I ended up setting all four values to the requirement and that resolved the login.defs requirements. Now I'm trying to figure out what's "goobering" up the credits for cracklib... While I'm sure deciphering the XML is easy enough for someone who's been nose deep in this for a while, it's proving a bit challenging for me to find what's connected to what...

Title Set Password Strength Minimum Uppercase Characters
Rule password_require_uppercases
Ident CCE-26601-5
Result fail

Title Set Password Strength Minimum Special Characters
Rule password_require_specials
Ident CCE-26409-3
Result fail

Title Set Password Strength Minimum Lowercase Characters
Rule password_require_lowercases
Ident CCE-26631-2
Result fail

grep cracklib /etc/pam.d/system-auth
password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4

On Thu, Oct 24, 2013 at 1:29 PM, Jeff Bachtel <[email protected]> wrote:

> Will,
>
> I'm seeing the same failures using SCC 3.1 (which is DISA's packaging of
> SSG). I suspect a profile problem (leading to improper external variables
> possibly being set). What happens when you run the test with profile
> stig-rhel6-server
> ?
>
> Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
> the "server" profile specifies
> <refine-value idref="var_password_min_age" selector="7"/> so that's the
> minimum acceptable with the profile you're using.
>
> But thanks for the email, now I have an idea what might be goobering up on
> SCC...
>
> Jeff
>
> On Thu, Oct 24, 2013 at 11:40 AM, wm-lists <[email protected]> wrote:
>
>> I'm using scap-security-guide-0.1-12.el6.noarch as my source from
>>
>> http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/
>>
>> Running oscap xccdf eval --profile server
>> /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
>> Generates a failure for
>> Title Set Password Minimum Age
>> Rule password_min_age
>> Ident CCE-27013-2
>> Result fail
>>
>> Title Set Password Maximum Age
>> Rule password_max_age
>> Ident CCE-26985-2
>> Result fail
>>
>> Title Set Password Strength Minimum Uppercase Characters
>> Rule password_require_uppercases
>> Ident CCE-26601-5
>> Result fail
>>
>> Title Set Password Strength Minimum Special Characters
>> Rule password_require_specials
>> Ident CCE-26409-3
>> Result fail
>>
>> Title Set Password Strength Minimum Lowercase Characters
>> Rule password_require_lowercases
>> Ident CCE-26631-2
>> Result fail
>>
>> Among others.
>> I have cracklib configured what I believe is correct (according to the
>> CCE)
>> # grep cracklib /etc/pam.d/system-auth-ac
>> password requisite pam_cracklib.so dcredit=-1 ucredit=-1
>> ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=
>> # grep PASS /etc/login.defs
>>
>> PASS_MAX_DAYS 180
>> PASS_MIN_DAYS 1
>> PASS_MIN_LEN 14
>> PASS_WARN_AGE 7
>>
>> Any help on what I might be missing here?
>>
>> Thanks!
>> Will
>>
>> _______________________________________________
>> scap-security-guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
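
The chain discussed in this thread (a profile's refine-value, the Value it selects, and the Rules that consume that Value through check-export) can be traced with a short script. This is an added example, not part of the original thread or of the SSG project: the XCCDF fragment is constructed, only the refine-value line is taken from Jeff's message, and the names profile_values, find_all and local are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF fragment, NOT copied from ssg-rhel6-xccdf.xml. Only the
# refine-value line is quoted from the thread; the export-name is made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Profile id="server">
    <refine-value idref="var_password_min_age" selector="7"/>
  </Profile>
  <Value id="var_password_min_age">
    <value selector="1">1</value>
    <value selector="7">7</value>
  </Value>
  <Rule id="password_min_age">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-export export-name="oval:ssg:var:1" value-id="var_password_min_age"/>
    </check>
  </Rule>
</Benchmark>"""

def local(tag):
    """Strip the '{namespace}' prefix so the XCCDF version does not matter."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    """All descendants of root whose local tag name equals name."""
    return [e for e in root.iter() if local(e.tag) == name]

def profile_values(xccdf, profile_id):
    """Map each variable a profile refines to its selector, the concrete
    value that selector picks, and the rules that export the variable."""
    root = ET.fromstring(xccdf)
    values = {v.get("id"): v for v in find_all(root, "Value")}
    users = {}  # variable id -> ids of rules whose check exports it
    for rule in find_all(root, "Rule"):
        for exp in find_all(rule, "check-export"):
            users.setdefault(exp.get("value-id"), []).append(rule.get("id"))
    out = {}
    for prof in find_all(root, "Profile"):
        if prof.get("id") != profile_id:
            continue
        for ref in find_all(prof, "refine-value"):
            var, sel = ref.get("idref"), ref.get("selector")
            picked = [(v.text or "").strip() for v in find_all(values[var], "value")
                      if v.get("selector") == sel] if var in values else []
            out[var] = {"selector": sel, "value": picked[0] if picked else None,
                        "rules": users.get(var, [])}
    return out

if __name__ == "__main__":
    for var, info in profile_values(SAMPLE, "server").items():
        print(var, info)
```

To run it against an installed benchmark, pass the file's bytes, for example `profile_values(open(path, "rb").read(), "server")`, and compare each reported value with the setting on the host.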
