On 10/24/13, 1:29 PM, Jeff Bachtel wrote:
Will,
I'm seeing the same failures using SCC 3.1 (which is DISA's packaging
of SSG). I suspect a profile problem (leading to improper external
variables possibly being set). What happens when you run the test with
profile stig-rhel6-server ?
Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
the "server" profile specifies
<refine-value idref="var_password_min_age" selector="7"/> so that's
the minimum acceptable with the profile you're using.
But thanks for the email, now I have an idea what might be goobering
up on SCC...
Jeff
On Thu, Oct 24, 2013 at 11:40 AM, wm-lists <[email protected]> wrote:
I'm using scap-security-guide-0.1-12.el6.noarch as my source from
http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/
Running oscap xccdf eval --profile server
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Generates a failure for
Title Set Password Minimum Age
Rule password_min_age
Ident CCE-27013-2
Result fail
Title Set Password Maximum Age
Rule password_max_age
Ident CCE-26985-2
Result fail
Title Set Password Strength Minimum Uppercase Characters
Rule password_require_uppercases
Ident CCE-26601-5
Result fail
Title Set Password Strength Minimum Special Characters
Rule password_require_specials
Ident CCE-26409-3
Result fail
Title Set Password Strength Minimum Lowercase Characters
Rule password_require_lowercases
Ident CCE-26631-2
Result fail
Among others.
I have cracklib configured in what I believe is the correct way
(according to the CCE)
# grep cracklib /etc/pam.d/system-auth-ac
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=
# grep PASS /etc/login.defs
PASS_MAX_DAYS 180
PASS_MIN_DAYS 1
PASS_MIN_LEN 14
PASS_WARN_AGE 7
Any help on what I might be missing here?
Thanks!
Will
Stuff off my people.redhat.com page is just scratch space I use for my
own purposes -- demos, builds, etc. *Definitely* don't trust content
from there as it's usually a clone of my (often broke) local git tree.
And often outdated. Speaking of which, I need to drop in a norobots file....
As for this OVAL, it appears to have been fixed on 18-SEPT:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/RHEL6/input/checks/accounts_minimum_age_login_defs.xml?id=8e56c6960f71c1fed1cfa7e1fafed382ce2c1d87
Should be reflected in next RPM update
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
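
The point made in the thread, that a profile's refine-value selector sets the threshold the check compares against, shown as an added example (not code from the thread or from the scap-security-guide project). The XCCDF fragment is constructed apart from the quoted refine-value line, the function names are hypothetical, and the "PASS_MIN_DAYS must be at least the profile value" comparison is an assumption based on the reply above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed XCCDF fragment; only the refine-value line is quoted from the thread.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed">
  <Profile id="server">
    <refine-value idref="var_password_min_age" selector="7"/>
  </Profile>
  <Value id="var_password_min_age" type="number">
    <value>7</value>
    <value selector="1">1</value>
    <value selector="7">7</value>
  </Value>
</Benchmark>"""

# login.defs settings as posted in the thread.
LOGIN_DEFS = "PASS_MAX_DAYS 180\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 14\nPASS_WARN_AGE 7\n"

def profile_value(xccdf_text, profile_id, value_id):
    """Return the number a profile's refine-value selector resolves to."""
    root = ET.fromstring(xccdf_text)
    selector = None
    for prof in root.findall("x:Profile", NS):
        if prof.get("id") == profile_id:
            for rv in prof.findall("x:refine-value", NS):
                if rv.get("idref") == value_id:
                    selector = rv.get("selector")
    for val in root.findall("x:Value", NS):
        if val.get("id") == value_id:
            for v in val.findall("x:value", NS):
                # With no refine-value, the <value> without a selector applies.
                if v.get("selector") == selector:
                    return int(v.text)
    raise LookupError(f"{value_id}: no value for selector {selector!r}")

def login_defs_setting(text, key):
    """Return the integer set for key in login.defs text, or None if unset."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]+(\d+)[ \t]*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None

def min_age_result(xccdf_text, profile_id, login_defs_text):
    """Assumed comparison: pass when PASS_MIN_DAYS >= the profile's value."""
    required = profile_value(xccdf_text, profile_id, "var_password_min_age")
    actual = login_defs_setting(login_defs_text, "PASS_MIN_DAYS")
    ok = actual is not None and actual >= required
    return ("pass" if ok else "fail", required, actual)
```

Calling `min_age_result(XCCDF, "server", LOGIN_DEFS)` reports a fail with a required value of 7 against a configured value of 1, matching the result reported for `password_min_age` in the thread.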