Still getting the same result..

oscap xccdf eval --report /var/www/html/report.html --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US">
<status date="2013-10-22">draft</status>

Title   Set Password Strength Minimum Uppercase Characters
Rule    password_require_uppercases
Ident   CCE-26601-5
Result  fail

Title   Set Password Strength Minimum Special Characters
Rule    password_require_specials
Ident   CCE-26409-3
Result  fail

Title   Set Password Strength Minimum Lowercase Characters
Rule    password_require_lowercases
Ident   CCE-26631-2
Result  fail

On Thu, Oct 24, 2013 at 1:51 PM, Shawn Wells <[email protected]> wrote:

> On 10/24/13, 1:29 PM, Jeff Bachtel wrote:
>
> Will,
>
> I'm seeing the same failures using SCC 3.1 (which is DISA's packaging of
> SSG). I suspect a profile problem (leading to improper external variables
> possibly being set). What happens when you run the test with profile
> stig-rhel6-server?
>
> Actually, checking /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
> the "server" profile specifies
> <refine-value idref="var_password_min_age" selector="7"/> so that's the
> minimum acceptable with the profile you're using.
>
> But thanks for the email, now I have an idea what might be goobering up
> on SCC...
>
> Jeff
>
>
> On Thu, Oct 24, 2013 at 11:40 AM, wm-lists <[email protected]> wrote:
>
>> I'm using scap-security-guide-0.1-12.el6.noarch as my source from
>>
>> http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/
>>
>> Running oscap xccdf eval --profile server
>> /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
>> Generates a failure for
>> Title   Set Password Minimum Age
>> Rule    password_min_age
>> Ident   CCE-27013-2
>> Result  fail
>>
>> Title   Set Password Maximum Age
>> Rule    password_max_age
>> Ident   CCE-26985-2
>> Result  fail
>>
>> Title   Set Password Strength Minimum Uppercase Characters
>> Rule    password_require_uppercases
>> Ident   CCE-26601-5
>> Result  fail
>>
>> Title   Set Password Strength Minimum Special Characters
>> Rule    password_require_specials
>> Ident   CCE-26409-3
>> Result  fail
>>
>> Title   Set Password Strength Minimum Lowercase Characters
>> Rule    password_require_lowercases
>> Ident   CCE-26631-2
>> Result  fail
>>
>> Among others.
>> I have cracklib configured what I believe is correct (according to the
>> CCE)
>> # grep cracklib /etc/pam.d/system-auth-ac
>> password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=
>> # grep PASS /etc/login.defs
>>
>> PASS_MAX_DAYS 180
>> PASS_MIN_DAYS 1
>> PASS_MIN_LEN 14
>> PASS_WARN_AGE 7
>>
>> Any help on what I might be missing here?
>>
>> Thanks!
>> Will
>
> Stuff off my people.redhat.com page is just scratch space I use for my
> own purposes -- demos, builds, etc. *Definitely* don't trust content from
> there as it's usually a clone of my (often broke) local git tree. And often
> outdated. Speaking of which, I need to drop in a norobots file....
>
> As for this OVAL, it appears to have been fixed on 18-SEPT:
>
> https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/RHEL6/input/checks/accounts_minimum_age_login_defs.xml?id=8e56c6960f71c1fed1cfa7e1fafed382ce2c1d87
>
> Should be reflected in next RPM update
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
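Added example (not part of the original thread, and not scap-security-guide or OpenSCAP code): a way to see which threshold a profile's refine-value selects and compare it with /etc/login.defs, as in the var_password_min_age case discussed above. The XCCDF fragment is constructed; the function names and the "PASS_MIN_DAYS must be at least the profile value" comparison are assumptions based on the reply in the thread.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed XCCDF 1.1 fragment, not the real SSG file. Only the
# refine-value line (var_password_min_age, selector "7") is from the thread.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <Profile id="server">
    <refine-value idref="var_password_min_age" selector="7"/>
  </Profile>
  <Value id="var_password_min_age" type="number">
    <value>7</value>
    <value selector="1">1</value>
    <value selector="7">7</value>
  </Value>
</Benchmark>"""

# /etc/login.defs values as posted in the thread.
SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS 180\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 14\nPASS_WARN_AGE 7\n"

def profile_values(xccdf_text, profile_id):
    """Return {value_id: resolved value} for each refine-value in a profile."""
    root = ET.fromstring(xccdf_text)
    profile = root.find(f".//x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise KeyError(f"profile {profile_id!r} not found")
    resolved = {}
    for rv in profile.findall("x:refine-value", NS):
        idref, selector = rv.get("idref"), rv.get("selector")
        value = root.find(f".//x:Value[@id='{idref}']", NS)
        if value is None:
            continue  # refine-value points at a Value not present in the file
        for v in value.findall("x:value", NS):
            if v.get("selector") == selector:
                resolved[idref] = (v.text or "").strip()
    return resolved

def login_defs(text):
    """Parse KEY VALUE pairs from login.defs; comment lines do not match."""
    return dict(re.findall(r"^[ \t]*([A-Z_]+)[ \t]+(\S+)", text, re.M))

def min_age_ok(xccdf_text, profile_id, defs_text):
    """Return (passes, configured, required) for the minimum password age."""
    required = int(profile_values(xccdf_text, profile_id)["var_password_min_age"])
    configured = int(login_defs(defs_text).get("PASS_MIN_DAYS", 0))
    # Assumption from the thread: the profile value is the minimum acceptable.
    return configured >= required, configured, required
```

On a real system, pass the contents of ssg-rhel6-xccdf.xml and /etc/login.defs instead of the two sample strings.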
