Re: Issue with PASS_MIN_DAYS validation

Thu, 24 Oct 2013 17:23:06 -0700 

On 10/24/13, 2:40 PM, wm-lists wrote:

still getting the same result..
oscap xccdf eval --report /var/www/html/report.html --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml 


<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; id="RHEL-6" 
resolved="1" xml:lang="en-US">

  <status date="2013-10-22">draft</status>


Title   Set Password Strength Minimum Uppercase Characters
Rule    password_require_uppercases
Ident   CCE-26601-5
Result  fail

Title   Set Password Strength Minimum Special Characters
Rule    password_require_specials
Ident   CCE-26409-3
Result  fail

Title   Set Password Strength Minimum Lowercase Characters
Rule    password_require_lowercases
Ident   CCE-26631-2
Result  fail



These XCCDF names reflect nomenclature from prior releases ;)  Try 
rebasing via yum update or 'git pull' the latest source -- is it still 
happening?



In case you're still failing here's my /etc/pam.d/system-auth (which 
passes the checks).... is something different in yours?

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so  try_first_pass

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900

auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so


password    requisite     pam_cracklib.so try_first_pass retry=5 type= 
ucredit=-1 lcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass 
use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in 
crond quiet use_uid

session     required      pam_unix.so


_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide























					Reply via email to