Yes, mine is different since we use sssd for authentication; the placement of the cracklib is the same though. Switching to your cracklib values actually caused me to fail more of the categories.

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

I grabbed the zipfile this morning and used it

<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US">
<status date="2013-10-24">draft</status>

On Thu, Oct 24, 2013 at 8:22 PM, Shawn Wells <[email protected]> wrote:
> On 10/24/13, 2:40 PM, wm-lists wrote:
>
>> still getting the same result..
>> oscap xccdf eval --report /var/www/html/report.html --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
>>
>> <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US">
>> <status date="2013-10-22">draft</status>
>>
>> Title Set Password Strength Minimum Uppercase Characters
>> Rule password_require_uppercases
>> Ident CCE-26601-5
>> Result fail
>>
>> Title Set Password Strength Minimum Special Characters
>> Rule password_require_specials
>> Ident CCE-26409-3
>> Result fail
>>
>> Title Set Password Strength Minimum Lowercase Characters
>> Rule password_require_lowercases
>> Ident CCE-26631-2
>> Result fail
>
> These XCCDF names reflect nomenclature from prior releases ;) Try
> rebasing via yum update or 'git pull' the latest source -- is it still
> happening?
>
> In case you're still failing here's my /etc/pam.d/system-auth (which
> passes the checks).... is something different in yours?
>
>> auth required pam_env.so
>> auth sufficient pam_fprintd.so
>> auth sufficient pam_unix.so try_first_pass
>> auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
>> auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth required pam_deny.so
>>
>> account required pam_unix.so
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=5 type= ucredit=-1 lcredit=-1 ocredit=-1
>> password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
