>From fd1c743445e4b5fa2cf1c5a35f312ef0676c365a Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Mon, 23 Dec 2013 07:34:34 -0500 Subject: [PATCH 17/25] accounts_password_all_shadowed --> shared/
- Moved to shared/, added RHEL6 and 7 symlinks - Updated CPE - Tested on RHEL7 Signed-off-by: Shawn Wells <[email protected]> --- :100644 100644 32eb751... 051f22e... M RHEL/6/input/auxiliary/stig_overlay.xml :100644 100644 c1339c9... d190b2c... M RHEL/6/input/auxiliary/transition_notes.xml :100644 120000 6543111... e7d3705... T RHEL/6/input/checks/accounts_password_all_shadowed.xml :100644 100644 f1cc155... 1bfacc4... M RHEL/6/input/profiles/CS2.xml :100644 100644 4134266... 108dc9b... M RHEL/6/input/profiles/common.xml :100644 100644 00d85e8... a349b8d... M RHEL/6/input/profiles/fisma-medium-rhel6-server.xml :100644 100644 5d0cd48... ae0108a... M RHEL/6/input/profiles/rht-ccp.xml :100644 100644 5fcee18... 78f7634... M RHEL/6/input/profiles/usgcb-rhel6-server.xml :100644 100644 9720505... cbd8271... M RHEL/6/input/system/accounts/restrictions/password_storage.xml :000000 120000 0000000... e7d3705... A RHEL/7/input/checks/accounts_password_all_shadowed.xml :100644 100644 121f739... 428d88b... M scap-security-guide.spec :000000 100644 0000000... 4295673... A shared/oval/accounts_password_all_shadowed.xml RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/auxiliary/transition_notes.xml | 2 +- .../checks/accounts_password_all_shadowed.xml | 26 +--------------------- RHEL/6/input/profiles/CS2.xml | 2 +- RHEL/6/input/profiles/common.xml | 2 +- .../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +- RHEL/6/input/profiles/rht-ccp.xml | 2 +- RHEL/6/input/profiles/usgcb-rhel6-server.xml | 2 +- .../accounts/restrictions/password_storage.xml | 2 +- .../checks/accounts_password_all_shadowed.xml | 1 + scap-security-guide.spec | 1 + shared/oval/accounts_password_all_shadowed.xml | 26 ++++++++++++++++++++++ 12 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml
index 32eb751..051f22e 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -80,7 +80,7 @@
 <VMSinfo VKey="38497" SVKey="50298" VRelease="1" />
 <title>The system must not have accounts configured with blank or null passwords.</title>
 </overlay>
- <overlay owner="disastig" ruleid="no_hashes_outside_shadow" ownerid="RHEL-06-000031" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="accounts_password_all_shadowed" ownerid="RHEL-06-000031" disa="366" severity="medium">
 <VMSinfo VKey="38499" SVKey="50300" VRelease="1" />
 <title>The /etc/passwd file must not contain password hashes.</title>
 </overlay>
diff --git a/RHEL/6/input/auxiliary/transition_notes.xml b/RHEL/6/input/auxiliary/transition_notes.xml
index c1339c9..d190b2c 100644
--- a/RHEL/6/input/auxiliary/transition_notes.xml
+++ b/RHEL/6/input/auxiliary/transition_notes.xml
@@ -1554,7 +1554,7 @@ rule=userowner_shadow_file manual=no
 <note ref="22347" auth="KS"> Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist.
-rule=no_hashes_outside_shadow manual=no
+rule=accounts_password_all_shadowed manual=no
 </note> <note ref="22375" auth="KS">
diff --git a/RHEL/6/input/checks/accounts_password_all_shadowed.xml b/RHEL/6/input/checks/accounts_password_all_shadowed.xml
deleted file mode 100644
index 6543111..0000000
--- a/RHEL/6/input/checks/accounts_password_all_shadowed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_password_all_shadowed" version="1">
- <metadata>
- <title>All Password Hashes Shadowed</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>All password hashes should be shadowed.</description>
- <reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
- </metadata>
- <criteria>
- <criterion comment="password hashes are shadowed" test_ref="test_accounts_password_all_shadowed" />
- </criteria>
- </definition>
- <unix:password_test check="all" comment="password hashes are shadowed" id="test_accounts_password_all_shadowed" version="1">
- <unix:object object_ref="object_accounts_password_all_shadowed" />
- <unix:state state_ref="state_accounts_password_all_shadowed" />
- </unix:password_test>
- <unix:password_object id="object_accounts_password_all_shadowed" version="1">
- <unix:username operation="pattern match">.*</unix:username>
- </unix:password_object>
- <unix:password_state id="state_accounts_password_all_shadowed" version="1">
- <unix:password>x</unix:password>
- </unix:password_state>
-</def-group>
diff --git a/RHEL/6/input/checks/accounts_password_all_shadowed.xml b/RHEL/6/input/checks/accounts_password_all_shadowed.xml
new file mode 120000
index 0000000..e7d3705
--- /dev/null
+++ b/RHEL/6/input/checks/accounts_password_all_shadowed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_password_all_shadowed.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index f1cc155..1bfacc4 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -75,7 +75,7 @@
 <select idref="install_PAE_kernel_on_x86-32" selected="true" />
 <select idref="disable_prelink" selected="true" />
 <select idref="account_unique_name" selected="true"/>
-<select idref="no_hashes_outside_shadow" selected="true"/>
+<select idref="accounts_password_all_shadowed" selected="true"/>
 <select idref="accounts_no_uid_except_zero" selected="true"/>
 <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml
index 4134266..108dc9b 100644
--- a/RHEL/6/input/profiles/common.xml
+++ b/RHEL/6/input/profiles/common.xml
@@ -21,7 +21,7 @@
 <select idref="restrict_serial_port_logins" selected="true"/>
 <select idref="no_shelllogin_for_systemaccounts" selected="true"/>
 <select idref="no_empty_passwords" selected="true"/>
-<select idref="no_hashes_outside_shadow" selected="true"/>
+<select idref="accounts_password_all_shadowed" selected="true"/>
 <select idref="accounts_no_uid_except_zero" selected="true"/>
 <select idref="userowner_shadow_file" selected="true"/>
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index 00d85e8..a349b8d 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -288,7 +288,7 @@
 <select idref="set_password_hashing_algorithm_logindefs" selected="true" />
 <select idref="set_password_hashing_algorithm_libuserconf" selected="true" />
 <select idref="no_empty_passwords" selected="true" />
-<select idref="no_hashes_outside_shadow" selected="true" />
+<select idref="accounts_password_all_shadowed" selected="true" />
 <select idref="no_netrc_files" selected="true" />
 <refine-value idref="var_accounts_password_minlen_login_defs" selector="12" />
 <select idref="accounts_password_minlen_login_defs" selected="true" />
diff --git a/RHEL/6/input/profiles/rht-ccp.xml b/RHEL/6/input/profiles/rht-ccp.xml
index 5d0cd48..ae0108a 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -48,7 +48,7 @@
 <select idref="accounts_password_reuse_limit" selected="true"/>
 <select idref="no_shelllogin_for_systemaccounts" selected="true"/>
 <select idref="no_empty_passwords" selected="true"/>
-<select idref="no_hashes_outside_shadow" selected="true"/>
+<select idref="accounts_password_all_shadowed" selected="true"/>
 <select idref="accounts_no_uid_except_zero" selected="true"/>
 <select idref="accounts_password_minlen_login_defs" selected="true"/>
 <select idref="accounts_minimum_age_login_defs" selected="true"/>
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index 5fcee18..78f7634 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -62,7 +62,7 @@
 <select idref="securetty_root_login_console_only" selected="true" /> <!-- slightly different language than rhel5 -->
 <select idref="restrict_serial_port_logins" selected="true" />
 <select idref="no_empty_passwords" selected="true" />
-<select idref="no_hashes_outside_shadow" selected="true" />
+<select idref="accounts_password_all_shadowed" selected="true" />
 <select idref="accounts_no_uid_except_zero" selected="true" />
 <refine-value idref="var_accounts_password_warn_age_login_defs" selector="14"/>
 <select idref="accounts_password_warn_age_login_defs" selected="true" />
diff --git a/RHEL/6/input/system/accounts/restrictions/password_storage.xml b/RHEL/6/input/system/accounts/restrictions/password_storage.xml
index 9720505..cbd8271 100644
--- a/RHEL/6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL/6/input/system/accounts/restrictions/password_storage.xml
@@ -42,7 +42,7 @@ environments.
 <tested by="DS" on="20121024"/>
 </Rule>
-<Rule id="no_hashes_outside_shadow" severity="medium">
+<Rule id="accounts_password_all_shadowed" severity="medium">
 <title>Verify All Account Password Hashes are Shadowed</title>
 <description>
 If any password hashes are stored in <tt>/etc/passwd</tt> (in the second field,
diff --git a/RHEL/7/input/checks/accounts_password_all_shadowed.xml b/RHEL/7/input/checks/accounts_password_all_shadowed.xml
new file mode 120000
index 0000000..e7d3705
--- /dev/null
+++ b/RHEL/7/input/checks/accounts_password_all_shadowed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_password_all_shadowed.xml
\ No newline at end of file
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 121f739..428d88b 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -69,6 +69,7 @@ cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
 - OVAL for accounts_password_reuse_limit
 - OVAL for no_shelllogin_for_systemaccounts
 - OVAL for no_empty_passwords
+- OVAL for no_hashes_outside_shadow
 * Fri Nov 01 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15
 - Version bump
diff --git a/shared/oval/accounts_password_all_shadowed.xml b/shared/oval/accounts_password_all_shadowed.xml
new file mode 100644
index 0000000..4295673
--- /dev/null
+++ b/shared/oval/accounts_password_all_shadowed.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_all_shadowed" version="1">
+ <metadata>
+ <title>All Password Hashes Shadowed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>All password hashes should be shadowed.</description>
+ <reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
+ </metadata>
+ <criteria>
+ <criterion comment="password hashes are shadowed" test_ref="test_accounts_password_all_shadowed" />
+ </criteria>
+ </definition>
+ <unix:password_test check="all" comment="password hashes are shadowed" id="test_accounts_password_all_shadowed" version="1">
+ <unix:object object_ref="object_accounts_password_all_shadowed" />
+ <unix:state state_ref="state_accounts_password_all_shadowed" />
+ </unix:password_test>
+ <unix:password_object id="object_accounts_password_all_shadowed" version="1">
+ <unix:username operation="pattern match">.*</unix:username>
+ </unix:password_object>
+ <unix:password_state id="state_accounts_password_all_shadowed" version="1">
+ <unix:password>x</unix:password>
+ </unix:password_state>
+</def-group>
-- 1.8.3.1
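Review bot: The `<description>` in the new shared/oval/accounts_password_all_shadowed.xml says only that hashes should be shadowed, while the state at the bottom of the hunk requires the `/etc/passwd` password field of every collected account (`check="all"`, username pattern `.*`) to be exactly `x`, so any other value in that field fails the definition, not only a hash. Consider `<description>All password hashes should be shadowed: the second field of every /etc/passwd entry must be exactly "x". Any other value in that field fails this check.</description>` so profile authors know the criterion is stricter than the title suggests. The `<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>` line is carried over unchanged while a Red Hat Enterprise Linux 7 platform is added; if that date reflects RHEL6-only testing, the RHEL7 test mentioned in the commit message is not recorded here. The spec changelog entry added in the preceding hunk names the old id `no_hashes_outside_shadow`; since this commit renames the rule to `accounts_password_all_shadowed`, the entry should use the new id.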
