>From 275a795d111cd1bce7368e058dc9c83a7796d19d Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Mon, 23 Dec 2013 08:06:28 -0500 Subject: [PATCH 22/25] accounts_password_warn_age_login_defs --> shared/ && RHT CCP profile update
- RHEL6 CCP profile using incorrect XCCDF variable, updated to var_accounts_password_warn_age_login_defs - Migrated OVAL to shared/ - Tested on RHEL7, created symlinks Signed-off-by: Shawn Wells <[email protected]>
---
:100644 120000 9dce3e9... 1bf833d... T RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml
:100644 100644 e214b7e... 3262b18... M RHEL/6/input/profiles/rht-ccp.xml
:000000 120000 0000000... 1bf833d... A RHEL/7/input/checks/accounts_password_warn_age_login_defs.xml
:100644 100644 43c5aea... f30f06e... M scap-security-guide.spec
:000000 100644 0000000... 583a3a4... A shared/oval/accounts_password_warn_age_login_defs.xml
 .../accounts_password_warn_age_login_defs.xml | 37 +---------------------
 RHEL/6/input/profiles/rht-ccp.xml | 2 +-
 .../accounts_password_warn_age_login_defs.xml | 1 +
 scap-security-guide.spec | 3 +-
 .../oval/accounts_password_warn_age_login_defs.xml | 37 ++++++++++++++++++++++
 5 files changed, 42 insertions(+), 38 deletions(-)
diff --git a/RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml b/RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml
deleted file mode 100644
index 9dce3e9..0000000
--- a/RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_password_warn_age_login_defs" version="1">
- <metadata>
- <title>Set Password Expiration Parameters</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The password expiration warning age should be set appropriately.</description>
- <reference source="swells" ref_id="20130914" ref_url="test_attestation" />
- </metadata>
- <criteria>
- <criterion test_ref="test_pass_warn_age" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all"
- comment="Tests the value of PASS_WARN_AGE in /etc/login.defs"
- id="test_pass_warn_age" version="1">
- <ind:object object_ref="object_etc_login_defs_pass_warn_age" />
- <ind:state state_ref="state_etc_login_defs_pass_warn_age" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_etc_login_defs_pass_warn_age"
- version="1">
- <ind:filepath>/etc/login.defs</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_etc_login_defs_pass_warn_age" version="1">
- <ind:subexpression operation="greater than or equal" var_ref="var_accounts_password_warn_age_login_defs" datatype="int" />
- </ind:textfilecontent54_state>
-
- <external_variable comment="password expiration warning age in days" datatype="int" id="var_accounts_password_warn_age_login_defs" version="1" />
-
-</def-group>
diff --git a/RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml b/RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml
new file mode 120000
index 0000000..1bf833d
--- /dev/null
+++ b/RHEL/6/input/checks/accounts_password_warn_age_login_defs.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_password_warn_age_login_defs.xml
\ No newline at end of file
diff --git a/RHEL/6/input/profiles/rht-ccp.xml b/RHEL/6/input/profiles/rht-ccp.xml
index e214b7e..3262b18 100644
--- a/RHEL/6/input/profiles/rht-ccp.xml
+++ b/RHEL/6/input/profiles/rht-ccp.xml
@@ -10,7 +10,7 @@
 <refine-value idref="var_accounts_password_minlen_login_defs" selector="6"/>
 <refine-value idref="var_password_max_age" selector="90"/>
 <refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
-<refine-value idref="var_password_warn_age" selector="7"/>
+<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
 <refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
 <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
 <refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
diff --git a/RHEL/7/input/checks/accounts_password_warn_age_login_defs.xml b/RHEL/7/input/checks/accounts_password_warn_age_login_defs.xml
new file mode 120000
index 0000000..1bf833d
--- /dev/null
+++ b/RHEL/7/input/checks/accounts_password_warn_age_login_defs.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_password_warn_age_login_defs.xml
\ No newline at end of file
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 43c5aea..f30f06e 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,5 +1,5 @@ -%global redhatssgrelease 15 +%global redhatssgrelease 16 Name: scap-security-guide Version: 0.1
@@ -73,6 +73,7 @@ cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man - OVAL for accounts_no_uid_except_zero - OVAL for accounts_password_minlen_login_defs - OVAL for accounts_minimum_age_login_defs +- OVAL for accounts_password_warn_age_login_defs * Fri Nov 01 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15 - Version bump
diff --git a/shared/oval/accounts_password_warn_age_login_defs.xml b/shared/oval/accounts_password_warn_age_login_defs.xml
new file mode 100644
index 0000000..583a3a4
--- /dev/null
+++ b/shared/oval/accounts_password_warn_age_login_defs.xml
@@ -0,0 +1,37 @@
+<def-group>
+ <definition class="compliance" id="accounts_password_warn_age_login_defs" version="1">
+ <metadata>
+ <title>Set Password Expiration Parameters</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The password expiration warning age should be set appropriately.</description>
+ <reference source="swells" ref_id="20130914" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_pass_warn_age" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="Tests the value of PASS_WARN_AGE in /etc/login.defs"
+ id="test_pass_warn_age" version="1">
+ <ind:object object_ref="object_etc_login_defs_pass_warn_age" />
+ <ind:state state_ref="state_etc_login_defs_pass_warn_age" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_etc_login_defs_pass_warn_age"
+ version="1">
+ <ind:filepath>/etc/login.defs</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_etc_login_defs_pass_warn_age" version="1">
+ <ind:subexpression operation="greater than or equal" var_ref="var_accounts_password_warn_age_login_defs" datatype="int" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="password expiration warning age in days" datatype="int" id="var_accounts_password_warn_age_login_defs" version="1" />
+
+</def-group>
-- 1.8.3.1
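Review bot: The object behind `test_pass_warn_age` collects only the first matching line (`<ind:instance datatype="int">1</ind:instance>`), so any later `PASS_WARN_AGE` entry in /etc/login.defs is never compared with `var_accounts_password_warn_age_login_defs`; if the tools that read the file honour the last occurrence (worth confirming for shadow-utils on RHEL 6 and 7), the check can pass while the effective value is below the threshold. Because the test already uses `check="all"`, collecting every occurrence with `<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>` would require each one to satisfy the state. The pattern also matches the keyword with no separator before the digits because of `PASS_WARN_AGE[\s]*`; `^[\s]*PASS_WARN_AGE[\s]+(\d+)\s*$` is tighter. The `<reference ... ref_id="20130914" ref_url="test_attestation" />` line is carried over unchanged although the definition now lists Red Hat Enterprise Linux 7 as affected, so an XML comment or updated reference recording the RHEL 7 test would keep the attestation accurate.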
