For Set Password Warning Age - (CCE-26988-6), with either the stig-rhel6-server or the usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-negative when running SCC 3.1.1.1 on a RHEL6V1R2 non-complaint machine. # /bin/grep ^PASS_WARN_AGE /etc/login.defs | cut -f2 77 See the following report output:
Set Password Warning Age ID: accounts_password_warn_age_login_defs Result: Pass Identities: CCE-26988-6 Description: To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line, replacing DAYS appropriately: PASS_WARN_AGE DAYS The DoD requirement is 7. Fix Text: Severity: low Weight: Reference: IA-5(f) Definitions: ID: oval:ssg:def:351 Result: true Title: Set Password Expiration Parameters Description: The password expiration warning age should be set appropriately. Class: compliance Tests: true (All item-state comparisons must be true.) true (Tests the value of PASS_WARN_AGE in /etc/login.defs) Tests: Test ID: oval:ssg:tst:352 Result: true Title: Tests the value of PASS_WARN_AGE in /etc/login.defs Check Existence: One or more collected items must exist. Check: All collected items must match the given state(s). State Operator: All item-state comparisons must be true. Object ID: oval:ssg:obj:1450 Object Requirements: filepath must be equal to '/etc/login.defs' pattern must match the pattern '^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$' instance must be equal to '1' State ID: oval:ssg:ste:1451 State Requirements: subexpression must be greater than or equal to '7' Collected Item Properties: filepath equals '/etc/login.defs' path equals '/etc' filename equals 'login.defs' pattern equals '^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$' instance equals '1' text equals 'PASS_WARN_AGE 77 ' subexpression equals '77' Additional Information: pression equals '7' Additional Information: _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
