Hello Trey, thank you for checking with us.
----- Original Message -----
> From: "Trey Henefield" <[email protected]>
> To: "Steve Grubb" <[email protected]>, [email protected]
> Sent: Thursday, March 20, 2014 2:09:35 PM
> Subject: RE: Minimum Password Length ...
>
> Thanks for the response Steve. That is what I had figured.
>
> But because both the RHEL6 SSG and RHEL6 STIG require this functionality to
> be configured only in /etc/login.defs as opposed to /etc/pam.d/system-auth,
> it was questionable.
>
> While system certifications simply require checking that a system is
> configured in accordance with a published STIG, DSS will actually check to
> see that the intended requirements are actually enforced (i.e. actually
> attempt a non-compliant password as opposed to checking for applied
> settings).
>
> So if we are all in agreement, could the SSG check and fix for this please be
> changed to include the setting that gets enforced (minlen=14 in
> /etc/pam.d/system-auth)?

You are truly right that on Red Hat Enterprise Linux 5 the rule checks both conditions:
  http://ovaldb.altx-soft.ru/Definition.aspx?id=oval:gov.nist.usgcb.rhel:def:20071
while in SSG content for Red Hat Enterprise Linux 6 just the /etc/login.defs condition:
  https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/shared/oval/accounts_password_minlen_login_defs.xml

But (slight) uncertainty comes from the following:
* in RHEL-5 the rule is titled "CCE-4541-1: Set password minimum length" (thus somehow implying this should be a system-wide check), while
* on RHEL-6 it is titled "2.4.1.3.a. Set Password Minimum Length in login.defs (CCE-27002-5)" (thus somehow implying it should be checking just the login.defs file, due to login.defs being emphasized in the title).
This makes me believe the original intention when creating RHEL-6 content was to have just a login.defs specific rule, and then add a pam_cracklib specific rule into / under the "Set Password Quality Requirements" subsection of the "Protect Accounts by Configuring PAM" section (maybe to have login.defs and PAM rules separated into sections?). But it looks like the second part (adding a "minlen" check for the PAM case) wasn't realized later.

The summary being -- you are correct, the PAM minlen check should be added to the current form of the RHEL-6 SSG content. The question is where we want to have this check added -- into the minimum password length login.defs rule (like it's done on RHEL-5) or under the PAM section (where it might seem more logical to belong).

I can come up with a patch proposal, just first need someone on the list to clarify the expected rule location. Shawn, can you possibly hint on this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> Thanks!
>
> Best regards,
>
> Trey Henefield, CISSP
> Senior IAVA Engineer
>
> Ultra Electronics
> Advanced Tactical Systems, Inc.
> 4101 Smith School Road
> Building IV, Suite 100
> Austin, TX 78744 USA
>
> [email protected]
> Tel: +1 512 327 6795 ext. 647
> Fax: +1 512 327 8043
> Mobile: +1 512 541 6450
>
> www.ultra-ats.com
>
> -----Original Message-----
> From: Steve Grubb [mailto:[email protected]]
> Sent: Thursday, March 20, 2014 7:59 AM
> To: [email protected]
> Cc: Trey Henefield
> Subject: Re: Minimum Password Length ...
>
> On Thursday, March 20, 2014 07:28:34 AM Trey Henefield wrote:
> > Nobody has seemed to respond to this. But this is an issue.
> >
> > In /etc/login.defs, I have PASS_MIN_LEN set to 14, yet as a user, I
> > can set the following password 56tyghbn%^TY which only has 12
> > characters via the passwd command.
>
> In our common criteria setup, we have annotated the login.defs file with the
> following:
>
> # The evaluated configuration constraints are:
> # PASS_MAX_DAYS MAY be changed, must be <= 60
> # PASS_MAX_DAYS MAY be changed, 0 < PASS_MIN_DAYS < PASS_MAX_DAYS
> # PASS_MIN_LEN has no effect in the evaluated configuration
> # PASS_WARN_AGE MAY be changed
>
> Note...has no effect...
>
> The intended way can be seen in system-auth:
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
>
> Of these, cracklib is responsible for enforcing password policy. Checking its
> man page, it has something called minlen. Looking at the RHEL5 USGCB
> settings, this is in fact how it's set:
>
> sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth
>
> So, to have 14, alter the above settings to correct it.
>
> -Steve
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
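An added example, not part of this thread or of the SSG content: a shell check that reads both the login.defs PASS_MIN_LEN and the pam_cracklib minlen, so a system that only "looks compliant" in login.defs is reported. The required length 14 comes from the thread; the file paths and sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not SSG content: audit both places a minimum password
# length can be configured.  As the thread notes, passwd enforces the
# pam_cracklib "minlen" option, not PASS_MIN_LEN from login.defs, so a
# check that reads only login.defs can pass on a system that still
# accepts short passwords.  Paths are parameters for the sample files.

# Print the minlen= value from the first active pam_cracklib.so password
# line of a PAM file, or 0 if the module or the option is missing.
cracklib_minlen() {
    awk '$1 == "password" && $3 ~ /pam_cracklib\.so$/ {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^minlen=[0-9]+$/) { sub("minlen=", "", $i); print $i; found = 1; exit }
         }
         END { if (!found) print 0 }' "$1"
}

# Print PASS_MIN_LEN from login.defs (last occurrence wins), or 0 if unset.
login_defs_minlen() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# Return 0 only when both files meet the required length; report each failure.
check_minlen() {
    required=$1; login_defs=$2; pam_file=$3; status=0
    ld=$(login_defs_minlen "$login_defs")
    pam=$(cracklib_minlen "$pam_file")
    [ "$ld" -ge "$required" ] ||
        { echo "login.defs PASS_MIN_LEN=$ld < $required (not enforced by passwd)"; status=1; }
    [ "$pam" -ge "$required" ] ||
        { echo "system-auth pam_cracklib minlen=$pam < $required (the value passwd enforces)"; status=1; }
    return $status
}

# Constructed sample files: login.defs already says 14, as in the report,
# while system-auth carries the stock cracklib line with no minlen.
sample_dir=$(mktemp -d)
printf 'PASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 14\nPASS_WARN_AGE 7\n' > "$sample_dir/login.defs"
cat > "$sample_dir/system-auth.before" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
# The same file after a remediation of the kind the thread's sed line applies.
sed 's/retry=3/retry=3 minlen=14/' "$sample_dir/system-auth.before" > "$sample_dir/system-auth.after"

echo "before remediation:"; check_minlen 14 "$sample_dir/login.defs" "$sample_dir/system-auth.before" || true
echo "after remediation:";  check_minlen 14 "$sample_dir/login.defs" "$sample_dir/system-auth.after" && echo "compliant"
```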
