I don't like leaving bugs in place while these decisions are being made. I'd still like to add the missing platform line in, unless you're telling me that the final release of RHEL 7 won't have pam_cracklib.so at all or unless you're saying that pam_cracklib.so won't be a supported option for users that use the announced upgrade in place option. You or Shawn would know better than I, seeing as how both modules were apparently written by Redhat.

Alternately, I could submit a patch to move all the pam_cracklib.so options back to RHEL 6's check directory until this is sorted out, or, if a version of Fedora uses pam_cracklib, I could change all the platform lines to read Fedora instead of RHEL 7.

pam_pwquality.so is obviously geared to be an easy change for sysadmins, seeing as how the option names are currently the same. However, if they diverge going forward, a universal check might have unexpected behavior. So I'm leaning a little more towards creating pam_pwquality specific checks.

- Maura Dailey

On 04/01/2014 12:40 PM, Jan Lieskovsky wrote:
Hello Maura,

----- Original Message -----
From: "Maura Dailey" <[email protected]>
Subject: [PATCH] Shared check was missing RHEL 7 platform line

Other pam_cracklib shared checks had the required platform field, but the
check for difok appears to have been inadvertently skipped.
I would say that instead of storing RHEL-7 as a platform in the shared pam_cracklib
OVAL checks, we should create RHEL-7 specific / own pam_pwquality oriented ones.

In RHEL-7 pam_cracklib has been replaced with pam_pwquality (man pw_quality)
and while the checks still work, their names:

   accounts_password_pam_cracklib_difok.xml
   accounts_password_pam_cracklib_lcredit.xml
   etc.

might be misleading. In my opinion we have two options for how to proceed:

* either rename the rules (remove the pam_cracklib string from them) and
  make them universal (IOW able to handle both the pam_cracklib and pam_pwquality
  cases). Particular rule names in shared/ would become:

    accounts_password_pam_difok.xml
    accounts_password_pam_lcredit.xml
    etc.

  and in the /etc/pam.d/system-auth pattern match section there would be just
  (pam_cracklib | pam_pwquality) listed as the options allowed after the
  required / requisite password section,

* or we can keep the RHEL-6 pam_cracklib rules intact (as they are now), and create
  new pam_pwquality RHEL-7 specific ones.

Leaving it to the wider mailing list's opinion / thoughts to decide which way
(or yet some other than the two proposed above?) we want to pursue.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

- Maura Dailey

Signed-off-by: Maura Dailey <[email protected]>
---
  .../oval/accounts_password_pam_cracklib_difok.xml  |    1 +
  1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/shared/oval/accounts_password_pam_cracklib_difok.xml
b/shared/oval/accounts_password_pam_cracklib_difok.xml
index 80fd21e..62a535a 100644
--- a/shared/oval/accounts_password_pam_cracklib_difok.xml
+++ b/shared/oval/accounts_password_pam_cracklib_difok.xml
@@ -4,6 +4,7 @@
        <title>Set Password difok Requirements</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <description>The password difok should meet minimum
        requirements using pam_cracklib</description>
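Review bot: the <description> two lines below the added platform still says the requirement is met "using pam_cracklib", which on the newly listed Red Hat Enterprise Linux 7 is the module the thread says has been replaced by pam_pwquality; either widen that wording to name both modules (matching the "(pam_cracklib | pam_pwquality)" alternation proposed for the system-auth match) or hold this platform line until the rename / split decision is made, so the check's text does not describe a module the platform does not ship.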
--
1.7.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
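As an added illustration of the "universal check" option discussed above (this is example code, not the project's OVAL content and not code from either poster), the following Python check parses an /etc/pam.d/system-auth fragment the way the shared difok rule intends to, but accepts either pam_cracklib.so or pam_pwquality.so on the password line, mirroring the `(pam_cracklib | pam_pwquality)` alternation Jan proposes. The system-auth fragments are constructed samples, and the minimum difok value is a parameter rather than anything the thread fixes.

```python
import re

# Constructed sample /etc/pam.d/system-auth fragments (not taken from the thread).
PWQUALITY_CONF = """\
#%PAM-1.0
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 difok=4
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

CRACKLIB_CONF = """\
password    requisite     pam_cracklib.so try_first_pass retry=3 difok=5 minlen=14
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""

# A commented-out line must not count, and a line without difok must be reported.
NO_DIFOK_CONF = """\
# password    requisite     pam_cracklib.so difok=9
password    requisite     pam_pwquality.so try_first_pass retry=3
"""

# One regex for both module names, i.e. the "(pam_cracklib | pam_pwquality)"
# alternation from the thread. The control field may be a single word
# (requisite, required) or a bracketed list such as [success=1 default=ignore],
# and the module may be given with a path prefix.
PASSWORD_LINE = re.compile(
    r"^password\s+(?:\[[^\]]*\]|\S+)\s+(?:\S*/)?(pam_cracklib\.so|pam_pwquality\.so)\b(.*)$"
)


def parse_password_quality_line(config):
    """Return (module, options) for the first uncommented `password` line that
    loads pam_cracklib.so or pam_pwquality.so, or None if there is none."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        module, rest = m.group(1), m.group(2)
        options = {}
        for tok in rest.split():
            key, _, value = tok.partition("=")
            options[key] = value  # bare flags such as try_first_pass get ""
        return module, options
    return None


def check_difok(config, minimum):
    """Evaluate the difok requirement: pass only if the active password-quality
    module sets difok to at least `minimum`. Returns (passed, message)."""
    found = parse_password_quality_line(config)
    if found is None:
        return False, "no pam_cracklib/pam_pwquality password line found"
    module, options = found
    value = options.get("difok")
    if value is None:
        return False, f"{module} is configured but does not set difok"
    try:
        difok = int(value)
    except ValueError:
        return False, f"{module} has non-numeric difok={value!r}"
    if difok < minimum:
        return False, f"{module} sets difok={difok}, below the required {minimum}"
    return True, f"{module} sets difok={difok} (>= {minimum})"


if __name__ == "__main__":
    for name, conf in (("pwquality", PWQUALITY_CONF),
                       ("cracklib", CRACKLIB_CONF),
                       ("no-difok", NO_DIFOK_CONF)):
        print(name, check_difok(conf, 4))
```

The third sample shows where a universal check stops being equivalent for the two modules: pam_pwquality also reads /etc/security/pwquality.conf, with module arguments on the PAM line overriding that file, so a check that only parses system-auth reports "does not set difok" for a host whose effective difok comes from pwquality.conf. pam_cracklib has no such second source, which is one concrete reason the second option in the thread (pwquality-specific checks) can be the safer one.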
