On 4/11/14, 10:33 AM, Jan Lieskovsky wrote:
Patch summary:

     [shared] Modify /etc/login.defs rules to allow heading spaces & trailing comments
     [shared] Move accounts_maximum_age_login_defs.xml to shared
     [shared] Add Fedora 20 as another platform identifier for password /etc/login.defs rules
     [shared] Update test attestations timestamps for RHEL & Fedora (for password /etc/login.defs rules)
     [Fedora] Replace own copies of /etc/login.defs password OVAL checks with the shared ones
     [RHEL/6] Make a link for accounts_maximum_age_login_defs.xml from shared
     [RHEL/7] Make a link for accounts_maximum_age_login_defs.xml from shared

Testing report:

   The proposal has been tested on all of RHEL-6, RHEL-7, and Rawhide for both
combinations (with / without trailing comments, with / without heading spaces)
and seems to be working properly in all cases (further review / testing
appreciated, of course).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-shared-Modify-etc-login.defs-rules-to-allow-heading-.patch


From 461fe1dbab938d2c7770216e1d0ace202116d3d7 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Fri, 11 Apr 2014 16:22:43 +0200
Subject: [PATCH] [shared] Modify /etc/login.defs rules to allow heading spaces
  & trailing comments [shared] Move accounts_maximum_age_login_defs.xml to
  shared [shared] Add Fedora 20 as another platform identifier [shared] Update
  test attestations timestamps for RHEL & Fedora [Fedora] Replace own copies of
  /etc/login.defs OVAL checks with shared version [RHEL/6] Make a link for
  accounts_maximum_age_login_defs.xml from shared [RHEL/7] The same

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  .../checks/accounts_maximum_age_login_defs.xml     | 33 +------------------
  .../checks/accounts_minimum_age_login_defs.xml     | 35 +-------------------
  .../checks/accounts_password_minlen_login_defs.xml | 34 +-------------------
  .../accounts_password_warn_age_login_defs.xml      | 36 +--------------------
  .../checks/accounts_maximum_age_login_defs.xml     | 35 +-------------------
  .../checks/accounts_maximum_age_login_defs.xml     |  1 +
  shared/oval/accounts_maximum_age_login_defs.xml    | 37 ++++++++++++++++++++++
  shared/oval/accounts_minimum_age_login_defs.xml    |  8 +++--
  .../oval/accounts_password_minlen_login_defs.xml   |  8 +++--
  .../oval/accounts_password_warn_age_login_defs.xml |  8 +++--
  10 files changed, 58 insertions(+), 177 deletions(-)
  mode change 100644 => 120000 
Fedora/input/checks/accounts_maximum_age_login_defs.xml
  mode change 100644 => 120000 
Fedora/input/checks/accounts_minimum_age_login_defs.xml
  mode change 100644 => 120000 
Fedora/input/checks/accounts_password_minlen_login_defs.xml
  mode change 100644 => 120000 
Fedora/input/checks/accounts_password_warn_age_login_defs.xml
  mode change 100644 => 120000 
RHEL/6/input/checks/accounts_maximum_age_login_defs.xml
  create mode 120000 RHEL/7/input/checks/accounts_maximum_age_login_defs.xml
  create mode 100644 shared/oval/accounts_maximum_age_login_defs.xml

diff --git a/Fedora/input/checks/accounts_maximum_age_login_defs.xml 
b/Fedora/input/checks/accounts_maximum_age_login_defs.xml
deleted file mode 100644
index 5e96118..0000000
--- a/Fedora/input/checks/accounts_maximum_age_login_defs.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_maximum_age_login_defs" 
version="1">
-    <metadata>
-      <title>Set Password Expiration Parameters</title>
-      <affected family="unix">
-        <platform>Fedora 19</platform>
-      </affected>
-      <description>The maximum password age policy should meet minimum 
requirements.</description>
-    </metadata>
-    <criteria comment="the value PASS_MAX_DAYS should be set appropriately in 
/etc/login.defs">
-      <criterion test_ref="test_pass_max_days" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all" comment="the value PASS_MAX_DAYS should be set appropriately in 
/etc/login.defs" id="test_pass_max_days" version="1">
-    <ind:object object_ref="object_etc_login_defs_pass_max" />
-    <ind:state state_ref="state_accounts_maximum_age_login_defs" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_etc_login_defs_pass_max" 
version="1">
-    <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_accounts_maximum_age_login_defs" 
version="1">
-    <ind:subexpression operation="less than or equal" 
var_ref="var_accounts_maximum_age_login_defs" datatype="int" />
-  </ind:textfilecontent54_state>
-
-  <external_variable comment="maximum password age" datatype="int" 
id="var_accounts_maximum_age_login_defs" version="1" />
-
-</def-group>
diff --git a/Fedora/input/checks/accounts_maximum_age_login_defs.xml 
b/Fedora/input/checks/accounts_maximum_age_login_defs.xml
new file mode 120000
index 0000000..1f8ffe9
--- /dev/null
+++ b/Fedora/input/checks/accounts_maximum_age_login_defs.xml
@@ -0,0 +1 @@
+../../../shared/oval/accounts_maximum_age_login_defs.xml
\ No newline at end of file
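Review bot: the link target `../../../shared/oval/accounts_maximum_age_login_defs.xml` climbs three directories from `Fedora/input/checks/`, which is the repository root where `shared/` lives, so the relative path resolves; the RHEL links further down correctly use four `..` because of the extra `6/` or `7/` path component. Since these files change mode 100644 => 120000, it is worth confirming once (e.g. `ls -L Fedora/input/checks/`) that the build consumes the checks from a checkout that preserves symlinks, because a tree copied without following links would carry a one-line text file in place of the OVAL definition.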
diff --git a/Fedora/input/checks/accounts_minimum_age_login_defs.xml 
b/Fedora/input/checks/accounts_minimum_age_login_defs.xml
deleted file mode 100644
index 87917e0..0000000
--- a/Fedora/input/checks/accounts_minimum_age_login_defs.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_minimum_age_login_defs" 
version="1">
-    <metadata>
-      <title>Set Password Expiration Parameters</title>
-      <affected family="unix">
-        <platform>Fedora 19</platform>
-      </affected>
-      <description>The minimum password age policy should be set 
appropriately.</description>
-    </metadata>
-    <criteria comment="the value PASS_MIN_DAYS should be set appropriately in 
/etc/login.defs">
-      <criterion test_ref="test_pass_min_days" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all"
-  comment="Tests the value of PASS_MIN_DAYS in /etc/login.defs"
-  id="test_pass_min_days" version="1">
-    <ind:object object_ref="object_etc_login_defs_pass_min_age" />
-    <ind:state state_ref="state_etc_login_defs_pass_min_age" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_etc_login_defs_pass_min_age" 
version="1">
-    <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_etc_login_defs_pass_min_age" 
version="1">
-    <ind:subexpression operation="greater than or equal" 
var_ref="var_accounts_minimum_age_login_defs" datatype="int" />
-  </ind:textfilecontent54_state>
-
-  <external_variable comment="minimum password age in days" datatype="int" 
id="var_accounts_minimum_age_login_defs" version="1" />
-
-</def-group>
diff --git a/Fedora/input/checks/accounts_minimum_age_login_defs.xml 
b/Fedora/input/checks/accounts_minimum_age_login_defs.xml
new file mode 120000
index 0000000..00ba914
--- /dev/null
+++ b/Fedora/input/checks/accounts_minimum_age_login_defs.xml
@@ -0,0 +1 @@
+../../../shared/oval/accounts_minimum_age_login_defs.xml
\ No newline at end of file
diff --git a/Fedora/input/checks/accounts_password_minlen_login_defs.xml 
b/Fedora/input/checks/accounts_password_minlen_login_defs.xml
deleted file mode 100644
index e3ce130..0000000
--- a/Fedora/input/checks/accounts_password_minlen_login_defs.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-<def-group>
-
-  <definition class="compliance" id="accounts_password_minlen_login_defs" 
version="1">
-    <metadata>
-      <title>Set Password Expiration Parameters</title>
-      <affected family="unix">
-        <platform>Fedora 19</platform>
-      </affected>
-      <description>The password minimum length should be set 
appropriately.</description>
-    </metadata>
-    <criteria operator="AND">
-      <criterion test_ref="test_etc_login_defs" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all" comment="check PASS_MIN_LEN in /etc/login.defs" 
id="test_etc_login_defs" version="1">
-    <ind:object object_ref="object_etc_login_defs" />
-    <ind:state state_ref="state_accounts_password_minlen_login_defs" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_etc_login_defs" version="1">
-    <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^PASS_MIN_LEN\s+(\d+)\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_accounts_password_minlen_login_defs" 
version="1">
-    <ind:subexpression operation="greater than or equal" 
var_ref="var_accounts_password_minlen_login_defs" datatype="int" />
-  </ind:textfilecontent54_state>
-
-  <external_variable comment="password minimum length" datatype="int" 
id="var_accounts_password_minlen_login_defs" version="1" />
-
-</def-group>
diff --git a/Fedora/input/checks/accounts_password_minlen_login_defs.xml 
b/Fedora/input/checks/accounts_password_minlen_login_defs.xml
new file mode 120000
index 0000000..a434e9b
--- /dev/null
+++ b/Fedora/input/checks/accounts_password_minlen_login_defs.xml
@@ -0,0 +1 @@
+../../../shared/oval/accounts_password_minlen_login_defs.xml
\ No newline at end of file
diff --git a/Fedora/input/checks/accounts_password_warn_age_login_defs.xml 
b/Fedora/input/checks/accounts_password_warn_age_login_defs.xml
deleted file mode 100644
index 5230af1..0000000
--- a/Fedora/input/checks/accounts_password_warn_age_login_defs.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_password_warn_age_login_defs" 
version="1">
-    <metadata>
-      <title>Set Password Expiration Parameters</title>
-      <affected family="unix">
-        <platform>Fedora 19</platform>
-      </affected>
-      <description>The password expiration warning age should be set 
appropriately.</description>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_pass_warn_age" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all"
-  comment="Tests the value of PASS_WARN_AGE in /etc/login.defs"
-  id="test_pass_warn_age" version="1">
-    <ind:object object_ref="object_etc_login_defs_pass_warn_age" />
-    <ind:state state_ref="state_etc_login_defs_pass_warn_age" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_etc_login_defs_pass_warn_age"
-  version="1">
-    <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_etc_login_defs_pass_warn_age" 
version="1">
-    <ind:subexpression operation="greater than or equal" 
var_ref="var_accounts_password_warn_age_login_defs" datatype="int" />
-  </ind:textfilecontent54_state>
-
-  <external_variable comment="password expiration warning age in days" datatype="int" 
id="var_accounts_password_warn_age_login_defs" version="1" />
-
-</def-group>
diff --git a/Fedora/input/checks/accounts_password_warn_age_login_defs.xml 
b/Fedora/input/checks/accounts_password_warn_age_login_defs.xml
new file mode 120000
index 0000000..4f95fe1
--- /dev/null
+++ b/Fedora/input/checks/accounts_password_warn_age_login_defs.xml
@@ -0,0 +1 @@
+../../../shared/oval/accounts_password_warn_age_login_defs.xml
\ No newline at end of file
diff --git a/RHEL/6/input/checks/accounts_maximum_age_login_defs.xml 
b/RHEL/6/input/checks/accounts_maximum_age_login_defs.xml
deleted file mode 100644
index 5360e66..0000000
--- a/RHEL/6/input/checks/accounts_maximum_age_login_defs.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_maximum_age_login_defs" 
version="1">
-    <metadata>
-      <title>Set Password Expiration Parameters</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The maximum password age policy should meet
-      minimum requirements.</description>
-      <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
-    </metadata>
-    <criteria comment="the value PASS_MAX_DAYS should be set appropriately in 
/etc/login.defs">
-      <criterion test_ref="test_pass_max_days" />
-    </criteria>
-  </definition>
-
-  <ind:textfilecontent54_test check="all" comment="the value PASS_MAX_DAYS should be set appropriately in 
/etc/login.defs" id="test_pass_max_days" version="1">
-    <ind:object object_ref="object_etc_login_defs_pass_max" />
-    <ind:state state_ref="state_accounts_maximum_age_login_defs" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_etc_login_defs_pass_max" 
version="1">
-    <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_accounts_maximum_age_login_defs" 
version="1">
-    <ind:subexpression operation="less than or equal" 
var_ref="var_accounts_maximum_age_login_defs" datatype="int" />
-  </ind:textfilecontent54_state>
-
-  <external_variable comment="maximum password age" datatype="int" 
id="var_accounts_maximum_age_login_defs" version="1" />
-
-</def-group>
diff --git a/RHEL/6/input/checks/accounts_maximum_age_login_defs.xml 
b/RHEL/6/input/checks/accounts_maximum_age_login_defs.xml
new file mode 120000
index 0000000..496fd34
--- /dev/null
+++ b/RHEL/6/input/checks/accounts_maximum_age_login_defs.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_maximum_age_login_defs.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/accounts_maximum_age_login_defs.xml 
b/RHEL/7/input/checks/accounts_maximum_age_login_defs.xml
new file mode 120000
index 0000000..496fd34
--- /dev/null
+++ b/RHEL/7/input/checks/accounts_maximum_age_login_defs.xml
@@ -0,0 +1 @@
+../../../../shared/oval/accounts_maximum_age_login_defs.xml
\ No newline at end of file
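Review bot: this hunk creates the RHEL/7 link without a matching `deleted file` hunk, so RHEL/7 had no `accounts_maximum_age_login_defs.xml` check before this patch; the commit message's "[RHEL/7] The same" reads as a like-for-like replacement as in RHEL/6, whereas for RHEL/7 it is a newly added check. Suggest spelling that out in the commit message so the RHEL/7 content change is visible in the history.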
diff --git a/shared/oval/accounts_maximum_age_login_defs.xml 
b/shared/oval/accounts_maximum_age_login_defs.xml
new file mode 100644
index 0000000..211f259
--- /dev/null
+++ b/shared/oval/accounts_maximum_age_login_defs.xml
@@ -0,0 +1,37 @@
+<def-group>
+  <definition class="compliance" id="accounts_maximum_age_login_defs" 
version="1">
+    <metadata>
+      <title>Set Password Expiration Parameters</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
+      </affected>
+      <description>The maximum password age policy should meet
+      minimum requirements.</description>
+      <reference source="JL" ref_id="20140411" ref_url="test_attestation" />
+      <!-- Fedora 20: <reference source="JL" ref_id="20140411" 
ref_url="test_attestation" /> -->
+    </metadata>
+    <criteria comment="the value PASS_MAX_DAYS should be set appropriately in 
/etc/login.defs">
+      <criterion test_ref="test_pass_max_days" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="the value PASS_MAX_DAYS should be set appropriately in 
/etc/login.defs" id="test_pass_max_days" version="1">
+    <ind:object object_ref="object_etc_login_defs_pass_max" />
+    <ind:state state_ref="state_accounts_maximum_age_login_defs" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_etc_login_defs_pass_max" 
version="2">
+    <ind:filepath>/etc/login.defs</ind:filepath>
+    <ind:pattern operation="pattern 
match">^[\s]*PASS_MAX_DAYS[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_accounts_maximum_age_login_defs" 
version="1">
+    <ind:subexpression operation="less than or equal" 
var_ref="var_accounts_maximum_age_login_defs" datatype="int" />
+  </ind:textfilecontent54_state>
+
+  <external_variable comment="maximum password age" datatype="int" 
id="var_accounts_maximum_age_login_defs" version="1" />
+
+</def-group>
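Review bot: the regex tail `(?:|(?:#.*))?$` on the `PASS_MAX_DAYS` pattern is an optional group whose first alternative is empty, which is equivalent to the shorter `(?:#.*)?$`; suggest the simpler form, as the same tail is repeated in all four shared objects and the empty alternative only obscures what is accepted (optional whitespace, then an optional `#` comment to end of line). The object `version="2"` bump alongside the pattern change is correct.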
diff --git a/shared/oval/accounts_minimum_age_login_defs.xml 
b/shared/oval/accounts_minimum_age_login_defs.xml
index 03ada1e..6690bd4 100644
--- a/shared/oval/accounts_minimum_age_login_defs.xml
+++ b/shared/oval/accounts_minimum_age_login_defs.xml
@@ -5,9 +5,11 @@
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
          <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
        </affected>
        <description>The minimum password age policy should be set 
appropriately.</description>
-      <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140411" ref_url="test_attestation" />
+      <!-- Fedora 20: <reference source="JL" ref_id="20140411" 
ref_url="test_attestation" /> -->
      </metadata>
      <criteria comment="the value PASS_MIN_DAYS should be set appropriately in 
/etc/login.defs">
        <criterion test_ref="test_pass_min_days" />
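Review bot: the added `<!-- Fedora 20: <reference source="JL" ref_id="20140411" ref_url="test_attestation" /> -->` is identical to the live `<reference>` line just above it, so the comment records nothing the live line does not; if the intent is to keep RHEL and Fedora attestations separately, state in the comment which platform the live reference covers, otherwise drop the comment. Note also that the earlier `MED 20130807` attestation is replaced rather than kept alongside, so the prior RHEL 6 attestation leaves the file with this hunk.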
@@ -21,9 +23,9 @@
      <ind:state state_ref="state_etc_login_defs_pass_min_age" />
    </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_etc_login_defs_pass_min_age" version="1">
+  <ind:textfilecontent54_object id="object_etc_login_defs_pass_min_age" 
version="2">
      <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*PASS_MIN_DAYS[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
diff --git a/shared/oval/accounts_password_minlen_login_defs.xml b/shared/oval/accounts_password_minlen_login_defs.xml
index 2fc1556..cca79a4 100644
--- a/shared/oval/accounts_password_minlen_login_defs.xml
+++ b/shared/oval/accounts_password_minlen_login_defs.xml
@@ -6,9 +6,11 @@
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
          <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
        </affected>
        <description>The password minimum length should be set 
appropriately.</description>
-      <reference source="swells" ref_id="20130914" ref_url="test_attestation" 
/>
+      <reference source="JL" ref_id="20140411" ref_url="test_attestation" />
+      <!-- Fedora 20: <reference source="JL" ref_id="20140411" 
ref_url="test_attestation" /> -->
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="test_etc_login_defs" />
@@ -20,9 +22,9 @@
      <ind:state state_ref="state_accounts_password_minlen_login_defs" />
    </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_etc_login_defs" version="1">
+  <ind:textfilecontent54_object id="object_etc_login_defs" version="2">
      <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^PASS_MIN_LEN\s+(\d+)\s*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*PASS_MIN_LEN[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
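Review bot: of the four patterns touched by this series, `PASS_MIN_LEN` is the only one whose old expression anchored the key at column 0 (`^PASS_MIN_LEN\s+`); the new `^[\s]*PASS_MIN_LEN[\s]+` brings it in line with its siblings, so for this object the heading-space tolerance is a real behaviour change, not only the added comment tolerance. The summary's "allow heading spaces" covers it, but it would help to name this file as the one where that part actually changes.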
diff --git a/shared/oval/accounts_password_warn_age_login_defs.xml b/shared/oval/accounts_password_warn_age_login_defs.xml
index 583a3a4..7bc8780 100644
--- a/shared/oval/accounts_password_warn_age_login_defs.xml
+++ b/shared/oval/accounts_password_warn_age_login_defs.xml
@@ -5,9 +5,11 @@
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
          <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Fedora 20</platform>
        </affected>
        <description>The password expiration warning age should be set 
appropriately.</description>
-      <reference source="swells" ref_id="20130914" ref_url="test_attestation" 
/>
+      <reference source="JL" ref_id="20140411" ref_url="test_attestation" />
+      <!-- Fedora 20: <reference source="JL" ref_id="20140411" 
ref_url="test_attestation" /> -->
      </metadata>
      <criteria>
        <criterion test_ref="test_pass_warn_age" />
@@ -22,9 +24,9 @@
    </ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_etc_login_defs_pass_warn_age"
-  version="1">
+  version="2">
      <ind:filepath>/etc/login.defs</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*PASS_WARN_AGE[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
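Review bot: besides the comment tail, the separator between key and value tightens here from `[\s]*` to `[\s]+`: the old `PASS_WARN_AGE[\s]*(\d+)` would also match a line such as `PASS_WARN_AGE7` and read `7` out of a token that is not the `PASS_WARN_AGE` key, whereas the new pattern requires at least one whitespace character. That is a correctness fix in its own right and deserves a sentence in the commit message, which currently describes the change only as allowing heading spaces and trailing comments.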
-- 1.8.3.1

Ack

Noticed you dropped F19 and replaced with F20. IIRC this was to drop support for older Fedora releases? Absolutely no problems with that; just wanted to document the reason in the mailing list archives.
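To exercise the new `pattern match` expressions against the four input combinations named in the testing report, here is an added Python example (not code from the patch or from the scap-security-guide project). It copies the four patterns from the shared OVAL objects, runs them over a constructed `/etc/login.defs` sample, mimics `instance="1"` and the `less than or equal` / `greater than or equal` states with constructed threshold values standing in for the external variables, and checks that the `(?:|(?:#.*))?` tail behaves identically to the shorter `(?:#.*)?`. Python's `re` stands in for the OVAL engine's Perl-compatible matching, which is an assumption that holds for these constructs.

```python
import re

# Patterns copied from the patch's shared/oval/*.xml textfilecontent54_objects.
LOGIN_DEFS_PATTERNS = {
    "PASS_MAX_DAYS": r"^[\s]*PASS_MAX_DAYS[\s]+(\d+)[\s]*(?:|(?:#.*))?$",
    "PASS_MIN_DAYS": r"^[\s]*PASS_MIN_DAYS[\s]+(\d+)[\s]*(?:|(?:#.*))?$",
    "PASS_MIN_LEN":  r"^[\s]*PASS_MIN_LEN[\s]+(\d+)[\s]*(?:|(?:#.*))?$",
    "PASS_WARN_AGE": r"^[\s]*PASS_WARN_AGE[\s]+(\d+)[\s]*(?:|(?:#.*))?$",
}

# Same patterns with the tail written as "(?:#.*)?" (an editorial suggestion,
# not part of the patch) so the two forms can be compared line by line.
SIMPLIFIED_PATTERNS = {
    key: pat.replace(r"(?:|(?:#.*))?$", r"(?:#.*)?$")
    for key, pat in LOGIN_DEFS_PATTERNS.items()
}

# Comparison each shared state applies to the captured subexpression. The
# threshold values are constructed stand-ins for the external_variable inputs.
STATE_CHECKS = {
    "PASS_MAX_DAYS": ("less than or equal", 90),
    "PASS_MIN_DAYS": ("greater than or equal", 7),
    "PASS_MIN_LEN":  ("greater than or equal", 14),
    "PASS_WARN_AGE": ("greater than or equal", 7),
}

# Constructed sample covering heading spaces yes/no x trailing comment yes/no,
# plus a commented-out line and a malformed line that must not match.
SAMPLE_LOGIN_DEFS = """\
# constructed sample, not a real system file
PASS_MAX_DAYS 90
   PASS_MIN_DAYS 7
PASS_MIN_LEN 14 # trailing comment, no heading spaces
  PASS_WARN_AGE   5   # heading spaces and a trailing comment
#PASS_MAX_DAYS 99999
PASS_WARN_AGE7
"""


def matches(key, line, patterns=LOGIN_DEFS_PATTERNS):
    """True if `line` satisfies the pattern for `key`."""
    return re.match(patterns[key], line) is not None


def extract_values(text, patterns=LOGIN_DEFS_PATTERNS):
    """Return {key: int} from the first line matching each pattern, which is
    what instance="1" plus the numeric capture group select. Keys without a
    matching line are absent."""
    values = {}
    for key, pat in patterns.items():
        regex = re.compile(pat)
        for line in text.splitlines():
            m = regex.match(line)
            if m:
                values[key] = int(m.group(1))
                break
    return values


def evaluate(values, checks=STATE_CHECKS):
    """Apply each state's comparison; a missing key fails, as the OVAL test
    does when its object collects no item."""
    results = {}
    for key, (op, threshold) in checks.items():
        if key not in values:
            results[key] = False
        elif op == "less than or equal":
            results[key] = values[key] <= threshold
        else:
            results[key] = values[key] >= threshold
    return results


def patterns_equivalent(text):
    """True if the patch's patterns and the simplified ones agree on every line,
    both on whether they match and on the captured value."""
    for key in LOGIN_DEFS_PATTERNS:
        orig = re.compile(LOGIN_DEFS_PATTERNS[key])
        simp = re.compile(SIMPLIFIED_PATTERNS[key])
        for line in text.splitlines():
            a, b = orig.match(line), simp.match(line)
            if (a is None) != (b is None) or (a and a.group(1) != b.group(1)):
                return False
    return True


if __name__ == "__main__":
    found = extract_values(SAMPLE_LOGIN_DEFS)
    print("captured:", found)
    print("state results:", evaluate(found))
    print("simplified tail equivalent:", patterns_equivalent(SAMPLE_LOGIN_DEFS))
```

With the sample above, `PASS_WARN_AGE` is captured as 5 from the indented, commented line and then fails its `greater than or equal 7` state, while the commented-out `#PASS_MAX_DAYS 99999` line and the malformed `PASS_WARN_AGE7` are rejected by `^[\s]*KEY[\s]+`, which is the behaviour the patch's tighter separator is meant to guarantee.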
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
