ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

accounts_password_set_max_life_existing is misaligned with DISA #10083

Open comps opened 1 year ago

comps commented 1 year ago

Description of problem:

fail with

Misalignments not passing after waiving:
  CCE-82473-0 CCI-000199 - SV-230367r627750_rule accounts_password_set_max_life_existing                                    pass - fail 

SCAP Security Guide Version:

master as of 2023-01-16

Operating System Version:

RHEL-8.8

Steps to Reproduce:

  1. compare_results.py ssg-stig-viewer.xml disa-xccdf-arf-results.xml

yuumasato commented 1 year ago

This is an issue with DISA's SCAP that has been reported to them already.

The test needs to have its check_existence changed to any_exist, as it is failing if there is no user with UID >= 1000. Also, a colon needs to be added to avoid matching a substring of another user. For example, the adm and admin users.

fix_RHEL-08-020210-SV-230367r627750_rule.diff.txt
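
A simplified model of the two defects described in the comment above, added here as an example; it is not the DISA OVAL or the attached patch. The account names, file contents, function names and the 60-day threshold are constructed assumptions, and `at_least_one_exists` stands for the existence behaviour that fails when nothing is collected.

```python
import re

# Constructed sample data (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
opsagent:x:980:980::/var/lib/opsagent:/sbin/nologin
ops:x:1001:1001::/home/ops:/bin/bash
"""
SHADOW = """\
root:$6$x:19000:0:60:7:::
opsagent:!!:19000:0:99999:7:::
ops:$6$y:19000:0:60:7:::
"""
PASSWD_NO_REGULAR_USERS = "root:x:0:0:root:/root:/bin/bash\n"
SHADOW_NO_REGULAR_USERS = "root:$6$x:19000:0:60:7:::\n"


def regular_users(passwd, min_uid=1000):
    """Names of accounts whose UID is at or above min_uid."""
    rows = (line.split(":") for line in passwd.splitlines() if line)
    return [r[0] for r in rows if int(r[2]) >= min_uid]


def collect_max_days(passwd, shadow, anchor_colon):
    """Return {shadow account: max-days field} for lines selected by user name."""
    found = {}
    for name in regular_users(passwd):
        # Without the trailing colon, "^ops" also selects the "opsagent" line.
        pattern = "^" + re.escape(name) + (":" if anchor_colon else "")
        for line in shadow.splitlines():
            if re.match(pattern, line):
                fields = line.split(":")
                found[fields[0]] = fields[4]
    return found


def evaluate(passwd, shadow, anchor_colon, check_existence, max_days=60):
    """Return 'pass' or 'fail' for the modelled check (max_days is assumed)."""
    found = collect_max_days(passwd, shadow, anchor_colon)
    if not found:
        # any_exist accepts an empty collection; at_least_one_exists does not.
        return "pass" if check_existence == "any_exist" else "fail"
    ok = all(v.isdigit() and 0 < int(v) <= max_days for v in found.values())
    return "pass" if ok else "fail"
```
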

yuumasato commented 1 year ago

This was first noted on disa-stig-rhel8-v1r5-xccdf-scap.xml and as of disa-stig-rhel8-v1r8-xccdf-scap.xml, has not been fixed yet.

Mab879 commented 11 months ago

This issue still exists in disa-stig-rhel8-v1r10-xccdf-scap.xml.