ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

needs mapping/rule: SRG-OS-000075-GPOS-00043, SV-86551r1_rule, RHEL-07-010240 #1823

Closed shawndwells closed 6 years ago

shawndwells commented 7 years ago
<Group id="V-71927"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86551r1_rule" severity="medium" weight="10.0"><version>RHEL-07-010240</version><title>Passwords must be restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000198</ident><fixtext fixref="F-78279r1_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:

# chage -m 1 [user]</fixtext><fix id="F-78279r1_fix" /><check system="C-72159r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check whether the minimum time period between password changes for each user account is one day or greater.

# awk -F: '$4 &lt; 1 {print $1}' /etc/shadow

If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group>
shawndwells commented 7 years ago

As with the passwd file, each field in the shadow file is separated with ":" colon characters; the fields are as follows:

Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.

Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``'' entry (eg. ::) indicates the account has been disabled.

The number of days (since January 1, 1970) since the password was last changed.

The number of days before password may be changed (0 indicates it may be changed at any time)

The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)

The number of days to warn user of an expiring password (7 for a full week)

The number of days after password expires that account is disabled

The number of days since January 1, 1970 that an account has been disabled
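
The STIG check quoted above only prints every account whose fourth /etc/shadow field is below 1, and leaves "not associated with a system account" to the reviewer. The script below is an added example (not the STIG's check text and not the ComplianceAsCode rule's own OVAL or remediation): it joins the shadow fields described in the comment above with /etc/passwd so that only interactive accounts are reported, treats an empty field 4 as "no minimum" (a finding as well), and emits the corresponding `chage -m 1` fix commands without running them. The passwd and shadow contents are constructed sample data, and the UID_MIN of 1000 and the exclusion of UID 65534 (nobody) are assumptions standing in for the host's /etc/login.defs.

```shell
#!/bin/sh
# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
svc:x:995:995:service account:/var/lib/svc:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

# Field 4 (min days): root/bin/svc/alice = 0, bob = 1, carol = empty, nobody = 0.
SHADOW_SAMPLE='root:$6$salt$hash:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
svc:!!:17000:0:99999:7:::
alice:$6$salt$hash:17000:0:99999:7:::
bob:$6$salt$hash:17000:1:99999:7:::
carol:$6$salt$hash:17000::99999:7:::
nobody:*:17000:0:99999:7:::'

# Print the names of interactive users (UID >= UID_MIN, excluding nobody) whose
# minimum password age in /etc/shadow field 4 is below 1 day or unset.
# Usage: find_min_age_findings "$passwd_contents" "$shadow_contents" [uid_min]
find_min_age_findings() {
    passwd_data=$1
    shadow_data=$2
    uid_min=${3:-1000}   # assumed UID_MIN; on a real host read it from /etc/login.defs

    # Interactive account names, one per line, taken from /etc/passwd field 3 (UID).
    users=$(printf '%s\n' "$passwd_data" |
        awk -F: -v min="$uid_min" '$3 >= min && $3 != 65534 { print $1 }')

    # Keep only those names and apply the STIG test to shadow field 4.
    # An empty field means "no minimum", which the STIG's awk also reports.
    printf '%s\n' "$shadow_data" | awk -F: -v list="$users" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && ($4 == "" || $4 + 0 < 1) { print $1 }'
}

# Turn the findings into the STIG fix text, one "chage -m 1 <user>" per line.
# The commands are printed, not executed; review them before running as root.
remediation_commands() {
    find_min_age_findings "$@" | sed 's/^/chage -m 1 /'
}

# Stand-alone run against the constructed data.
echo "Findings (non-system accounts with minimum password age < 1 day):"
find_min_age_findings "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" 1000
echo "Proposed remediation:"
remediation_commands "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" 1000
```

On a live RHEL 7 host the inputs would be `"$(cat /etc/passwd)"` and `"$(cat /etc/shadow)"`, so the check needs root; root itself (UID 0) is filtered out as a system account even though its field 4 is 0, which matches the STIG's "not associated with a system account" wording but may still be worth setting by policy.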

shawndwells commented 6 years ago

mapped @ https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing.rule#L28

yuumasato commented 6 years ago

@shawndwells Thank you for looking into all these mappings!