Merge pull request ComplianceAsCode#11560 from jan-cerny/anssi_R31

ANSSI R31 updates

components/pam.yml

@@ -63,6 +63,7 @@ rules:
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth
 - accounts_password_set_max_life_existing
+- accounts_password_set_max_life_root
 - accounts_password_set_min_life_existing
 - accounts_password_set_warn_age_existing
 - accounts_password_warn_age_login_defs

controls/anssi.yml

@@ -717,26 +717,27 @@ controls:
     levels:
     - minimal
     notes: >-
-      The rules selected below establish a general password strength baseline of 100 bits,
-      inspired by DAT-NT-001 and the "Password Strenght Calculator"
-      (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
+      The rules selected below establish a general password strength baseline
+      of 100 bits, based on the recommendations of the technical note
+      "Recommandations relatives à l'authentification multifacteur et aux mots de passe"
+      (https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe)
 
       The baseline should be reviewed and tailored to the system's use case and needs.
     status: automated
     rules:
     # enable authselect to support following rules
     - enable_authselect
 
-    # Renew passwords every 90 days
-    - var_accounts_maximum_age_login_defs=90
-    - accounts_maximum_age_login_defs
+    # Set the maximum password age for the root account to 1 year
+    - var_accounts_maximum_age_root=365
+    - accounts_password_set_max_life_root
 
-    # Ensure passwords with minimum of 18 characters
-    - var_password_pam_minlen=18
+    # Ensure passwords with minimum of 15 characters
+    - var_password_pam_minlen=15
     - accounts_password_pam_minlen
     - cracklib_accounts_password_pam_minlen
     # Enforce password lenght for new accounts
-    - var_accounts_password_minlen_login_defs=18
+    - var_accounts_password_minlen_login_defs=15
     - accounts_password_minlen_login_defs
     # Require at Least 1 Special Character in Password
     - var_password_pam_ocredit=1

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml

@@ -0,0 +1,16 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_accounts_maximum_age_root") }}}
+- name: Change the maximum time period between password changes
+{{% if product in ["rhel7", "ol7"] %}}
+  ansible.builtin.command:
+    cmd: chage -M {{ var_accounts_maximum_age_root }} root
+{{% else %}}
+  ansible.builtin.user:
+    user: root
+    password_expire_max: '{{ var_accounts_maximum_age_root }}'
+{{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh

@@ -0,0 +1,8 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables("var_accounts_maximum_age_root") }}}
+chage -M $var_accounts_maximum_age_root root

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/oval/shared.xml

@@ -0,0 +1,22 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("A maximum password age should be set for the root account") }}}
+    <criteria>
+      <criterion comment="root max age"
+                 test_ref="test_accounts_password_set_max_life_root"/>
+    </criteria>
+  </definition>
+  <unix:shadow_test check="all" check_existence="at_least_one_exists" version="1"
+                    id="test_accounts_password_set_max_life_root"
+                    comment="root max age">
+    <unix:object object_ref="object_accounts_password_set_max_life_root"/>
+    <unix:state state_ref="state_accounts_password_set_max_life_root"/>
+  </unix:shadow_test>
+  <unix:shadow_object id="object_accounts_password_set_max_life_root" version="1">
+    <unix:username operation="equals">root</unix:username>
+  </unix:shadow_object>
+  <unix:shadow_state id="state_accounts_password_set_max_life_root" version="1">
+    <unix:chg_req operation="equals" var_ref="var_accounts_maximum_age_root" datatype="int"/>
+  </unix:shadow_state>
+  <external_variable id="var_accounts_maximum_age_root" datatype="int" comment="maximum password age in days" version="1"/>
+</def-group>

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml

@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Set Root Account Password Maximum Age'
+
+description: |-
+    Configure the root account to enforce a {{{ xccdf_value("var_accounts_maximum_age_root") }}}-day maximum password lifetime restriction by running the following command:
+    <pre>$ sudo chage -M {{{ xccdf_value("var_accounts_maximum_age_root") }}} root</pre>
+
+rationale: |-
+    Any password, no matter how complex, can eventually be cracked. Therefore,
+    passwords need to be changed periodically. If the operating system does
+    not limit the lifetime of passwords and force users to change their
+    passwords, there is the risk that the operating system passwords could be
+    compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-87665-6
+    cce@rhel8: CCE-87667-2
+    cce@rhel9: CCE-87668-0
+
+ocil_clause: 'any results are returned that are not associated with a system account'
+
+ocil: |-
+    Check whether the maximum time period for root account password is restricted to {{{ xccdf_value("var_accounts_maximum_age_root") }}} days with the following commands:
+
+    $ sudo awk -F: '$1 == "root" {print $1 " " $5}' /etc/shadow
+
+fixtext: |-
+    Configure non-compliant accounts to enforce a {{{ xccdf_value("var_accounts_maximum_age_root") }}}-day maximum password lifetime restriction.
+    $ sudo chage -M {{{ xccdf_value("var_accounts_maximum_age_root") }}} root
+

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/correct.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+# variables = var_accounts_maximum_age_root=365
+chage -M 365 root

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/wrong.fail.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+# variables = var_accounts_maximum_age_root=365
+chage -M 9999 root

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_root.var

@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Maximum Root Password Age'
+
+description: 'Maximum age of password in days for the root account'
+
+type: number
+
+interactive: false
+
+options:
+    365: 365
+    default: 99999

shared/references/cce-redhat-avail.txt

@@ -1110,9 +1110,6 @@ CCE-87661-5
 CCE-87662-3
 CCE-87663-1
 CCE-87664-9
-CCE-87665-6
-CCE-87667-2
-CCE-87668-0
 CCE-87669-8
 CCE-87671-4
 CCE-87672-2