From 03b64be158e85db73503c8bb6570a9d65f99ce50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 8 Feb 2024 09:35:06 +0100 Subject: [PATCH 1/3] Update a comment --- controls/anssi.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 665fd4073ca..127752206bf 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -716,9 +716,10 @@ controls: levels: - minimal notes: >- - The rules selected below establish a general password strength baseline of 100 bits, - inspired by DAT-NT-001 and the "Password Strenght Calculator" - (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/). + The rules selected below establish a general password strength baseline + of 100 bits, based on the recommendations of the technical note + "Recommandations relatives à l'authentification multifacteur et aux mots de passe" + (https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe) The baseline should be reviewed and tailored to the system's use case and needs. status: automated From caad06564e6a496e1ad6dd151dfbe6ff7ca78dc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 8 Feb 2024 09:35:25 +0100 Subject: [PATCH 2/3] Change password minimal lenght ANSSI password recommendiation https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe section 4.2 recommends at least 15 characters. --- controls/anssi.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 127752206bf..31209c9c93c 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -731,12 +731,12 @@ controls: - var_accounts_maximum_age_login_defs=90 - accounts_maximum_age_login_defs - # Ensure passwords with minimum of 18 characters - - var_password_pam_minlen=18 + # Ensure passwords with minimum of 15 characters + - var_password_pam_minlen=15 - accounts_password_pam_minlen - cracklib_accounts_password_pam_minlen # Enforce password lenght for new accounts - - var_accounts_password_minlen_login_defs=18 + - var_accounts_password_minlen_login_defs=15 - accounts_password_minlen_login_defs # Require at Least 1 Special Character in Password - var_password_pam_ocredit=1 From 48f435324a638df56f68df1fb642b489a9aa3441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 8 Feb 2024 16:02:15 +0100 Subject: [PATCH 3/3] Add a new rule accounts_password_set_max_life_root The new rule checks that maximum password age is set for the root user. This rule is similar to rule `accounts_maximum_age_login_defs` but that applies to all user accounts. The ANSSI password recommendation (https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe) recommends to not set the maximum age for common users, but it says that for the privileged users the maximum age should be configured to 1 to 3 years. We concluded to agree on 1 year. --- components/pam.yml | 1 + controls/anssi.yml | 6 ++-- .../ansible/shared.yml | 16 +++++++++ .../bash/shared.sh | 8 +++++ .../oval/shared.xml | 22 +++++++++++++ .../rule.yml | 33 +++++++++++++++++++ .../tests/correct.pass.sh | 3 ++ .../tests/wrong.fail.sh | 3 ++ .../var_accounts_maximum_age_root.var | 13 ++++++++ shared/references/cce-redhat-avail.txt | 3 -- 10 files changed, 102 insertions(+), 6 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/correct.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/wrong.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_root.var diff --git a/components/pam.yml b/components/pam.yml index 36b14ab41fd..cfe96a051d5 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -63,6 +63,7 @@ rules: - accounts_password_pam_unix_rounds_password_auth - accounts_password_pam_unix_rounds_system_auth - accounts_password_set_max_life_existing +- accounts_password_set_max_life_root - accounts_password_set_min_life_existing - accounts_password_set_warn_age_existing - accounts_password_warn_age_login_defs diff --git a/controls/anssi.yml b/controls/anssi.yml index 31209c9c93c..a1ae066411b 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -727,9 +727,9 @@ controls: # enable authselect to support following rules - enable_authselect - # Renew passwords every 90 days - - var_accounts_maximum_age_login_defs=90 - - accounts_maximum_age_login_defs + # Set the maximum password age for the root account to 1 year + - var_accounts_maximum_age_root=365 + - accounts_password_set_max_life_root # Ensure passwords with minimum of 15 characters - var_password_pam_minlen=15 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml new file mode 100644 index 00000000000..0960e05ace0 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/ansible/shared.yml @@ -0,0 +1,16 @@ +# platform = multi_platform_rhel +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +{{{ ansible_instantiate_variables("var_accounts_maximum_age_root") }}} +- name: Change the maximum time period between password changes +{{% if product in ["rhel7", "ol7"] %}} + ansible.builtin.command: + cmd: chage -M {{ var_accounts_maximum_age_root }} root +{{% else %}} + ansible.builtin.user: + user: root + password_expire_max: '{{ var_accounts_maximum_age_root }}' +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh new file mode 100644 index 00000000000..808365173de --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh @@ -0,0 +1,8 @@ +# platform = multi_platform_rhel +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +{{{ bash_instantiate_variables("var_accounts_maximum_age_root") }}} +chage -M $var_accounts_maximum_age_root root diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/oval/shared.xml new file mode 100644 index 00000000000..c37f1a4718f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/oval/shared.xml @@ -0,0 +1,22 @@ + + + {{{ oval_metadata("A maximum password age should be set for the root account") }}} + + + + + + + + + + root + + + + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml new file mode 100644 index 00000000000..3c05944018d --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/rule.yml @@ -0,0 +1,33 @@ +documentation_complete: true + +title: 'Set Root Account Password Maximum Age' + +description: |- + Configure the root account to enforce a {{{ xccdf_value("var_accounts_maximum_age_root") }}}-day maximum password lifetime restriction by running the following command: +
$ sudo chage -M {{{ xccdf_value("var_accounts_maximum_age_root") }}} root
+ +rationale: |- + Any password, no matter how complex, can eventually be cracked. Therefore, + passwords need to be changed periodically. If the operating system does + not limit the lifetime of passwords and force users to change their + passwords, there is the risk that the operating system passwords could be + compromised. + +severity: medium + +identifiers: + cce@rhel7: CCE-87665-6 + cce@rhel8: CCE-87667-2 + cce@rhel9: CCE-87668-0 + +ocil_clause: 'any results are returned that are not associated with a system account' + +ocil: |- + Check whether the maximum time period for root account password is restricted to {{{ xccdf_value("var_accounts_maximum_age_root") }}} days with the following commands: + + $ sudo awk -F: '$1 == "root" {print $1 " " $5}' /etc/shadow + +fixtext: |- + Configure non-compliant accounts to enforce a {{{ xccdf_value("var_accounts_maximum_age_root") }}}-day maximum password lifetime restriction. + $ sudo chage -M {{{ xccdf_value("var_accounts_maximum_age_root") }}} root + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/correct.pass.sh new file mode 100644 index 00000000000..2635cbb48d4 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/correct.pass.sh @@ -0,0 +1,3 @@ +#!/bin/bash +# variables = var_accounts_maximum_age_root=365 +chage -M 365 root diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/wrong.fail.sh new file mode 100644 index 00000000000..01cfb606c87 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/tests/wrong.fail.sh @@ -0,0 +1,3 @@ +#!/bin/bash +# variables = var_accounts_maximum_age_root=365 +chage -M 9999 root diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_root.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_root.var new file mode 100644 index 00000000000..33b118bfaac --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_root.var @@ -0,0 +1,13 @@ +documentation_complete: true + +title: 'Maximum Root Password Age' + +description: 'Maximum age of password in days for the root account' + +type: number + +interactive: false + +options: + 365: 365 + default: 99999 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 80c5472525f..70c92898e2b 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1111,9 +1111,6 @@ CCE-87661-5 CCE-87662-3 CCE-87663-1 CCE-87664-9 -CCE-87665-6 -CCE-87667-2 -CCE-87668-0 CCE-87669-8 CCE-87671-4 CCE-87672-2