<div dir="ltr">Thanks Jan<div>That seems to have solved that one issue. I'll keep trying on the others and see if I can figure out what's linked to what!</div><div><br></div><div><br></div><div>Will</div></div><div class="gmail_extra"> <br><br><div class="gmail_quote">On Thu, Oct 24, 2013 at 12:47 PM, Jan Lieskovsky <span dir="ltr"><<a href="mailto:jlieskov@redhat.com" target="_blank">jlieskov@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hello Will,<br> <br> thank you for checking with us.<br> <div class="im"><br> ----- Original Message -----<br> > From: "wm-lists" <<a href="mailto:wm-lists@nixpeeps.com">wm-lists@nixpeeps.com</a>><br> > To: <a href="mailto:open-scap-list@redhat.com">open-scap-list@redhat.com</a><br> > Sent: Thursday, October 24, 2013 2:52:41 PM<br> > Subject: [Open-scap] issue with PASS_MIN_DAYS validation<br> ><br> > I'm using scap-security-guide-0.1-12.el6.noarch as my source from<br> ><br> > <a href="http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/" target="_blank">http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPMS/noarch/</a><br> ><br> > Running oscap xccdf eval --profile server<br> > /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml<br> <br> </div>The 'server' profile extends 'common' profile. Having a look at 'common' profile<br> definition:<br> [1] <a href="http://people.redhat.com/swells/scap-security-guide/RHEL6/input/profiles/common.xml" target="_blank">http://people.redhat.com/swells/scap-security-guide/RHEL6/input/profiles/common.xml</a><br> <br> it can be seen that =><br> <div class="im"><br> > Generates a failure for<br> > Title Set Password Minimum Age<br> > Rule password_min_age<br> > Ident CCE-27013-2<br> > Result fail<br> ><br> <br> </div><refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/><br> <br> <br> the profile requires / specifies the minimum password login age to be<br> set to value of 7 the rule to succeed.<br> <br> Generally profiles can define their own requirements (via particular variable<br> definition) how particular rule should be evaluated for success (IOW the<br> values specified in the profile might differ with values specified in the HTML form<br> of the guide:<br> [2] <a href="http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-guide.html" target="_blank">http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-guide.html</a><br> <div class="im"><br> > Title Set Password Maximum Age<br> > Rule password_max_age<br> > Ident CCE-26985-2<br> > Result fail<br> <br> </div>Similar for max password age:<br> <br> <refine-value idref="var_accounts_maximum_age_login_defs" selector="90"/><br> <br> <br> Value at most 90 is required the test to succeed.<br> <br> For the rest of the rules I didn't search for exact details,<br> but assuming the explanation would be the same.<br> <br> Hope the above being helpful. Let us know if we can be of any further<br> assistance.<br> <br> Regards, Jan.<br> --<br> Jan iankko Lieskovsky / Red Hat Security Technologies Team<br> <div><div class="h5"><br> ><br> > Title Set Password Strength Minimum Uppercase Characters<br> > Rule password_require_uppercases<br> > Ident CCE-26601-5<br> > Result fail<br> ><br> > Title Set Password Strength Minimum Special Characters<br> > Rule password_require_specials<br> > Ident CCE-26409-3<br> > Result fail<br> ><br> > Title Set Password Strength Minimum Lowercase Characters<br> > Rule password_require_lowercases<br> > Ident CCE-26631-2<br> > Result fail<br> ><br> > Among others.<br> > I have cracklib configured what I believe is correct (according to the CCE)<br> > # grep cracklib /etc/pam.d/system-auth-ac<br> > password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1<br> > lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type=<br> > # grep PASS /etc/login.defs<br> ><br> > PASS_MAX_DAYS 180<br> > PASS_MIN_DAYS 1<br> > PASS_MIN_LEN 14<br> > PASS_WARN_AGE 7<br> ><br> > Any help on what I might be missing here?<br> ><br> > Thanks!<br> > Will<br> ><br> ><br> ><br> </div></div>> _______________________________________________<br> > Open-scap-list mailing list<br> > <a href="mailto:Open-scap-list@redhat.com">Open-scap-list@redhat.com</a><br> > <a href="https://www.redhat.com/mailman/listinfo/open-scap-list" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a><br> </blockquote></div><br></div>