Merge pull request #12965 from vojtapolasek/new_rule_account_password…

…_pwquality_retry

add new stig rule accounts_password_pam_pwquality_retry

components/pam.yml

@@ -64,6 +64,7 @@ rules:
 - accounts_password_pam_pwhistory_remember_system_auth
 - accounts_password_pam_pwhistory_use_authtok
 - accounts_password_pam_pwquality_password_auth
+- accounts_password_pam_pwquality_retry
 - accounts_password_pam_pwquality_system_auth
 - accounts_password_pam_pwquality_enabled
 - accounts_password_pam_retry

controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml

@@ -7,7 +7,7 @@ controls:
         rules:
             - var_password_pam_retry=3
             - accounts_password_pam_enforce_root
-            - accounts_password_pam_retry
+            - accounts_password_pam_pwquality_retry
             - accounts_password_pam_ucredit
             - accounts_password_pam_pwquality_password_auth
             - accounts_password_pam_pwquality_system_auth

controls/stig_rhel9.yml

@@ -2786,7 +2786,7 @@ controls:
             RHEL 9 must ensure the password complexity module in the system-auth file
             is configured for three retries or less.
         rules:
-            - accounts_password_pam_retry
+            - accounts_password_pam_pwquality_retry
             - var_password_pam_retry=3
         status: automated
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/policy/stig/shared.yml

@@ -0,0 +1,40 @@
+srg_requirement: |-
+    {{{ full_name }}} must ensure the password complexity module in the system-auth file is configured for three retries or less.
+
+vuldiscussion: |-
+    Use of a complex password helps to increase the time and resources required
+    to compromise the password. Password complexity, or strength, is a measure
+    of the effectiveness of a password in resisting attempts at guessing and
+    brute-force attacks. "pwquality" enforces complex password construction
+    configuration and has the ability to limit brute-force attacks on the
+    system.
+
+    {{{ full_name }}} uses "pwquality" as a mechanism to enforce password
+    complexity. This is set in both:
+
+    <tt>/etc/pam.d/password-auth</tt>
+    <tt>/etc/pam.d/system-auth</tt>
+
+    By limiting the number of attempts to meet the pwquality module complexity
+    requirements before returning with an error, the system will audit abnormal
+    attempts at password changes.
+
+checktext: |-
+    Verify {{{ full_name }}} is configured to limit the "pwquality" retry option to "3".
+
+    Check for the use of the retry option in the security directory with the following command:
+
+    <pre>$ grep -w retry /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf</pre>
+
+    <pre>retry = 3</pre>
+
+    If the value of "retry" is set to "0" or greater than "3", or is missing,
+    this is a finding.
+
+
+fixtext: |-
+    Add or update the following line in the "/etc/security/pwquality.conf" file
+    or a file in the "/etc/security/pwquality.conf.d/" directory to contain the
+    "retry" parameter:
+
+    <pre>retry = 3</pre>

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_retry/rule.yml

@@ -0,0 +1,42 @@
+documentation_complete: true
+
+
+title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in /etc/security/pwquality.conf'
+
+description: |-
+    To configure the number of retry prompts that are permitted per-session:
+    Edit the <tt>/etc/security/pwquality.conf</tt> to include
+    <tt>retry={{{xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if site
+    policy is more restrictive. The DoD requirement is a maximum of 3 prompts
+    per session.
+
+rationale: |-
+    Setting the password retry prompts that are permitted on a per-session basis to a low value
+    requires some software, such as SSH, to re-connect. This can slow down and
+    draw additional attention to some types of password-guessing attacks. Note that this
+    is different from account lockout, which is provided by the pam_faillock module.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86502-2
+    cce@rhel10: CCE-90663-6
+
+references:
+    disa: CCI-004066,CCI-000192
+    srg: SRG-OS-000069-GPOS-00037
+
+ocil_clause: 'the value of "retry" is set to "0" or greater than "{{{ xccdf_value("var_password_pam_retry") }}}", or is missing'
+
+ocil: |-
+    Verify {{{ full_name }}} is configured to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}.
+
+    Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command:
+    <pre>$ grep retry /etc/security/pwquality.conf</pre>
+
+template:
+    name: accounts_password
+    vars:
+        variable: retry
+        operation: less than or equal
+        zero_comparison_operation: greater than

shared/references/cce-redhat-avail.txt

@@ -42,7 +42,6 @@ CCE-86498-3
 CCE-86499-1
 CCE-86500-6
 CCE-86501-4
-CCE-86502-2
 CCE-86527-9
 CCE-86530-3
 CCE-86535-2
@@ -2523,7 +2522,6 @@ CCE-90654-5
 CCE-90655-2
 CCE-90659-4
 CCE-90662-8
-CCE-90663-6
 CCE-90665-1
 CCE-90667-7
 CCE-90668-5

tests/data/profile_stability/rhel9/stig.profile

@@ -55,7 +55,7 @@ selections:
 - accounts_password_pam_ocredit
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
-- accounts_password_pam_retry
+- accounts_password_pam_pwquality_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth

tests/data/profile_stability/rhel9/stig_gui.profile

@@ -67,7 +67,7 @@ selections:
 - accounts_password_pam_ocredit
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
-- accounts_password_pam_retry
+- accounts_password_pam_pwquality_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth