RHEL-1484

Remediation should only update parameter values not parameter explanations

    • rhel-sst-security-compliance
    • ssg_security

      Manually add some comments to /etc/login.defs (similar to issue description), e.g.:

       

      # PASS_MAX_DAYS 365
      # PASS_MIN_DAYS 1
      

      Remediate

      • set_password_hashing_algorithm_logindefs
      • accounts_maximum_age_login_defs
      • accounts_minimum_age_login_defs
      • accounts_password_minlen_login_defs
      • accounts_password_warn_age_login_defs

      And then check that comments are still there.

       

    • Pass
    • Release Note Not Required

      Description of problem:
      After remediating a RHEL 9.1 system (CIS Level 2 - Server) we see in /etc/login.defs these changes (among others):

      1. Password aging controls:
        #
        1. PASS_MAX_DAYS Maximum number of days a password may be used.
        2. PASS_MIN_DAYS Minimum number of days allowed between password changes.
          +# PASS_MAX_DAYS 365
          +# PASS_MIN_DAYS 1
      2. PASS_MIN_LEN Minimum acceptable password length.
      3. PASS_WARN_AGE Number of days warning given before a password expires.
        #
        -PASS_MAX_DAYS 99999
        -PASS_MIN_DAYS 0
        +PASS_MAX_DAYS 365
        +PASS_MIN_DAYS 1
        PASS_WARN_AGE 7
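      Review bot: The two added lines `+# PASS_MAX_DAYS 365` and `+# PASS_MIN_DAYS 1` land inside the comment header, which indicates that the remediation's line match also accepts lines beginning with `#`. The match should be limited to lines whose first token is the parameter name itself, so that only the active `PASS_MAX_DAYS` and `PASS_MIN_DAYS` settings are rewritten and the comment block is left byte-for-byte unchanged.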

      It looks unnecessary to update commented out lines as now the description of the configuration parameters has been removed.

      This is a general suggestion, there might be more cases like this. Thanks.
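
One way to get the behaviour this issue asks for, together with the "check that comments are still there" step from the test procedure. This is an added example, not the project's remediation code: `set_login_defs_value`, `make_sample`, `comments_unchanged` and `demo` are hypothetical names, and the sample file is constructed from the excerpt in the description.

```shell
# Added example, not the project's remediation code. Function names are
# hypothetical; the sample file is constructed from the issue's excerpt.

# Set KEY ($2) to VALUE ($3) in FILE ($1), rewriting only an active setting.
set_login_defs_value() {
    sl_tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        # First field equal to the key: an active setting. A commented line
        # has "#" or "#KEY" as its first field, so it never matches.
        $1 == key {
            if (!done) { print key " " value; done = 1 }
            next                                 # drop duplicate settings
        }
        { print }
        END { if (!done) print key " " value }   # key absent: append it
    ' "$1" > "$sl_tmp" && cat "$sl_tmp" > "$1"   # cat keeps owner and mode
    sl_rc=$?
    rm -f "$sl_tmp"
    return "$sl_rc"
}

# Write a constructed login.defs sample, including commented-out values.
make_sample() {
    printf '%s\n' \
        '# Password aging controls:' \
        '#   PASS_MAX_DAYS   Maximum number of days a password may be used.' \
        '#   PASS_MIN_DAYS   Minimum number of days allowed between password changes.' \
        '# PASS_MAX_DAYS 365' \
        '# PASS_MIN_DAYS 1' \
        '#' \
        'PASS_MAX_DAYS   99999' \
        'PASS_MIN_DAYS   0' \
        'PASS_WARN_AGE   7' > "$1"
}

# Succeed only if both files contain exactly the same comment lines.
comments_unchanged() {
    [ "$(grep '^[[:space:]]*#' "$1")" = "$(grep '^[[:space:]]*#' "$2")" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/login.defs"; cp "$d/login.defs" "$d/before"
    set_login_defs_value "$d/login.defs" PASS_MAX_DAYS 365
    set_login_defs_value "$d/login.defs" PASS_MIN_DAYS 1
    comments_unchanged "$d/before" "$d/login.defs" && echo "comments preserved"
    grep -v '^#' "$d/login.defs"
    rm -rf "$d"
}
demo
```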

              jcerny@redhat.com Jan Cerny
              myllynen Marko Myllynen
              Marcus Burghardt
              Jan Cerny
              Milan Lysonek