add new rule accounts_password_pam_pwquality_conf_retry

components/libpwquality.yml

@@ -3,3 +3,4 @@ packages:
 - libpwquality
 rules:
 - package_pam_pwquality_installed
+- accounts_password_pam_pwquality_conf_retry

components/pam.yml

@@ -9,7 +9,7 @@ groups:
 - password_expiration
 - password_quality
 - password_quality_pamcracklib
-- password_quality_pwquality
+- password_quality_pam_pwquality
 name: pam
 packages:
 - pam

controls/stig_rhel9.yml

@@ -2783,9 +2783,11 @@ controls:
             RHEL 9 must ensure the password complexity module in the system-auth file
             is configured for three retries or less.
         rules:
-            - accounts_password_pam_retry
+            - accounts_password_pam_pwquality_conf_retry
             - var_password_pam_retry=3
         status: automated
+        notes: |-
+            We check only the /etc/security/pwquality.conf, rule should be extended to check also /etc/security/pwquality.conf.d directory content.
 
     -   id: RHEL-09-611025
         levels:

docs/templates/template_reference.md

@@ -609,6 +609,8 @@ When the remediation is applied duplicate occurrences of `key` are removed.
 
     - **value** - the value the key should have in the specified path
 
+    - **xccdf_variable** - use value stored in an XCCDF variable instead of hardcoded value
+
     - **app** - optional. If not set the check will use the default text `The respective application or service`.
       If set, the `app` is used within sentences like: "`application` is configured correctly and configuration file exists"
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_libpwquality/accounts_password_pam_pwquality_conf_retry/rule.yml

@@ -0,0 +1,41 @@
+documentation_complete: true
+
+
+title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session in /etc/security/pwquality.conf'
+
+description: |-
+    To configure the number of retry prompts that are permitted per-session:
+    Edit the <tt>/etc/security/pwquality.conf</tt> to include
+    <tt>retry={{{xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if site
+    policy is more restrictive. The DoD requirement is a maximum of 3 prompts
+    per session.
+
+rationale: |-
+    Setting the password retry prompts that are permitted on a per-session basis to a low value
+    requires some software, such as SSH, to re-connect. This can slow down and
+    draw additional attention to some types of password-guessing attacks. Note that this
+    is different from account lockout, which is provided by the pam_faillock module.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86492-6
+
+references:
+    disa: CCI-004066,CCI-000192
+    srg: SRG-OS-000069-GPOS-00037
+
+ocil_clause: 'the value of "retry" is set to "0" or greater than "{{{ xccdf_value("var_password_pam_retry") }}}", or is missing'
+
+ocil: |-
+    Verify {{{ full_name }}} is configured to limit the "pwquality" retry option to {{{ xccdf_value("var_password_pam_retry") }}}.
+
+    Check for the use of the "pwquality" retry option in the pwquality.conf file with the following command:
+    <pre>$ grep retry /etc/security/pwquality.conf</pre>
+
+template:
+    name: key_value_pair_in_file
+    vars:
+        path: /etc/security/pwquality.conf
+        key: retry
+        xccdf_variable: var_password_pam_retry

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_libpwquality/group.yml

@@ -0,0 +1,6 @@
+documentation_complete: true
+
+title: 'Set Password Quality Requirements with pam_pwquality'
+
+description: |-
+    Use the file <tt>/etc/security/pwquality.conf</tt> for configuring various aspects of password quality.

shared/macros/10-oval.jinja

@@ -43,15 +43,22 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 :type section: str
 :param quotes: If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
 :type quotes: str
+:param xccdf_variable: the name of an XCCDF variable carrying the value, this conflicts with the value parameter
+:type xccdf_variable: str
 
 #}}
-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='', xccdf_variable="") -%}}
 {{%- if application == '' -%}}
 	{{%- set application = "The respective application or service" -%}}
 {{%- endif -%}}
+{{%- if xccdf_variable -%}}
+{{%- set description= "Ensure '" + parameter + "' is configured with value configured through XCCDF variable " + xccdf_variable + (" in section '" + section if section else "") + "' in " + path -%}}
+{{%- else -%}}
+{{%- set description="Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in " + path -%}}
+{{%- endif -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in " + path) }}}
+    {{{ oval_metadata(description) }}}
     {{%- if missing_config_file_fail %}}
     <criteria comment="{{{ application }}} is configured correctly and configuration file exists"
     operator="AND">
@@ -84,9 +91,19 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
     </criteria>
     {{%- endif %}}
   </definition>
+
+  {{% if xccdf_variable %}}
+  {{{ oval_line_in_file_define_variable(xccdf_variable, datatype="string") }}}
+  {{% endif %}}
+
   {{{ oval_line_in_file_test(path, parameter) }}}
   {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
+  {{%- if xccdf_variable -%}}
+  {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype="string") }}}
+  {{%- else -%}}
   {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
+  {{%- endif -%}}
+
   {{%- if missing_parameter_pass %}}
   {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
   {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}

shared/references/cce-redhat-avail.txt

@@ -36,7 +36,6 @@ CCE-86481-9
 CCE-86482-7
 CCE-86483-5
 CCE-86484-3
-CCE-86492-6
 CCE-86493-4
 CCE-86494-2
 CCE-86496-7

shared/templates/key_value_pair_in_file/ansible.template

@@ -4,4 +4,9 @@
 # complexity = low
 # disruption = low
 
+{{% if XCCDF_VARIABLE %}}
+{{{ ansible_instantiate_variables(XCCDF_VARIABLE) }}}
+{{{ ansible_set_config_file(msg, PATH, KEY, value="{{ "+XCCDF_VARIABLE+" }}", create=true, separator=SEP, separator_regex=SEP_REGEX, prefix_regex=PREFIX_REGEX) }}}
+{{% else %}}
 {{{ ansible_set_config_file(msg, PATH, KEY, value=VALUE, create=true, separator=SEP, separator_regex=SEP_REGEX, prefix_regex=PREFIX_REGEX) }}}
+{{% endif %}}

shared/templates/key_value_pair_in_file/bash.template

@@ -4,4 +4,9 @@
 # complexity = low
 # disruption = low
 
+{{% if XCCDF_VARIABLE %}}
+{{{ bash_instantiate_variables(XCCDF_VARIABLE) }}}
+{{{ set_config_file(PATH, KEY, value="$" ~ XCCDF_VARIABLE, create='yes', separator=SEP, separator_regex=SEP_REGEX, prefix_regex=PREFIX_REGEX) -}}}
+{{% else %}}
 {{{ set_config_file(PATH, KEY, value=VALUE, create='yes', separator=SEP, separator_regex=SEP_REGEX, prefix_regex=PREFIX_REGEX) -}}}
+{{% endif %}}

shared/templates/key_value_pair_in_file/oval.template

@@ -1 +1,5 @@
+{{%- if XCCDF_VARIABLE -%}}
+{{{ oval_check_config_file(PATH, prefix_regex=PREFIX_REGEX, parameter=KEY, separator_regex=SEP_REGEX, xccdf_variable=XCCDF_VARIABLE, application=APP, missing_config_file_fail=true) }}}
+{{%- else -%}}
 {{{ oval_check_config_file(PATH, prefix_regex=PREFIX_REGEX, parameter=KEY, separator_regex=SEP_REGEX, value=VALUE, application=APP, missing_config_file_fail=true) }}}
+{{%- endif -%}}

shared/templates/key_value_pair_in_file/template.py

@@ -1,4 +1,18 @@
+def set_variables_for_test_scenarios(data):
+    if not data.get("value"):
+        # this implies XCCDF variable is used
+        data["correct_value"] = "correct_value"
+    else:
+        data["correct_value"] = str(data["value"])
+
+    return data
+
+
 def preprocess(data, lang):
+    if data.get("value") is not None and data.get("xccdf_variable") is not None:
+        errmsg = ("The template definition of {0} specifies both value and xccdf_variable."
+                  "This is forbidden.".format(data["_rule_id"]))
+        raise ValueError(errmsg)
     if "sep" not in data:
         data["sep"] = " = "
 
@@ -10,4 +24,5 @@ def preprocess(data, lang):
 
     if "app" not in data:
         data["app"] = ""
+    data = set_variables_for_test_scenarios(data)
     return data

shared/templates/key_value_pair_in_file/tests/commented_value.fail.sh

@@ -1,7 +1,11 @@
 #!/bin/bash
 
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
 mkdir -p $(dirname {{{ PATH }}})
 touch {{{ PATH }}}
 
 sed -i "/{{{ KEY }}}/d" "{{{ PATH }}}"
-echo "# {{{ KEY }}}{{{ SEP }}}{{{ VALUE }}}" >> "{{{ PATH }}}"
+echo "# {{{ KEY }}}{{{ SEP }}}{{{ CORRECT_VALUE }}}" >> "{{{ PATH }}}"

shared/templates/key_value_pair_in_file/tests/conflicting_values.fail.sh

@@ -1,8 +1,12 @@
 #!/bin/bash
 
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
 mkdir -p $(dirname {{{ PATH }}})
 touch {{{ PATH }}}
 
 sed -i "/{{{ KEY }}}/d" "{{{ PATH }}}"
-echo "{{{ KEY }}}{{{ SEP }}}{{{ VALUE }}}" >> "{{{ PATH }}}"
+echo "{{{ KEY }}}{{{ SEP }}}{{{ CORRECT_VALUE }}}" >> "{{{ PATH }}}"
 echo "{{{ KEY }}}{{{ SEP }}}wrong_value" >> "{{{ PATH }}}"

shared/templates/key_value_pair_in_file/tests/correct_value.pass.sh

@@ -1,7 +1,11 @@
 #!/bin/bash
 
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
 mkdir -p $(dirname {{{ PATH }}})
 touch {{{ PATH }}}
 
 sed -i "/{{{ KEY }}}/d" "{{{ PATH }}}"
-echo "{{{ KEY }}}{{{ SEP }}}{{{ VALUE }}}" >> "{{{ PATH }}}"
+echo "{{{ KEY }}}{{{ SEP }}}{{{ CORRECT_VALUE }}}" >> "{{{ PATH }}}"

shared/templates/key_value_pair_in_file/tests/duplicate_values.pass.sh

@@ -1,8 +1,12 @@
 #!/bin/bash
 
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
 mkdir -p $(dirname {{{ PATH }}})
 touch {{{ PATH }}}
 
 sed -i "/{{{ KEY }}}/d" "{{{ PATH }}}"
-echo "{{{ KEY }}}{{{ SEP }}}{{{ VALUE }}}" >> "{{{ PATH }}}"
-echo "{{{ KEY }}}{{{ SEP }}}{{{ VALUE }}}" >> "{{{ PATH }}}"
+echo "{{{ KEY }}}{{{ SEP }}}{{{ CORRECT_VALUE }}}" >> "{{{ PATH }}}"
+echo "{{{ KEY }}}{{{ SEP }}}{{{ CORRECT_VALUE }}}" >> "{{{ PATH }}}"

shared/templates/key_value_pair_in_file/tests/wrong_value.fail.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+{{%- if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
 mkdir -p $(dirname {{{ PATH }}})
 touch {{{ PATH }}}
 

tests/data/profile_stability/rhel9/stig.profile

@@ -55,7 +55,7 @@ selections:
 - accounts_password_pam_ocredit
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
-- accounts_password_pam_retry
+- accounts_password_pam_pwquality_conf_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth

tests/data/profile_stability/rhel9/stig_gui.profile

@@ -67,7 +67,7 @@ selections:
 - accounts_password_pam_ocredit
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
-- accounts_password_pam_retry
+- accounts_password_pam_pwquality_conf_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth