Back to bug 2228468
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2023-08-02 12:23:19 UTC | Pool ID | sst_security_compliance_rhel_9 | |
| Milan Lysonek | 2023-08-02 14:26:10 UTC | Doc Type | If docs needed, set a value | Bug Fix |
| Doc Text | .Password age rules apply only to local users Some compliance profiles, eg. CIS or DISA STIG, contain rules checking password age and password expiration of user account passwords. Specifically, we are talking about these rules: accounts_password_set_max_life_existing, accounts_password_set_min_life_existing, accounts_password_set_warn_age_existing, accounts_set_post_pw_existing. Previously, these rules checked not only configuration of local users but they also evaluated configuration of remote users provided by network sources such as NSS. This behavior was caused by using the `getpwent()` system call in the OpenSCAP scanner. This behavior wasn't desired, behavior the remediation scripts weren't able to change the configuration of the remote users. Therefore, the internal implementation of the aforementioned rules has been changed to depend only on data present in the "/etc/shadow" file. That means no other sources of user metadata are read by the rules. As a result, the rules now consider only local users configuration. |
|||
| Red Hat One Jira (issues.redhat.com) | 2023-08-02 14:27:05 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-164214 | |
| Vojtech Polasek | 2023-08-03 08:49:40 UTC | Status | NEW | POST |
| Jiri Jaburek | 2023-08-08 14:58:47 UTC | Fixed In Version | scap-security-guide-0.1.69-1.el9_0 | |
| Status | POST | MODIFIED | ||
| errata-xmlrpc | 2023-08-10 08:15:00 UTC | Status | MODIFIED | ON_QA |
| Matus Marhefka | 2023-08-14 07:57:06 UTC | QA Contact | qe-baseos-security | mmarhefk |
| Status | ON_QA | VERIFIED |
Back to bug 2228468