Bug 2057452

Summary: OpenSCAP should use a separate file for pwquality policy
Product: Red Hat Enterprise Linux 8
Reporter: Marko Myllynen <myllynen>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: NEW
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 8.5
CC: ekolesni, ggasparb, mhaicman, mlysonek, wsato
Target Milestone: rc
Keywords: Triaged
Target Release: 8.7
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug

Description Marko Myllynen 2022-02-23 12:24:24 UTC
Description of problem:
OpenSCAP uses a separate file under /etc/ssh/sshd_config.d to configure sshd, and this makes sense as it's then easy to see what the changes are, and reverting (if needed for some reason) to OS defaults is trivial.

Starting with RHEL 8 there is /etc/security/pwquality.conf.d that could/should be used to create system-local password quality policy configurations. This would be consistent with sshd configuration and would avoid editing system-provided default files. However, it should be noted that at least currently the priorities for configuration files are inconsistent between sshd and pwpolicy, see https://bugzilla.redhat.com/show_bug.cgi?id=2055604.

It would be helpful if OpenSCAP would use files under /etc/security/pwquality.conf.d to configure libpwquality. Thanks.

(If deemed too late for RHEL 8 then doing this for RHEL 9 would be great.)

Version-Release number of selected component (if applicable):
RHEL 8.5
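To show why a drop-in directory makes the effective policy easier to audit and to revert, here is an added example (not OpenSCAP's or libpwquality's own code) that resolves the effective pwquality settings from a main file plus a conf.d directory and records which file set each key. It assumes libpwquality's documented precedence (the main file is read first, then pwquality.conf.d/*.conf in lexical order, with later assignments overriding earlier ones); the file names and values are constructed.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical audit helper, not OpenSCAP or libpwquality code.
# Assumption: libpwquality reads /etc/security/pwquality.conf first, then
# /etc/security/pwquality.conf.d/*.conf sorted by name, and a later
# assignment of the same key overrides an earlier one.

def parse_pwquality(text):
    """Yield (key, value) pairs from pwquality.conf-style text (# starts a comment)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip()

def effective_policy(main_file, dropin_dir):
    """Return {key: (value, source_path)} after applying drop-in precedence."""
    files = []
    if main_file.is_file():
        files.append(main_file)
    if dropin_dir.is_dir():
        files.extend(sorted(p for p in dropin_dir.glob("*.conf") if p.is_file()))
    policy = {}
    for path in files:
        for key, value in parse_pwquality(path.read_text()):
            policy[key] = (value, str(path))  # later file wins, provenance kept
    return policy

def demo():
    """Build a constructed config tree in a temp dir and resolve it."""
    with tempfile.TemporaryDirectory() as tmp:
        main = Path(tmp, "pwquality.conf")
        dropins = Path(tmp, "pwquality.conf.d")
        dropins.mkdir()
        # Constructed sample: distro default file plus a site and a scanner drop-in.
        main.write_text("# system default\nminlen = 8\ndcredit = 0\n")
        (dropins / "10-site.conf").write_text("minlen = 12\nucredit = -1\n")
        (dropins / "90-openscap.conf").write_text("minlen = 15  # hardened\nretry = 3\n")
        return {k: (v, os.path.basename(src))
                for k, (v, src) in effective_policy(main, dropins).items()}
```

Deleting a single drop-in file restores whatever the lower-priority files define, which is the revert property the description asks for.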

Comment 1 Milan Lysonek 2022-07-28 13:49:03 UTC
Moving ITR to 8.8, because we won't manage to deliver the fix in 8.7.

Comment 2 Marko Myllynen 2023-05-05 10:02:44 UTC
Given that with RHEL 8.8 / RHEL 9.2 we will have /etc/security/pwhistory.conf but not /etc/security/pwhistory.conf.d, and that https://bugzilla.redhat.com/show_bug.cgi?id=2055604 remains unfixed, perhaps it could be considered leaving this as-is, at least as long as the other areas are inconsistent. Thanks.