Bug 2193151

Summary: Remediation should only update parameter values not parameter explanations
Product: Red Hat Enterprise Linux 9
Reporter: Marko Myllynen <myllynen>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: NEW
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 9.1
CC: ggasparb, matyc, mhaicman, mlysonek, openscap-maint, vpolasek
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug

Description Marko Myllynen 2023-05-04 13:38:07 UTC
Description of problem:
After remediating a RHEL 9.1 system (CIS Level 2 - Server), we see these changes in /etc/login.defs (among others):

 # Password aging controls:
 #
-#      PASS_MAX_DAYS   Maximum number of days a password may be used.
-#      PASS_MIN_DAYS   Minimum number of days allowed between password changes.
+#      PASS_MAX_DAYS     365
+#      PASS_MIN_DAYS     1
 #      PASS_MIN_LEN    Minimum acceptable password length.
 #      PASS_WARN_AGE   Number of days warning given before a password expires.
 #
-PASS_MAX_DAYS  99999
-PASS_MIN_DAYS  0
+PASS_MAX_DAYS     365
+PASS_MIN_DAYS     1
 PASS_WARN_AGE  7
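
Review bot: The `+#      PASS_MAX_DAYS     365` and `+#      PASS_MIN_DAYS     1` lines in the comment header were rewritten along with the active settings, which suggests the replacement matches the key even when the line begins with `#`. As a result the explanatory text for these two parameters is gone, while `PASS_MIN_LEN` and `PASS_WARN_AGE` keep theirs. The replacement should be limited to lines where the key is the first non-whitespace token (for example a match anchored as `^\s*PASS_MAX_DAYS\s`), leaving every line that starts with `#` untouched. The changes to the active lines (99999 to 365, 0 to 1) are the only ones needed for the new values to take effect.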

It looks unnecessary to update commented-out lines, as the description of the configuration parameters has now been removed.

This is a general suggestion; there might be more cases like this. Thanks.

Comment 2 RHEL Program Management 2023-08-17 14:26:27 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.