Bug 2213958
Summary: | Rules "Set Existing Passwords Maximum/Minimum Age" apply to non-local users as well | |
---|---|---|---
Product: | Red Hat Enterprise Linux 9 | Reporter: | Renaud Métrich <rmetrich>
Component: | scap-security-guide | Assignee: | Jan Černý <jcerny>
Status: | CLOSED ERRATA | QA Contact: | Milan Lysonek <mlysonek>
Severity: | medium | Docs Contact: | Jan Fiala <jafiala>
Priority: | medium | |
Version: | 9.2 | CC: | ggasparb, jafiala, jcerny, jjaburek, mhaicman, mlysonek, myllynen, openscap-maint, vpolasek
Target Milestone: | rc | Keywords: | Triaged, ZStream
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | scap-security-guide-0.1.69-1.el9 | Doc Type: | Bug Fix
Doc Text:
.Password age rules apply only to local users
Some compliance profiles, for example CIS and DISA STIG, contain the following rules checking password age and password expiration of user account passwords:
* `accounts_password_set_max_life_existing`
* `accounts_password_set_min_life_existing`
* `accounts_password_set_warn_age_existing`
* `accounts_set_post_pw_existing`
These rules correctly check the configuration of local users. Previously, the scanner also incorrectly checked the configuration of remote users provided by network sources such as NSS even though the remediation scripts could not change remote users’ configuration. This was because the OpenSCAP scanner previously used the `getpwent()` system call.
This update changes the internal implementation of these rules to depend only on the data from the `/etc/shadow` file. As a result, the rules now apply only to the local users’ configuration.
Story Points: | --- | |
Clone Of: | | |
: | 2228467 2228468 | Environment: |
Last Closed: | 2023-11-07 08:37:02 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 2228467, 2228468 | |
Description
Renaud Métrich
2023-06-10 10:56:04 UTC
A pull request has been submitted to upstream for a review https://github.com/ComplianceAsCode/content/pull/10838

A fix has been merged upstream in https://github.com/ComplianceAsCode/content/pull/10838

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6552
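The scoping described in the Doc Text, as an added example that is not part of the bug report or of the scap-security-guide content: it evaluates the four password-age fields only for accounts present in shadow(5) data, so a user visible only through NSS is never checked. The sample data, the thresholds, the function names and the choice to skip locked accounts are assumptions.

```python
# Constructed shadow(5) sample: name:passwd:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$salt$hash:19500:1:60:7:35::
alice:$6$salt$hash:19500:0:99999:7:::
bob:$6$salt$hash:19500:1:60:3:35::
svc:!!:19500:0:99999:7:::
"""
# Constructed: names an NSS enumeration (getpwent) might return, one of them remote.
NSS_NAMES = ["root", "alice", "bob", "svc", "ldapuser"]
# Example thresholds in days (assumed, not taken from any specific profile).
POLICY = {"max_life": 60, "min_life": 1, "warn_age": 7, "post_pw": 35}

def parse_shadow(text):
    """Return {name: fields} for well-formed lines (9 colon-separated fields)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 9 and parts[0]:
            entries[parts[0]] = parts
    return entries

def _num(field):
    # An empty numeric field means "not set"; report it as None.
    return int(field) if field.strip().lstrip("-").isdigit() else None

def audit(text, policy):
    """Map each local account with a usable password to the checks it fails."""
    findings = {}
    for name, f in parse_shadow(text).items():
        if not f[1] or f[1][0] in "!*":  # locked or no password: skipped (assumption)
            continue
        min_d, max_d, warn_d, inact_d = (_num(x) for x in f[3:7])
        checks = {
            "max_life": max_d is not None and max_d <= policy["max_life"],
            "min_life": min_d is not None and min_d >= policy["min_life"],
            "warn_age": warn_d is not None and warn_d >= policy["warn_age"],
            "post_pw": inact_d is not None and 0 <= inact_d <= policy["post_pw"],
        }
        failed = [rule for rule, ok in checks.items() if not ok]
        if failed:
            findings[name] = failed
    return findings

def not_local(names, text):
    """Names seen through NSS that have no shadow entry, so they are out of scope."""
    local = parse_shadow(text)
    return [n for n in names if n not in local]
```

On a real host the first argument would be the contents of `/etc/shadow`, which requires root to read.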