Bug 2057452 - OpenSCAP should use a separate file for pwquality policy
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.5
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 8.7
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-23 12:24 UTC by Marko Myllynen
Modified: 2023-07-31 11:46 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-113271 0 None None None 2022-02-23 12:49:59 UTC

Description Marko Myllynen 2022-02-23 12:24:24 UTC
Description of problem:
OpenSCAP uses a separate file under /etc/ssh/sshd_config.d to configure sshd, and this makes sense as it's then easy to see what the changes are, and reverting (if needed for some reason) to OS defaults is trivial.

Starting with RHEL 8 there is /etc/security/pwquality.conf.d that could/should be used to create system-local password quality policy configurations. This would be consistent with sshd configuration and would avoid editing system-provided default files. However, it should be noted that at least currently the priorities for configuration files are inconsistent between sshd and pwpolicy, see https://bugzilla.redhat.com/show_bug.cgi?id=2055604.

It would be helpful if OpenSCAP would use files under /etc/security/pwquality.conf.d to configure libpwquality. Thanks.

(If deemed too late for RHEL 8 then doing this for RHEL 9 would be great.)

Version-Release number of selected component (if applicable):
RHEL 8.5

Comment 1 Milan Lysonek 2022-07-28 13:49:03 UTC
Moving ITR to 8.8, because we won't manage to deliver the fix in 8.7.

Comment 2 Marko Myllynen 2023-05-05 10:02:44 UTC
Given that with RHEL 8.8 / RHEL 9.2 we will have /etc/security/pwhistory.conf but not /etc/security/pwhistory.conf.d, and that https://bugzilla.redhat.com/show_bug.cgi?id=2055604 remains unfixed, perhaps it could be considered leaving this as-is, at least as long as the other areas are inconsistent. Thanks.

