
Rule no_empty_passwords is misaligned with DISA

Open jan-cerny opened this issue 3 years ago • 0 comments

Description of problem:

Rule xccdf_org.ssgproject.content_rule_no_empty_passwords is misaligned with rule xccdf_mil.disa.stig_rule_SV-204424r809187_rule from shared/references/disa-stig-rhel7-v3r7-xccdf-scap.xml.

SCAP Security Guide Version:

current upstream as of 2022-08-06 as of HEAD https://github.com/ComplianceAsCode/content/commit/61b8f59e05e7a63267e22f3a44ff2b98de822ec0

Operating System Version:

RHEL 7

Steps to Reproduce:

  1. Evaluate RHEL 7 STIG profile
  2. evaluate disa-stig-rhel7-v3r7-xccdf-scap.xml

Actual Results:

xccdf_org.ssgproject.content_rule_no_empty_passwords : fail
xccdf_mil.disa.stig_rule_SV-204424r809187_rule : pass

Expected Results:

both rules are the same

Additional Information/Debugging Steps:

This issue is also present in the RHEL 7 "STIG with GUI" profile.

jan-cerny avatar Aug 08 '22 16:08 jan-cerny

This issue seems no longer valid. Possibly, the update of the DISA STIG reference file, introduced by #9317, and the recent improvements on the no_empty_passwords rule remediation, introduced by #9375, fixed this problem.

I have tested the rule in a fresh RHEL7.9 VM and got the same results:

Rule assessment using the RHEL7 Datastream from master

oscap xccdf eval --profile stig_gui --rule xccdf_org.ssgproject.content_rule_no_empty_passwords --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results ./ssg-rhel7-ds.xml
...
Title   Prevent Login to Accounts With Empty Password
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Ident   CCE-27286-4
Result  fail

Rule assessment using the RHEL7 Datastream reference: disa-stig-rhel7-v3r8-xccdf-scap.xml

oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --rule xccdf_mil.disa.stig_rule_SV-204424r809187_rule --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results disa-stig-rhel7-v3r8-xccdf-scap.xml
...
Title   The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
Rule    xccdf_mil.disa.stig_rule_SV-204424r809187_rule
Ident   CCE-27286-4
Ident   V-71937
Ident   SV-86561
Ident   CCI-000366
Result  fail

After applying the bash remediation from upstream master: bash ./no_empty_passwords.sh

oscap xccdf eval --profile stig_gui --rule xccdf_org.ssgproject.content_rule_no_empty_passwords --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results ./ssg-rhel7-ds.xml
...
Title   Prevent Login to Accounts With Empty Password
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Ident   CCE-27286-4
Result  pass

And using the RHEL7 Datastream reference: disa-stig-rhel7-v3r8-xccdf-scap.xml

oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --rule xccdf_mil.disa.stig_rule_SV-204424r809187_rule --results-arf /tmp/arf.xml --report /tmp/report.html --oval-results disa-stig-rhel7-v3r8-xccdf-scap.xml
...
Title   The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
Rule    xccdf_mil.disa.stig_rule_SV-204424r809187_rule
Ident   CCE-27286-4
Ident   V-71937
Ident   SV-86561
Ident   CCI-000366
Result  pass

Therefore, I believe this issue can be closed. @jan-cerny, do you have any considerations?

marcusburghardt avatar Aug 30 '22 10:08 marcusburghardt
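The condition both rules above evaluate, as an added example that is not code from the issue or from the ComplianceAsCode project: the no_empty_passwords rule and its STIG counterpart fail when a pam_unix.so line in the PAM stack carries the nullok option, which is what lets an account with an empty password field authenticate. That the check is specifically about nullok in /etc/pam.d/system-auth and password-auth is my assumption, not stated on the page; the sample PAM fragment and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the issue or the project. Assumption: the rule
# checks that no pam_unix.so line carries "nullok" (or "nullok_secure").
# The PAM sample below is constructed to resemble a RHEL 7 system-auth file.

# Return 0 if any non-comment pam_unix.so line in $1 carries nullok, else 1.
has_nullok() {
    grep -E '^[^#]*pam_unix\.so.*[[:space:]]nullok' "$1" >/dev/null 2>&1
}

# Write a remediated copy of $1 to $2: drop nullok/nullok_secure only from
# pam_unix.so lines, leaving every other module and all comments untouched.
strip_nullok() {
    sed -E '/^[^#]*pam_unix\.so/ s/[[:space:]]+nullok(_secure)?//g' "$1" > "$2"
}

# Audit each file given: print one pass/fail line per file, return 1 on any fail.
audit_pam_files() {
    rc=0
    for f in "$@"; do
        if has_nullok "$f"; then echo "fail $f"; rc=1; else echo "pass $f"; fi
    done
    return $rc
}

# Constructed sample (not a real system file) with nullok on two pam_unix.so
# lines and a decoy "nullok" inside a comment that must not count.
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# nullok in a comment must not count
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
}
```

Point audit_pam_files at /etc/pam.d/system-auth and /etc/pam.d/password-auth to reproduce the rule's verdict without a full oscap run; strip_nullok is the remediation side of the same check.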

From what you write I think that it can be closed.

jan-cerny avatar Aug 30 '22 11:08 jan-cerny