Merge pull request #10243 from marcusburghardt/cis_rhel_pass_past

Include rule for checking password last change in RHEL

controls/cis_rhel7.yml

@@ -2024,7 +2024,9 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: no # rule missing
+    status: automated
+    rules:
+      - accounts_password_last_change_is_in_past
 
   - id: 5.5.2
     title: Ensure system accounts are secured (Automated)

controls/cis_rhel8.yml

@@ -2320,14 +2320,14 @@ controls:
       - account_disable_post_pw_expiration
       - var_account_disable_post_pw_expiration=30
 
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5537
   - id: 5.6.1.5
     title: Ensure all users last password change date is in the past (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: planned
+    status: automated
+    rules:
+      - accounts_password_last_change_is_in_past
 
   # NEEDS RULE
   # We are missing the component of this control which locks non-root system accounts

controls/cis_rhel9.yml

@@ -2171,14 +2171,14 @@ controls:
       - account_disable_post_pw_expiration
       - var_account_disable_post_pw_expiration=30
 
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5537
   - id: 5.6.1.5
     title: Ensure all users last password change date is in the past (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: planned
+    status: automated
+    rules:
+      - accounts_password_last_change_is_in_past
 
   # NEEDS RULE
   # We are missing the component of this control which locks non-root system accounts

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/oval/shared.xml

@@ -1,51 +1,59 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("All password change date is in the past.") }}}
-    <criteria>
-      <criterion comment="passward last change was in the past"
-                 test_ref="test_accounts_password_last_change_time_secs"/>
+    {{{ oval_metadata("All passwords last change date is in the past.") }}}
+    <criteria operator="OR">
+      <criterion test_ref="test_accounts_password_last_change_is_in_past"
+        comment="All passwords last change date is in the past"/>
+      <criterion test_ref="test_accounts_password_last_change_is_in_past_no_pass"
+        comment="There is no password defined in /etc/shadow"/>
     </criteria>
   </definition>
 
-  <local_variable id="var_accounts_password_last_change_time_secs" datatype="int" version="1"
-                  comment="last change component of password entry">
+  <unix:shadow_state id="state_accounts_password_all_chage_past_has_no_password" version="1">
+    <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password>
+  </unix:shadow_state>
+
+  <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1">
+    <unix:username operation="pattern match">.*</unix:username>
+    <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter>
+  </unix:shadow_object>
+
+  <local_variable id="var_accounts_password_last_change_time_secs" version="1"
+    datatype="int" comment="last change field of shadow entry in seconds">
     <arithmetic arithmetic_operation="multiply">
       <object_component object_ref="object_accounts_password_all_chage_in_past"
-                        item_field="chg_lst"/>
+        item_field="chg_lst"/>
       <literal_component datatype="int">86400</literal_component>
-      </arithmetic>
+    </arithmetic>
   </local_variable>
 
   <local_variable id="var_accounts_password_last_change_time_diff" datatype="int" version="1"
-                  comment="last change component of password entry compared to current time">
+    comment="time difference between the last change field of shadow entry and the current time">
     <time_difference format_2="seconds_since_epoch">
-        <variable_component var_ref="var_accounts_password_last_change_time_secs"/>
+      <variable_component var_ref="var_accounts_password_last_change_time_secs"/>
     </time_difference>
   </local_variable>
 
-  <ind:variable_object  id="object_accounts_password_last_change_time_diff" version="1">
-     <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref>
-   </ind:variable_object>
-
-   <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1">
-      <!-- With negative time I actually get very big number so instead
-           of checking greater than zero I am checking if less than 1000 years -->
-     <ind:value datatype="int" operation="less than or equal">86400000</ind:value>
- </ind:variable_state>
-
- <ind:variable_test check="all" check_existence="all_exist"
-                    id="test_accounts_password_last_change_time_secs" version="1"
-                    comment="Check if the password chage time is less than equal than today.">
+  <ind:variable_test id="test_accounts_password_last_change_is_in_past" version="1"
+    check="all" check_existence="all_exist"
+    comment="Check if the password last chage time is less than or equal today.">
     <ind:object object_ref="object_accounts_password_last_change_time_diff"/>
     <ind:state state_ref="state_accounts_password_last_change_time_diff"/>
-   </ind:variable_test>
+  </ind:variable_test>
 
-  <unix:shadow_object id="object_accounts_password_all_chage_in_past" version="1">
-    <unix:username operation="pattern match">.*</unix:username>
-    <filter action="exclude">state_accounts_password_all_chage_past_has_no_password</filter>
-  </unix:shadow_object>
-  <unix:shadow_state id="state_accounts_password_all_chage_past_has_no_password" version="1">
-      <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password>
-  </unix:shadow_state>
+  <ind:variable_object id="object_accounts_password_last_change_time_diff" version="1">
+    <ind:var_ref>var_accounts_password_last_change_time_diff</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state id="state_accounts_password_last_change_time_diff" version="1">
+    <!-- With negative time I actually get very big number so instead
+         of checking greater than zero I am checking if less than 1000 years -->
+    <ind:value datatype="int" operation="less than or equal">86400000</ind:value>
+  </ind:variable_state>
 
+  <unix:shadow_test id="test_accounts_password_last_change_is_in_past_no_pass" version="1"
+    check="all" check_existence="none_exist"
+    comment="Check the inexistence of users with a password defined">
+    <unix:object object_ref="object_accounts_password_all_chage_in_past"/>
+  </unix:shadow_test>
 </def-group>

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/rule.yml

@@ -12,10 +12,16 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-86524-6
+    cce@rhel8: CCE-86525-3
+    cce@rhel9: CCE-86526-1
     cce@sle12: CCE-92330-0
     cce@sle15: CCE-92504-0
 
 references:
+    cis@rhel7: 5.5.1.5
+    cis@rhel8: 5.6.1.5
+    cis@rhel9: 5.6.1.5
     cis@sle12: 5.4.1.6
     cis@sle15: 5.4.1.6
 

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_last_change_is_in_past/tests/no_password_defined.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# remediation = none
+
+sed -E -i 's/(\w*:)(\$[^:]*)(:.*)/\1!!\3/' /etc/shadow

shared/references/cce-redhat-avail.txt

@@ -308,9 +308,6 @@ CCE-86518-8
 CCE-86520-4
 CCE-86521-2
 CCE-86522-0
-CCE-86524-6
-CCE-86525-3
-CCE-86526-1
 CCE-86527-9
 CCE-86528-7
 CCE-86530-3