Customizing password fixlets found in external CIS Checklists for Ubuntu

We are attempting to customize a few fixlets found in the external CIS checklists for Ubuntu (i.e. CIS Checklist for Ubuntu 18.04 LTS), but we are having a hard time understanding how these fixlets should be customized so that the values match our company’s password policy. For example, the fixlet “Ensure password creation requirements are configured” enforces a minimum password length of 14 characters, and minclass of 4. However, we are trying to customize this fixlet so that it enforces a 15 character length, and a minclass of 3. We basically just changed minlen and cminlen in the action script from 14 to 15, but we can’t figure out how the minclass is set there. In addition, we can’t make sense of the relevancy statement below.

not exists 1 whose ((((((((((0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*password\s+requisite\s+pam_pwquality.so\s+(\S+\s+)*retry=[3210]") of it) of it, "^\s*password\s+requisite\s+pam_pwquality.so\s+(\S+\s+)*retry=[3210]", 1) of it) of files "/etc/pam.d/common-password" and 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*minlen\s*=\s*(1[4-9]|[2-9][0-9]|[1-9][0-9][0-9]+)\s*(\s+#.*)?$") of it) of it, "^\s*minlen\s*=\s*(1[4-9]|[2-9][0-9]|[1-9][0-9][0-9]+)\s*(\s+#.*)?$", 1) of it) of files "/etc/security/pwquality.conf")) or 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*dcredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$") of it) of it, "^\s*dcredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$", 1) of it) of files "/etc/security/pwquality.conf")) or 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*lcredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$") of it) of it, "^\s*lcredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$", 1) of it) of files "/etc/security/pwquality.conf")) or 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*ucredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$") of it) of it, "^\s*ucredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$", 1) of it) of files "/etc/security/pwquality.conf")) or 0 < number of ((it, (if exists it then concatenation "," of substrings separated by "<!comma>" of it else it) of tuple string items (1 - 1) of concatenation ", " of substrings separated by "<!plural>" of concatenation "<!comma>" of substrings separated by "," of concatenation "<!plural>" of (if exist matches (regex "<!comma>|<!plural>") of it then error "Delimiter in string: <!comma>|<!plural>" else it) of lines whose (exist matches (regex "^\s*ocredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$") of it) of it, "^\s*ocredit\s*=\s*-[1-9][0-9]*\s*(\s+#.*)?$", 1) of it) of files "/etc/security/pwquality.conf"))

How can we update the action script and the relevancy statement so that it matches our own password policy?

We are also running into the same problem with these other fixlets as well. We think we are able to find the place in the action script to change out the numbers for most, but we don’t have a clue about what needs to change in the relevancy statements.

Ensure minimum days between password changes is configured (we are trying to set it to 2 days)
Ensure password expiration is 365 days or less (this was set to 90 days for the Ubuntu 16.04 checklist)
Ensure password reuse is limited (we are trying to set it to 4 passwords)
Ensure lockout for failed password attempts is configured (we are trying to set it to 30 minutes)

I had opened a support ticket with HCL, but they stated that they will not help with the customization of these fixlets and that I should post my question here. I think if we can get some help understanding how we should modify one of these fixlets, we can likely figure out the rest. Thank you to anyone who can help us out with this.
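An added example, not part of the original post and not BigFix or CIS code: the pwquality.conf regexes from the relevance quoted above, ported to Python, with the minlen range moved from 14+ (`1[4-9]|...`) to 15+ (`1[5-9]|...`). The quoted relevance tests dcredit, lcredit, ucredit and ocredit and contains no minclass pattern, so the `minclass` regex, the "3 of 4 negative credits" rule and the sample file contents here are assumptions constructed for illustration.

```python
import re

# Shared tail used by the page's regexes: optional whitespace and trailing comment.
TAIL = r"\s*(\s+#.*)?$"

# Page's minlen regex with the first alternative changed from 1[4-9] to 1[5-9],
# so the accepted values are 15-19, 20-99, and any value of 3+ digits.
MINLEN_15 = re.compile(r"^\s*minlen\s*=\s*(1[5-9]|[2-9][0-9]|[1-9][0-9][0-9]+)" + TAIL)

# Assumption: a minclass check in the same style; 3 or 4 classes pass.
MINCLASS_3 = re.compile(r"^\s*minclass\s*=\s*[34]" + TAIL)

# Page's credit regexes: a negative value means "at least N of this class".
CREDITS = {name: re.compile(r"^\s*%s\s*=\s*-[1-9][0-9]*" % name + TAIL)
           for name in ("dcredit", "lcredit", "ucredit", "ocredit")}


def audit(conf_text):
    """Return a list of failed checks for the given pwquality.conf content."""
    lines = conf_text.splitlines()

    def hit(rx):
        return any(rx.match(line) for line in lines)

    failures = []
    if not hit(MINLEN_15):
        failures.append("minlen < 15 or unset")
    negative_credits = sum(hit(rx) for rx in CREDITS.values())
    # Assumed policy reading: minclass >= 3, or at least 3 credits enforced.
    if not (hit(MINCLASS_3) or negative_credits >= 3):
        failures.append("fewer than 3 character classes required")
    return failures


# Constructed sample contents for /etc/security/pwquality.conf.
SAMPLE_POLICY = "minlen = 15  # company policy\nminclass = 3\n"
SAMPLE_CIS_DEFAULT = ("minlen = 14\ndcredit = -1\nucredit = -1\n"
                      "ocredit = -1\nlcredit = -1\n")
SAMPLE_COMMENTED = "# minlen = 15\nminclass = 2\n"

if __name__ == "__main__":
    for name in ("SAMPLE_POLICY", "SAMPLE_CIS_DEFAULT", "SAMPLE_COMMENTED"):
        print(name, audit(globals()[name]) or "compliant")
```

Commented-out settings do not match because each pattern is anchored at the start of the line, which is why the third sample fails both checks.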