Merge pull request ComplianceAsCode#2169 from redhatrises/add_profile_values_login_defs

Use profile variable settings for login.defs to clear up scan results confusion

Author: jan-cerny

shared/xccdf/system/accounts/restrictions/password_expiration.xml

@@ -80,11 +80,12 @@ age, and 7 day warning period with the following command:
 <title>Set Password Minimum Length in login.defs</title>
 <description>To specify password length requirements for new accounts,
 edit the file <tt>/etc/login.defs</tt> and add or correct the following
-lines:
-<pre>PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"> --></pre>
+line:
+<pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs"/></pre>
 <br/><br/>
 The DoD requirement is <tt>15</tt>. 
 The FISMA requirement is <tt>12</tt>.
+The profile requirement is <tt><sub idref="var_accounts_password_minlen_login_defs"/></tt>.
 If a program consults <tt>/etc/login.defs</tt> and also another PAM module
 (such as <tt>pam_pwquality</tt>) during a password change operation,
 then the most restrictive must be satisfied. See PAM section
@@ -93,7 +94,7 @@ for more information about enforcing password quality requirements.
 <ocil clause="it is not set to the required value">
 To check the minimum password length, run the command:
 <pre>$ grep PASS_MIN_LEN /etc/login.defs</pre>
-The DoD requirement is <tt>15</tt>. 
+The DoD requirement is <tt>15</tt>.
 </ocil>
 <rationale>
 Requiring a minimum password length makes password
@@ -111,10 +112,11 @@ behavior that may result.
 <title>Set Password Minimum Age</title>
 <description>To specify password minimum age for new accounts,
 edit the file <tt>/etc/login.defs</tt>
-and add or correct the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_MIN_DAYS <i>DAYS</i></pre>
+and add or correct the following line:
+<pre>PASS_MIN_DAYS <sub idref="var_accounts_minimum_age_login_defs"/></pre>
 A value of 1 day is considered sufficient for many
-environments. The DoD requirement is 1. 
+environments. The DoD requirement is 1.
+The profile requirement is <tt><sub idref="var_accounts_minimum_age_login_defs"/></tt>. 
 </description>
 <ocil clause="it is not equal to or greater than the required value">
 To check the minimum password age, run the command:
@@ -139,10 +141,11 @@ after satisfying the password reuse requirement.
 <title>Set Password Maximum Age</title>
 <description>To specify password maximum age for new accounts,
 edit the file <tt>/etc/login.defs</tt>
-and add or correct the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_MAX_DAYS <i>DAYS</i></pre>
+and add or correct the following line:
+<pre>PASS_MAX_DAYS <sub idref="var_accounts_maximum_age_login_defs"/></pre>
 A value of 180 days is sufficient for many environments. 
 The DoD requirement is 60.
+The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs"/></tt>.
 </description>
 <ocil clause="PASS_MAX_DAYS is not set equal to or greater than the required value">
 To check the maximum password age, run the command:
@@ -171,10 +174,10 @@ location subject to physical compromise.</rationale>
 <description>To specify how many days prior to password
 expiration that a warning will be issued to users,
 edit the file <tt>/etc/login.defs</tt> and add or correct
- the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_WARN_AGE <i>DAYS</i></pre>
+ the following line:
+<pre>PASS_WARN_AGE <sub idref="var_accounts_password_warn_age_login_defs" /></pre>
 The DoD requirement is 7.
-<!-- <sub idref="accounts_password_warn_age_login_defs_login_defs_value" /> -->
+The profile requirement is <tt><sub idref="var_accounts_password_warn_age_login_defs"/></tt>.
 </description>
 <ocil clause="it is not set to the required value">
 To check the password warning age, run the command: