Update RHEL 9 CCN profile

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/var_password_pam_remember.var

@@ -21,5 +21,6 @@ options:
     7: 7
     8: 8
     9: 9
+    20: 20
     24: 24
     default: 5

products/rhel9/controls/ccn_rhel9.yml

@@ -118,7 +118,7 @@ controls:
       status: automated
       rules:
           - auditd_data_retention_max_log_file_action
-          - var_auditd_max_log_file_action=keep_logs
+          - var_auditd_max_log_file_action=rotate
 
     - id: A.3.SEC-RHEL7
       title: Modifications to the Sudoers File Are Audited, As Are Changes to Permissions, Users, Groups,
@@ -242,9 +242,16 @@ controls:
           - basic
           - intermediate
           - advanced
-      status: pending
-      notes: |-
-          Related to nosuid, noexec and nodev options but in /boot. More context is needed.
+      status: partial
+      notes: Remaining rules for /boot/efi are not implemented yet.
+      rules:
+          - mount_option_boot_efi_nosuid
+          - mount_option_boot_nodev
+          - mount_option_boot_noexec
+          - mount_option_boot_nosuid
+      # the noauto option could block proper evaluation of other mount options on /boot
+      related_rules:
+          - mount_option_boot_noauto
 
     - id: A.5.SEC-RHEL1
       title: Login and Impersonation Permissions Are Controlled
@@ -311,6 +318,9 @@ controls:
           - var_accounts_maximum_age_login_defs=45
           - var_accounts_minimum_age_login_defs=2
           - var_accounts_password_warn_age_login_defs=10
+          - accounts_password_pam_pwhistory_remember_password_auth
+          - accounts_password_pam_pwhistory_remember_system_auth
+          - var_password_pam_remember=20
 
     - id: A.5.SEC-RHEL6
       title: Secure Protocols Are Used For the Network Authentication Processes
@@ -601,11 +611,15 @@ controls:
           - advanced
       status: automated
       rules:
-          - accounts_password_pam_minclass
+          - accounts_password_pam_lcredit
+          - accounts_password_pam_ocredit
+          - accounts_password_pam_ucredit
+          - accounts_password_pam_dcredit
           - accounts_password_pam_minlen
+          - accounts_password_minlen_login_defs
           - accounts_password_pam_retry
-          - var_password_pam_minclass=4
-          - var_password_pam_minlen=14
+          - var_password_pam_minlen=12
+          - var_accounts_password_minlen_login_defs=12
 
     - id: A.11.SEC-RHEL4
       title: During Login, the System Displays a Text in Compliance With the Organization's Standards
@@ -625,7 +639,6 @@ controls:
           - dconf_gnome_login_banner_text
           - sshd_enable_warning_banner_net
           - login_banner_text=cis_banners
-          - motd_banner_text=cis_banners
           - remote_login_banner_text=cis_banners
 
     - id: A.11.SEC-RHEL5

tests/data/profile_stability/rhel9/ccn_advanced.profile

@@ -1,8 +1,14 @@
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
-accounts_password_pam_minclass
+accounts_password_minlen_login_defs
+accounts_password_pam_dcredit
+accounts_password_pam_lcredit
 accounts_password_pam_minlen
+accounts_password_pam_ocredit
+accounts_password_pam_pwhistory_remember_password_auth
+accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_retry
+accounts_password_pam_ucredit
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing
@@ -85,7 +91,10 @@ kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
 login_banner_text=cis_banners
-motd_banner_text=cis_banners
+mount_option_boot_efi_nosuid
+mount_option_boot_nodev
+mount_option_boot_noexec
+mount_option_boot_nosuid
 no_empty_passwords_etc_shadow
 no_password_auth_for_systemaccounts
 no_shelllogin_for_systemaccounts
@@ -147,18 +156,19 @@ usbguard_generate_policy
 use_pam_wheel_for_su
 var_accounts_maximum_age_login_defs=45
 var_accounts_minimum_age_login_defs=2
+var_accounts_password_minlen_login_defs=12
 var_accounts_password_warn_age_login_defs=10
 var_accounts_passwords_pam_faillock_deny=8
 var_accounts_passwords_pam_faillock_unlock_time=never
 var_accounts_tmout=5_min
 var_accounts_user_umask=027
-var_auditd_max_log_file_action=keep_logs
+var_auditd_max_log_file_action=rotate
 var_authselect_profile=sssd
 var_multiple_time_servers=rhel
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
-var_password_pam_minclass=4
-var_password_pam_minlen=14
+var_password_pam_minlen=12
+var_password_pam_remember=20
 var_screensaver_lock_delay=immediate
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing

tests/data/profile_stability/rhel9/ccn_basic.profile

@@ -1,8 +1,14 @@
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
-accounts_password_pam_minclass
+accounts_password_minlen_login_defs
+accounts_password_pam_dcredit
+accounts_password_pam_lcredit
 accounts_password_pam_minlen
+accounts_password_pam_ocredit
+accounts_password_pam_pwhistory_remember_password_auth
+accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_retry
+accounts_password_pam_ucredit
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing
@@ -51,7 +57,10 @@ firewalld_loopback_traffic_restricted
 firewalld_loopback_traffic_trusted
 grub2_password
 login_banner_text=cis_banners
-motd_banner_text=cis_banners
+mount_option_boot_efi_nosuid
+mount_option_boot_nodev
+mount_option_boot_noexec
+mount_option_boot_nosuid
 package_firewalld_installed
 package_usbguard_installed
 remote_login_banner_text=cis_banners
@@ -95,12 +104,13 @@ sysctl_net_ipv6_conf_default_accept_source_route
 usbguard_generate_policy
 var_accounts_maximum_age_login_defs=45
 var_accounts_minimum_age_login_defs=2
+var_accounts_password_minlen_login_defs=12
 var_accounts_password_warn_age_login_defs=10
-var_auditd_max_log_file_action=keep_logs
+var_auditd_max_log_file_action=rotate
 var_authselect_profile=sssd
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
-var_password_pam_minclass=4
-var_password_pam_minlen=14
+var_password_pam_minlen=12
+var_password_pam_remember=20
 var_sshd_set_keepalive=1
 var_system_crypto_policy=default_policy

tests/data/profile_stability/rhel9/ccn_intermediate.profile

@@ -1,8 +1,14 @@
 accounts_maximum_age_login_defs
 accounts_minimum_age_login_defs
-accounts_password_pam_minclass
+accounts_password_minlen_login_defs
+accounts_password_pam_dcredit
+accounts_password_pam_lcredit
 accounts_password_pam_minlen
+accounts_password_pam_ocredit
+accounts_password_pam_pwhistory_remember_password_auth
+accounts_password_pam_pwhistory_remember_system_auth
 accounts_password_pam_retry
+accounts_password_pam_ucredit
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing
 accounts_password_set_warn_age_existing
@@ -73,7 +79,10 @@ kernel_module_squashfs_disabled
 kernel_module_udf_disabled
 kernel_module_usb-storage_disabled
 login_banner_text=cis_banners
-motd_banner_text=cis_banners
+mount_option_boot_efi_nosuid
+mount_option_boot_nodev
+mount_option_boot_noexec
+mount_option_boot_nosuid
 no_empty_passwords_etc_shadow
 no_password_auth_for_systemaccounts
 no_shelllogin_for_systemaccounts
@@ -134,14 +143,15 @@ usbguard_generate_policy
 use_pam_wheel_for_su
 var_accounts_maximum_age_login_defs=45
 var_accounts_minimum_age_login_defs=2
+var_accounts_password_minlen_login_defs=12
 var_accounts_password_warn_age_login_defs=10
-var_auditd_max_log_file_action=keep_logs
+var_auditd_max_log_file_action=rotate
 var_authselect_profile=sssd
 var_multiple_time_servers=rhel
 var_password_hashing_algorithm=SHA512
 var_password_hashing_algorithm_pam=sha512
-var_password_pam_minclass=4
-var_password_pam_minlen=14
+var_password_pam_minlen=12
+var_password_pam_remember=20
 var_screensaver_lock_delay=immediate
 var_selinux_policy_name=targeted
 var_selinux_state=enforcing