Update STIG IDs for RHEL8 related to pam_pwquality rules

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml

@@ -6,13 +6,16 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
 
 description: |-
     To configure the number of retry prompts that are permitted per-session:
+    {{% if product in ['rhel8', 'rhel9'] %}}
+    Edit the <tt>/etc/security/pwquality.conf</tt> to include
+    {{% else %}}
     Edit the <tt>pam_pwquality.so</tt> statement in
     {{% if 'ubuntu' not in product %}}
-    <tt>/etc/pam.d/system-auth</tt> {{% if product in ['rhel8', 'rhel9'] %}} and
-    <tt>/etc/pam.d/password-auth</tt> {{% endif %}} to show
+    <tt>/etc/pam.d/system-auth</tt> to show
     {{% else %}}
     <tt>/etc/pam.d/common-password</tt> to show
     {{% endif %}}
+    {{% endif %}}
     <tt>retry={{{xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if site
     policy is more restrictive. The DoD requirement is a maximum of 3 prompts
     per session.
@@ -48,17 +51,21 @@ references:
     stigid@ol7: OL07-00-010119
     stigid@ol8: OL08-00-020100
     stigid@rhel7: RHEL-07-010119
-    stigid@rhel8: RHEL-08-020100
+    stigid@rhel8: RHEL-08-020104
     stigid@ubuntu2004: UBTU-20-010057
 
 ocil_clause: 'it is not the required value'
 
 ocil: |-
     To check how many retry attempts are permitted on a per-session basis, run the following command:
+    {{% if product in ['rhel8', 'rhel9'] %}}
+    <pre>$ grep retry /etc/security/pwquality.conf</pre>
+    {{% else %}}
     {{% if 'ubuntu' in product %}}
     <pre>$ grep pam_pwquality /etc/pam.d/common-password</pre>
     {{% else %}}
-    <pre>$ grep pam_pwquality /etc/pam.d/system-auth {{% if product in ['rhel8', 'rhel9'] %}}/etc/pam.d/password-auth{{% endif %}}</pre>
+    <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
+    {{% endif %}}
     {{% endif %}}
     The <tt>retry</tt> parameter will indicate how many attempts are permitted.
     The DoD required value is less than or equal to 3.

products/rhel8/profiles/stig.profile

@@ -523,6 +523,20 @@ selections:
     - sssd_enable_certmap
 
     # RHEL-08-020100
+    - accounts_password_pam_pwquality_password_auth
+
+    # RHEL-08-020101
+    - accounts_password_pam_pwquality_system_auth
+
+    # RHEL-08-020102
+    # This is only required for RHEL8 systems below version 8.4 where the
+    # retry parameter was not yet available on /etc/security/pwquality.conf.
+
+    # RHEL-08-020103
+    # This is only required for RHEL8 systems below version 8.4 where the
+    # retry parameter was not yet available on /etc/security/pwquality.conf.
+
+    # RHEL-08-020104
     - accounts_password_pam_retry
 
     # RHEL-08-020110

products/rhel9/profiles/stig.profile

@@ -524,6 +524,20 @@ selections:
     - sssd_enable_certmap
 
     # RHEL-08-020100
+    - accounts_password_pam_pwquality_password_auth
+
+    # RHEL-08-020101
+    - accounts_password_pam_pwquality_system_auth
+
+    # RHEL-08-020102
+    # This is only required for RHEL8 systems below version 8.4 where the
+    # retry parameter was not yet available on /etc/security/pwquality.conf.
+
+    # RHEL-08-020103
+    # This is only required for RHEL8 systems below version 8.4 where the
+    # retry parameter was not yet available on /etc/security/pwquality.conf.
+
+    # RHEL-08-020104
     - accounts_password_pam_retry
 
     # RHEL-08-020110

shared/references/cce-redhat-avail.txt

@@ -1,9 +1,3 @@
-CCE-85872-0
-CCE-85873-8
-CCE-85874-6
-CCE-85876-1
-CCE-85877-9
-CCE-85878-7
 CCE-85879-5
 CCE-85880-3
 CCE-85881-1

tests/data/profile_stability/rhel8/stig.profile

@@ -53,6 +53,8 @@ selections:
 - accounts_password_pam_ocredit
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_pam_pwquality_password_auth
+- accounts_password_pam_pwquality_system_auth
 - accounts_password_pam_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_rounds_password_auth