updates for accounts_passwords_pam_faillock_unlock_time #475

Merged
merged 4 commits into from
Apr 14, 2015

shawndwells
Member

  • Updated XCCDF naming to follow other faillocks (f6a61f7)
  • Updated OVAL name (f6a61f7)
  • Added remediation using @iankko's template (adcc8cf)

…ounts_passwords_pam_faillock_interval.xml

````
$ grep -rin accounts_passwords_pam_fail_interval *
auxiliary/stig_overlay.xml:1020:	<overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
checks/accounts_passwords_pam_fail_interval.xml:2:  <definition class="compliance" id="accounts_passwords_pam_fail_interval" version="2">
profiles/nist-CL-IL-AL.xml:169:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
profiles/stig-rhel6-server-upstream.xml:98:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
profiles/CSCF-RHEL6-MLS.xml:67:<select idref="accounts_passwords_pam_fail_interval" selected="false" />
profiles/fisma-medium-rhel6-server.xml:82:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
system/accounts/pam.xml:557:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
system/accounts/pam.xml:582:<oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>

$ sed -i 's/accounts_passwords_pam_fail_interval/accounts_passwords_pam_faillock_interval/g' auxiliary/stig_overlay.xml checks/accounts_passwords_pam_fail_interval.xml profiles/* system/accounts/pam.xml

$ grep -rin accounts_passwords_pam_fail_interval *
$ grep -rin accounts_passwords_pam_faillock_interval *
auxiliary/stig_overlay.xml:1020:	<overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
checks/accounts_passwords_pam_fail_interval.xml:2:  <definition class="compliance" id="accounts_passwords_pam_faillock_interval" version="2">
profiles/nist-CL-IL-AL.xml:169:<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
profiles/stig-rhel6-server-upstream.xml:98:<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
profiles/CSCF-RHEL6-MLS.xml:67:<select idref="accounts_passwords_pam_faillock_interval" selected="false" />
profiles/fisma-medium-rhel6-server.xml:82:<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
system/accounts/pam.xml:557:<Rule id="accounts_passwords_pam_faillock_interval" severity="medium">
system/accounts/pam.xml:582:<oval id="accounts_passwords_pam_faillock_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>

$ git mv checks/accounts_passwords_pam_fail_interval.xml checks/accounts_passwords_pam_faillock_interval.xml
````

based off @iankko's template:

````
$ cp accounts_passwords_pam_faillock_deny.sh accounts_passwords_pam_faillock_interval.sh
$ sed -i 's/accounts_passwords_pam_faillock_deny/accounts_passwords_pam_faillock_interval/g' accounts_passwords_pam_faillock_interval.sh
$ sed -i 's/deny/interval/g' accounts_passwords_pam_faillock_interval.sh
````
@landscape-bot

Code Health
Code quality remained the same when pulling adcc8cf on shawndwells:accounts_passwords_pam_fail_interval into 998d195 on OpenSCAP:master.

@shawndwells
Member Author

kind bump to get a review :)

@iankko

iankko commented Mar 12, 2015

@shawndwells

kind bump to get a review :)

Hi Shawn,

three issues basically:

  1. It looks like not all former accounts_passwords_pam_fail_interval have been replaced with the new form:

````
$ grep -rHn "accounts_passwords_pam_fail_interval" * | more
Fedora/input/system/accounts/pam.xml:538:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
Fedora/input/system/accounts/pam.xml:558:<!--oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/-->
RHEL/7/input/system/accounts/pam.xml:571:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
RHEL/7/input/system/accounts/pam.xml:598:<oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
RHEL/7/input/profiles/usgcb-rhel7-server.xml:32:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
RHEL/7/input/profiles/stig-rhel7-server-upstream.xml:34:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
RHEL/7/input/auxiliary/stig_overlay.xml:1007:   <overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
````

  2. Though applying the template looks fine, there isn't a var_accounts_passwords_pam_faillock_interval variable (like it's currently used in the remediation). It's var_accounts_passwords_pam_faillock_fail_interval instead:
    https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/system/accounts/pam.xml#L230

So either update the XCCDF s/var_accounts_passwords_pam_faillock_fail_interval/var_accounts_passwords_pam_faillock_interval/g, or update the provided remediation to do the vice versa switch (this seems to be the better approach since there aren't that many var_accounts_passwords_pam_faillock_interval occurrences):

$ grep -rHn "var_accounts_passwords_pam_faillock_fail_interval" * | uniq | wc -l
31

vs

$ grep -rHn "var_accounts_passwords_pam_faillock_interval" * | uniq | wc -l
7

So IMHO it will be easier to replace var_accounts_passwords_pam_faillock_interval.

  3. Last but not least - even when both above changes are done, though the remediation is correct from a source code PoV, the functional check returns 'error' when performing the remediation.
    This is because the corresponding OVAL check needs to be modified too (in the same way as the shared/oval/accounts_passwords_pam_faillock_deny.xml has been modified here:
    45792dd

In other words instead of requiring first example from pam_faillock(8) manual page it should be updated to require second example from that manual page - since this has been consulted with PAM developers as the correct solution we should use / recommend. And the second example is what we actually describe as the requirements in the corresponding XCCDF rules).

But this is not a blocker, once the issues 1) and 2) are fixed, I can merge this & rewrite the OVAL check to follow the shared/*_deny.xml template.

Thanks, Jan.
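
The two mismatches raised in this review (profiles still selecting the old rule id, and a fix script populating a variable that has no XCCDF Value) can be caught mechanically after a rename. The script below is an added example, not part of the PR or the project's tooling: the function names and the sample tree are constructed, and it assumes ids are declared as `<Rule id="...">` / `<Value id="...">` and that `grep` supports `--include`.

```sh
#!/bin/sh
# Added example (not project code): report references a rename left dangling.
# Assumes ids are declared as <Rule id="..."> / <Value id="...">, profiles use
# <select idref="...">, and bash fixes request variables via "populate <name>".

# Print every id declared with the given element (Rule or Value) under a tree.
declared_ids() {  # $1 = tree, $2 = element name
  grep -rhoE --include='*.xml' "<$2 id=\"[^\"]+\"" "$1" 2>/dev/null |
    sed -E 's/.*id="([^"]+)"/\1/' | sort -u
}

# Print "<kind> <name>" for each reference with no matching declaration.
dangling_refs() {  # $1 = tree
  rules=$(declared_ids "$1" Rule)
  values=$(declared_ids "$1" Value)
  grep -rhoE --include='*.xml' '<select idref="[^"]+"' "$1" 2>/dev/null |
    sed -E 's/.*idref="([^"]+)"/\1/' | sort -u |
    while read -r id; do
      printf '%s\n' "$rules" | grep -qxF -- "$id" || echo "select $id"
    done
  grep -rhoE --include='*.sh' '^populate +[A-Za-z0-9_]+' "$1" 2>/dev/null |
    awk '{print $2}' | sort -u |
    while read -r var; do
      printf '%s\n' "$values" | grep -qxF -- "$var" || echo "populate $var"
    done
}

# Constructed sample tree reproducing the two mismatches raised in the review.
make_sample() {  # $1 = directory to populate
  mkdir -p "$1/system" "$1/profiles" "$1/fixes/bash"
  cat >"$1/system/pam.xml" <<'EOF'
<Value id="var_accounts_passwords_pam_faillock_fail_interval" type="number">
<Rule id="accounts_passwords_pam_faillock_interval" severity="medium">
EOF
  cat >"$1/profiles/sample.xml" <<'EOF'
<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
<select idref="accounts_passwords_pam_fail_interval" selected="true" />
EOF
  echo 'populate var_accounts_passwords_pam_faillock_interval' \
    >"$1/fixes/bash/accounts_passwords_pam_faillock_interval.sh"
}

tmp=$(mktemp -d) && make_sample "$tmp" && dangling_refs "$tmp"
rm -rf "$tmp"
```

An empty result from `dangling_refs` means every selected rule and every populated variable resolves to a declaration in the tree.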

…passwords_pam_faillock_interval

Per @iankko's comments, the original patch only updated XCCDF names in RHEL6 content. Extending to RHEL7 and Fedora.

````
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin accounts_passwords_pam_fail_interval *
Fedora/input/system/accounts/pam.xml:538:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
Fedora/input/system/accounts/pam.xml:558:<!--oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/-->
RHEL/7/input/auxiliary/stig_overlay.xml:1007:	<overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
RHEL/7/input/profiles/usgcb-rhel7-server.xml:32:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
RHEL/7/input/profiles/stig-rhel7-server-upstream.xml:34:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
RHEL/7/input/system/accounts/pam.xml:571:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
RHEL/7/input/system/accounts/pam.xml:598:<oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
[shawnw@ssgdev-rhel7 scap-security-guide]$ sed -i 's/accounts_passwords_pam_fail_interval/accounts_passwords_pam_faillock_interval/g' Fedora/input/system/accounts/pam.xml RHEL/7/input/auxiliary/stig_overlay.xml RHEL/7/input/profiles/* RHEL/7/input/system/accounts/pam.xml
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin accounts_passwords_pam_fail_interval *
````
…ts_passwords_pam_faillock_fail_interval

````
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin var_accounts_passwords_pam_faillock_interval *
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:2:populate var_accounts_passwords_pam_faillock_interval
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:17:			sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:18:			sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:24:			sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ interval=$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:25:			sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ interval=$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:32:		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent interval=$var_accounts_passwords_pam_faillock_interval" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:33:		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail interval=$var_accounts_passwords_pam_faillock_interval" $pamFile
[shawnw@ssgdev-rhel7 scap-security-guide]$ sed -i s'/var_accounts_passwords_pam_faillock_interval/var_accounts_passwords_pam_faillock_fail_interval/g' RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin var_accounts_passwords_pam_faillock_interval *
[shawnw@ssgdev-rhel7 scap-security-guide]$ pwd
/var/www/html/scap-security-guide
````
@shawndwells
Member Author

@iankko, updated the PR with your comments in #1 (rule naming) and #2 (variable naming)

@landscape-bot

Code Health
Code quality remained the same when pulling b357322 on shawndwells:accounts_passwords_pam_fail_interval into 998d195 on OpenSCAP:master.

@iankko iankko added enhancement General enhancements to the project. Fedora Fedora product related. RHEL6 RHEL Red Hat Enterprise Linux product related. labels Apr 14, 2015
@iankko iankko added this to the 0.1.22 milestone Apr 14, 2015
@iankko

iankko commented Apr 14, 2015

Looks good to me. Thank you for the updates! ACK && Merging.

iankko pushed a commit that referenced this pull request Apr 14, 2015
…interval

updates for accounts_passwords_pam_faillock_unlock_time
@iankko iankko merged commit 8ee485f into ComplianceAsCode:master Apr 14, 2015
@shawndwells shawndwells deleted the accounts_passwords_pam_fail_interval branch April 14, 2015 16:46