updates for accounts_passwords_pam_faillock_unlock_time #475
Conversation
shawndwells
commented
Mar 5, 2015
- Updated XCCDF naming to follow other faillocks (f6a61f7)
- Updated OVAL name (f6a61f7)
- Added remediation using @iankko 's template (adcc8cf)
…ounts_passwords_pam_faillock_interval.xml

````
$ grep -rin accounts_passwords_pam_fail_interval *
auxiliary/stig_overlay.xml:1020: <overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
checks/accounts_passwords_pam_fail_interval.xml:2: <definition class="compliance" id="accounts_passwords_pam_fail_interval" version="2">
profiles/nist-CL-IL-AL.xml:169:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
profiles/stig-rhel6-server-upstream.xml:98:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
profiles/CSCF-RHEL6-MLS.xml:67:<select idref="accounts_passwords_pam_fail_interval" selected="false" />
profiles/fisma-medium-rhel6-server.xml:82:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
system/accounts/pam.xml:557:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
system/accounts/pam.xml:582:<oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
$ sed -i 's/accounts_passwords_pam_fail_interval/accounts_passwords_pam_faillock_interval/g' auxiliary/stig_overlay.xml checks/accounts_passwords_pam_fail_interval.xml profiles/* system/accounts/pam.xml
$ grep -rin accounts_passwords_pam_fail_interval *
$ grep -rin accounts_passwords_pam_faillock_interval *
auxiliary/stig_overlay.xml:1020: <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
checks/accounts_passwords_pam_fail_interval.xml:2: <definition class="compliance" id="accounts_passwords_pam_faillock_interval" version="2">
profiles/nist-CL-IL-AL.xml:169:<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
profiles/stig-rhel6-server-upstream.xml:98:<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
profiles/CSCF-RHEL6-MLS.xml:67:<select idref="accounts_passwords_pam_faillock_interval" selected="false" />
profiles/fisma-medium-rhel6-server.xml:82:<select idref="accounts_passwords_pam_faillock_interval" selected="true" />
system/accounts/pam.xml:557:<Rule id="accounts_passwords_pam_faillock_interval" severity="medium">
system/accounts/pam.xml:582:<oval id="accounts_passwords_pam_faillock_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
$ git mv checks/accounts_passwords_pam_fail_interval.xml checks/accounts_passwords_pam_faillock_interval.xml
````
based off @iankko's template:

````
$ cp accounts_passwords_pam_faillock_deny.sh accounts_passwords_pam_faillock_interval.sh
$ sed -i 's/accounts_passwords_pam_faillock_deny/accounts_passwords_pam_faillock_interval/g' accounts_passwords_pam_faillock_interval.sh
$ sed -i 's/deny/interval/g' accounts_passwords_pam_faillock_interval.sh
````
kind bump to get a review :)
Hi Shawn, three issues basically:
So either update the XCCDF
vs
So IMHO it will be easier to replace
In other words instead of requiring first example from But this is not a blocker, once the issues 1) and 2) are fixed, I can merge this & rewrite the OVAL check to follow the
Thanks, Jan.
…passwords_pam_faillock_interval

Per @iankko's comments, the original patch only updated XCCDF names in RHEL6 content. Extending to RHEL7 and Fedora.

````
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin accounts_passwords_pam_fail_interval *
Fedora/input/system/accounts/pam.xml:538:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
Fedora/input/system/accounts/pam.xml:558:<!--oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/-->
RHEL/7/input/auxiliary/stig_overlay.xml:1007: <overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium">
RHEL/7/input/profiles/usgcb-rhel7-server.xml:32:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
RHEL/7/input/profiles/stig-rhel7-server-upstream.xml:34:<select idref="accounts_passwords_pam_fail_interval" selected="true" />
RHEL/7/input/system/accounts/pam.xml:571:<Rule id="accounts_passwords_pam_fail_interval" severity="medium">
RHEL/7/input/system/accounts/pam.xml:598:<oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
[shawnw@ssgdev-rhel7 scap-security-guide]$ sed -i 's/accounts_passwords_pam_fail_interval/accounts_passwords_pam_faillock_interval/g' Fedora/input/system/accounts/pam.xml RHEL/7/input/auxiliary/stig_overlay.xml RHEL/7/input/profiles/* RHEL/7/input/system/accounts/pam.xml
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin accounts_passwords_pam_fail_interval *
````
…ts_passwords_pam_faillock_fail_interval

````
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin var_accounts_passwords_pam_faillock_interval *
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:2:populate var_accounts_passwords_pam_faillock_interval
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:17:	sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:18:	sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(interval *= *\).*/\1\2$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:24:	sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ interval=$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:25:	sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ interval=$var_accounts_passwords_pam_faillock_interval/" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:32:	sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent interval=$var_accounts_passwords_pam_faillock_interval" $pamFile
RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh:33:	sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail interval=$var_accounts_passwords_pam_faillock_interval" $pamFile
[shawnw@ssgdev-rhel7 scap-security-guide]$ sed -i s'/var_accounts_passwords_pam_faillock_interval/var_accounts_passwords_pam_faillock_fail_interval/g' RHEL/6/input/fixes/bash/accounts_passwords_pam_faillock_interval.sh
[shawnw@ssgdev-rhel7 scap-security-guide]$ grep -rin var_accounts_passwords_pam_faillock_interval *
[shawnw@ssgdev-rhel7 scap-security-guide]$ pwd
/var/www/html/scap-security-guide
````
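The remediation script listed in the commit above handles three states of the PAM stack with sed: `pam_faillock` lines that already carry `interval=` (rewrite the value), `pam_faillock` lines without it (append it), and no `pam_faillock` lines at all (insert a `preauth` line before and an `authfail` line after `pam_unix.so`). The following is an added example, not scap-security-guide's own fix, that implements the same three cases against a constructed sample stack and exposes a checker so the result can be verified. It uses portable sed (no `-i`, and `i\`/`a\` followed by a newline) and escapes the brackets in `[default=die]`, because unescaped that token is a bracket expression matching one character rather than the literal control flag. The function names, the sample file and the interval values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not scap-security-guide's remediation): set pam_faillock's
# interval= on the preauth and authfail lines of a PAM auth stack, covering the
# three cases the page's fix handles. Sample file and values are constructed.

# Apply one sed program to a file in place without relying on GNU "sed -i".
edit_in_place() {
  sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Write a constructed sample auth stack (modelled on a RHEL 6 system-auth) to $1.
make_sample_pam() {
  cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800
auth        requisite     pam_succeed_if.so uid >= 500 quiet
EOF
}

# Print the interval= value of every pam_faillock line, one per line (for checking).
faillock_intervals() {
  sed -n 's/^auth.*pam_faillock\.so.*interval *= *\([0-9][0-9]*\).*/\1/p' "$1"
}

# set_faillock_interval FILE SECONDS
# Rewrites, appends, or inserts interval=SECONDS on the preauth and authfail lines.
set_faillock_interval() {
  pamFile="$1"; interval="$2"
  case "$interval" in
    ''|*[!0-9]*) echo "interval must be a non-negative integer" >&2; return 1 ;;
  esac
  # "[default=die]" is escaped: unescaped, sed reads it as a bracket expression
  # that matches a single character from the set, not the literal control flag.
  preauth='auth.*required.*pam_faillock\.so.*preauth'
  authfail='auth.*\[default=die\].*pam_faillock\.so.*authfail'
  if grep -q "^$preauth" "$pamFile"; then
    if grep -q '^auth.*pam_faillock\.so.*interval *=' "$pamFile"; then
      # Case 1: interval= already present, replace just the numeric value.
      edit_in_place "s/^\($preauth.*\)\(interval *= *\)[0-9]*/\1\2$interval/" "$pamFile"
      edit_in_place "s/^\($authfail.*\)\(interval *= *\)[0-9]*/\1\2$interval/" "$pamFile"
    else
      # Case 2: faillock lines exist but carry no interval=, append one.
      edit_in_place "/^$preauth/ s/\$/ interval=$interval/" "$pamFile"
      edit_in_place "/^$authfail/ s/\$/ interval=$interval/" "$pamFile"
    fi
  else
    # Case 3: no pam_faillock at all, insert the pair around pam_unix.so.
    edit_in_place "/^auth.*sufficient.*pam_unix\.so/i\\
auth        required      pam_faillock.so preauth silent interval=$interval" "$pamFile"
    edit_in_place "/^auth.*sufficient.*pam_unix\.so/a\\
auth        [default=die] pam_faillock.so authfail interval=$interval" "$pamFile"
  fi
}
```

Source the file and call `make_sample_pam /tmp/system-auth.sample`, then `set_faillock_interval /tmp/system-auth.sample 900`; running it a second time with a different value exercises the rewrite path, and `faillock_intervals` shows both lines agreeing. Rejecting non-numeric input matters because the value is spliced into a sed replacement: a stray `/` or `&` in it would otherwise corrupt the PAM line instead of failing loudly.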
Looks good to me. Thank you for the updates! ACK && Merging.
…interval updates for accounts_passwords_pam_faillock_unlock_time