[BugFix] [Enhancement] Fix 'display_login_attempts' rule for RHEL-7 and Fedora #577
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
June 11, 2015 12:18
…mpts" rule for RHEL-7 and Fedora products to provide correct recommendation wrt to pam_lastlog settings on these products Fixes issue reported in: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006449.html
…_attempts' OVAL check for RHEL-7 and Fedora products Testing report: --------------- Verified manually on both products the proposed OVAL works fine (=> added test attestations for RHEL-7 && Fedora 20)
iankko
added
bugfix
Member
|
Builds successfully on RHEL6, tested the result on Fedora 22 and it seems to work. ACK. |
mpreisler
added a commit
that referenced
this pull request
Jun 11, 2015
…ts_fix [BugFix] [Enhancement] Fix 'display_login_attempts' rule for RHEL-7 and Fedora
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patchset is doing the following:
RHEL/7andFedoraXCCDF prose fordisplay_login_attemptsrule it to recommend properpam_lastlog.somodule setting (it has been verified with Tomas Mraz, PAM package maintainer that on RHEL-7 and Fedora systems the properpam_lastlog.soPAM module setting should happen in/etc/pam.d/postloginconfiguration file, and not, like currently recommended in/etc/pam.d/system-authfile. The/etc/pam.d/system-authrecommendation is still correct for the case ofRHEL/6system though, therefore the correspondingRHEL/6XCCDF object for this rule hasn't been modified),This change fixes
pam_lastlog.soissue (leading to invalid PAM configuration) as reported in:[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006449.html
/sharedversion of OVAL checks forRHEL/7andFedoraproducts for this rule (display_login_attempts). Also switches using of that rule on for Fedora'scommonprofile and RHEL-7'sPCI-DSSprofile.Testing report:
The proposed OVAL check has been manually tested on both products (RHEL-7 && Fedora 20), and seems to be working fine (AFAICT), therefore also added
test_attestations for these two systems.Please review.
Thank you, Jan.