> On May 27, 2018, at 12:02 PM, Šimon Lukašík <sluka...@redhat.com> wrote:
>
> On 05/25/2018 11:06 PM, Dan White wrote:
>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand editing
>> /etc/pam.d files system-auth-ac and password-auth-ac.
>> I was able to un-mess 8 of them with an authconfig command.
>> The other 5 are in various stages of recovery. One had a snapshot, but the
>> other 4 are Oracle servers that cannot be snapshotted because of shared storage.
>> Anyway, what I am looking for here is some brainstorming toward implementing
>> security settings with authconfig commands rather than hand editing the
>> files that utility can alter.
>> Thanks.
>
> I am not sure this is the right forum for this. Nevertheless, I wouldn't be
> surprised if this brainstorming ended before it even started, as you didn't
> provide us with the particular peculiarities you are faced with and thus left us
> with a very general (and thus hard) task at hand.
>
> Kind regards,
> ~š.
OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9

The remediation shell script says:

    AUTH_FILES[0]="/etc/pam.d/system-auth"
    AUTH_FILES[1]="/etc/pam.d/password-auth"

    for pamFile in "${AUTH_FILES[@]}"
    do
        # Append sha512 to the pam_unix password line only if it is not already there
        if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "$pamFile"; then
            sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "$pamFile"
        fi
    done

But up at the top of both of those files it says:
“User changes will be destroyed the next time authconfig is run”

Here are more:

RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - CCE-27160-1
RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - CCE-27286-4
RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - CCE-27297-1
RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7
RHEL-07-010330 - Configure the root Account for Failed Password Attempts - CCE-80353-6

Every one, in so many words, directs the hand editing of /etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac).

Hopefully, this provides sufficient “particular peculiarities”.

Back to my original question: How might one use the authconfig command to remediate each one of those?

How about it?

I will be tinkering on my own as time allows and I will gladly share anything I discover.

_______________________________________________________
Dan White : d_e_wh...@icloud.com
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” Bill Watterson (Calvin & Hobbes)
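The following is an added example, not code from the thread or from the SCAP Security Guide, of the approach the question asks about: driving the hashing-algorithm, empty-password and faillock remediations through authconfig (which regenerates system-auth-ac and password-auth-ac itself) instead of editing those files by hand, taking a restorable backup first and verifying the generated files afterwards. It assumes the RHEL 7 authconfig flags --savebackup, --restorebackup, --passalgo, --test and --update (documented in its man page) and, as an assumption to confirm against `authconfig --help` on your release, --disablenullok, --enablefaillock and --faillockargs. The faillock numbers are sample values, not the values a particular STIG release mandates; the check functions take a file path so they can be tried on a constructed sample file before being pointed at /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the original thread): remediate PAM settings via
# authconfig rather than hand-editing system-auth-ac / password-auth-ac.
# --disablenullok, --enablefaillock and --faillockargs are assumed to exist on
# the RHEL 7 authconfig; the faillock values below are sample values only.
# Nothing on the host is changed unless RUN_REMEDIATION=1 is set.

BACKUP_NAME="pre-stig-$(date +%Y%m%d%H%M%S)"
# Sample pam_faillock arguments (deny / fail_interval / unlock_time / root):
# replace with the values your profile requires.
FAILLOCK_ARGS="deny=3 fail_interval=900 unlock_time=900 even_deny_root"

# Build the authconfig command line as a string so it can be reviewed or logged
# before anything is applied.
build_authconfig_cmd() {
    printf 'authconfig --passalgo=sha512 --disablenullok --enablefaillock --faillockargs="%s" --update' "$FAILLOCK_ARGS"
}

# Post-remediation checks on a generated PAM file (one check per rule family).
check_sha512() {      # RHEL-07-010200: pam_unix password line carries sha512
    grep -q '^password.*sufficient.*pam_unix\.so.*sha512' "$1"
}
check_no_nullok() {   # RHEL-07-010290: no nullok on the pam_unix auth line
    ! grep -q '^auth.*pam_unix\.so.*nullok' "$1"
}
check_faillock() {    # RHEL-07-010320/010330: pam_faillock preauth with deny=
    grep -q '^auth.*required.*pam_faillock\.so.*preauth.*deny=' "$1"
}

# Run every check on one file; print PASS/FAIL per check, return 1 if any failed.
audit_pam_file() {
    f="$1"; rc=0
    for c in check_sha512 check_no_nullok check_faillock; do
        if "$c" "$f"; then echo "PASS $c $f"; else echo "FAIL $c $f"; rc=1; fi
    done
    return $rc
}

main() {
    # 1. Keep a restorable copy: authconfig --restorebackup="$BACKUP_NAME" undoes it.
    authconfig --savebackup="$BACKUP_NAME"
    # 2. Preview the configuration authconfig would write, then apply it.
    authconfig --passalgo=sha512 --disablenullok --enablefaillock \
        --faillockargs="$FAILLOCK_ARGS" --test
    authconfig --passalgo=sha512 --disablenullok --enablefaillock \
        --faillockargs="$FAILLOCK_ARGS" --update
    # 3. Verify what authconfig actually generated (system-auth and password-auth
    #    are symlinks to the -ac files it owns).
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        audit_pam_file "$f"
    done
}

if [ "${RUN_REMEDIATION:-0}" = "1" ]; then
    main
fi
```

Run it as `RUN_REMEDIATION=1 sh remediate-pam.sh` on a test VM first; without that variable it only defines the functions, so `audit_pam_file /etc/pam.d/system-auth` can be used on its own as a read-only audit. Because authconfig rewrites the -ac files from its own saved settings, a later `authconfig --update` keeps these options, which is exactly what hand edits lose.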
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list