> On May 27, 2018, at 12:02 PM, Šimon Lukašík <sluka...@redhat.com> wrote:
> On 05/25/2018 11:06 PM, Dan White wrote:
>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand editing 
>> /etc/pam.d files system-auth-ac and password-auth-ac
>> I was able to un-mess 8 of them with an authconfig command.
>> The other 5 are in various stages of recovery.  One had a snapshot but the 
>> other 4 are Oracle servers that cannot be snapshot because of shared storage.
>> Anyway, what I am looking for here is some brainstorming toward implementing 
>> security settings with authconfig commands rather than hand editing the 
>> files that utility can alter.
>> Thanks.
> I am not sure this is right forum for this. Nevertheless, I wouldn't be 
> surprised this brainstorming ended before it even started as You didn't 
> provide us particular peculiarities you are faced with and thus left us with 
> very general (and thus hard) task at hand.
> Kind regards,
> ~š.

OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing Algorithm - 

The Remediation shell script says:

for pamFile in "${AUTH_FILES[@]}"
        if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
                sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ 
s/$/ sha512/" $pamFile

But up at the top of both of those files it says : "User changes will be 
destroyed the next time authconfig is run”

Here are more:

RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - CCE-27160-1
RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - CCE-27286-4
RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - 
RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7
RHEL-07-010330 - Configure the root Account for Failed Password Attempts - 

Every one, in so many words, directs the hand editing of 
/etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)

Hopefully, this provides sufficient "particular peculiarities"

Back to my original question: How might one use the authconfig command to 
remediate each one of those ?

How about it ?
I will be tinkering on my own as time allows and I will gladly share anything I 
Dan White : d_e_wh...@icloud.com
“Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us.” 
Bill Waterson (Calvin & Hobbes)

Open-scap-list mailing list

Reply via email to