> On May 27, 2018, at 12:02 PM, Šimon Lukašík <[email protected]> wrote:
>
> On 05/25/2018 11:06 PM, Dan White wrote:
>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand editing
>> /etc/pam.d files system-auth-ac and password-auth-ac
>> I was able to un-mess 8 of them with an authconfig command.
>> The other 5 are in various stages of recovery. One had a snapshot but the
>> other 4 are Oracle servers that cannot be snapshot because of shared storage.
>> Anyway, what I am looking for here is some brainstorming toward implementing
>> security settings with authconfig commands rather than hand editing the
>> files that utility can alter.
>> Thanks.
>
> I am not sure this is the right forum for this. Nevertheless, I wouldn't be
> surprised if this brainstorming ended before it even started, as you didn't
> provide us with the particular peculiarities you are faced with and thus left us
> with a very general (and thus hard) task at hand.
>
> Kind regards,
> ~š.
OK, let's start with RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9
The Remediation shell script says:
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
    # append sha512 to the pam_unix password line unless it is already there
    if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" "$pamFile"; then
        sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" "$pamFile"
    fi
done
But up at the top of both of those files it says: "User changes will be destroyed the next time authconfig is run"
Here are more:
RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - CCE-27160-1
RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - CCE-27286-4
RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - CCE-27297-1
RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7
RHEL-07-010330 - Configure the root Account for Failed Password Attempts - CCE-80353-6
Every one, in so many words, directs the hand editing of
/etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac).
Hopefully, this provides sufficient "particular peculiarities".
Back to my original question: How might one use the authconfig command to
remediate each one of those?
How about it?
I will be tinkering on my own as time allows and I will gladly share anything I
discover.
_______________________________________________________
Dan White : [email protected]
“Sometimes I think the surest sign that intelligent life exists elsewhere in
the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
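The following is an added example, not code from this thread, from the SCAP Security Guide remediation, or from authconfig itself. It audits a PAM file for the settings the RHEL-07 items above require (sha512 on the pam_unix password line, no nullok on the auth line, pam_faillock preauth with deny, unlock_time and fail_interval, and even_deny_root), so that after running authconfig one can verify the generated system-auth and password-auth files instead of hand editing them. The function names and the thresholds checked (deny no more than 3, unlock_time and fail_interval at least 900 seconds) are assumptions chosen for the example; adjust them to the values your benchmark profile specifies.

```shell
#!/bin/sh
# Added example: audit a PAM file for the hardening settings discussed in the
# thread. All function names and thresholds are assumptions, not STIG text.
# Usage: check_pam_file /etc/pam.d/system-auth

# RHEL-07-010200: the pam_unix password line must carry sha512
pam_has_sha512() {
    grep -q '^password.*sufficient.*pam_unix\.so.*sha512' "$1"
}

# RHEL-07-010290: no "nullok" on the pam_unix auth line (empty passwords)
pam_rejects_empty_password() {
    ! grep -q '^auth.*pam_unix\.so.*nullok' "$1"
}

# Print the numeric value of option $2 from the pam_faillock preauth line in $1
# (empty output when the option is absent). The leading [[:space:]] keeps
# "deny=" from matching inside "even_deny_root".
pam_faillock_arg() {
    sed -n 's/^auth.*pam_faillock\.so.*preauth.*[[:space:]]'"$2"'=\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# RHEL-07-010320 (deny / fail_interval / unlock_time): assumed thresholds
pam_faillock_configured() {
    d=$(pam_faillock_arg "$1" deny)
    u=$(pam_faillock_arg "$1" unlock_time)
    i=$(pam_faillock_arg "$1" fail_interval)
    [ -n "$d" ] && [ "$d" -le 3 ] &&
    [ -n "$u" ] && [ "$u" -ge 900 ] &&
    [ -n "$i" ] && [ "$i" -ge 900 ]
}

# RHEL-07-010330: root is subject to lockout as well
pam_faillock_even_deny_root() {
    grep -q '^auth.*pam_faillock\.so.*preauth.*even_deny_root' "$1"
}

# Run every check against one file; the exit status is the number of failures,
# so 0 means the file satisfies all of them.
check_pam_file() {
    f=$1
    fails=0
    for check in pam_has_sha512 pam_rejects_empty_password \
                 pam_faillock_configured pam_faillock_even_deny_root; do
        if "$check" "$f"; then
            echo "PASS $check $f"
        else
            echo "FAIL $check $f"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# When given file arguments, audit each one (e.g. both system-auth and
# password-auth) and exit non-zero if any file failed a check.
status=0
for f in "$@"; do
    check_pam_file "$f" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

The checks that authconfig can drive directly are the hashing algorithm (`authconfig --passalgo=sha512 --update`) and the faillock settings (`authconfig --enablefaillock --faillockargs="deny=3 unlock_time=900 fail_interval=900 even_deny_root" --update`); `authconfig --test` shows what it would write without touching the files. Running the audit on both generated files after each authconfig invocation shows which of the listed items that run actually satisfied and which ones still drift, which is the question the thread is asking.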