On 05/30/2018 06:44 PM, Dan White wrote:
On May 30, 2018, at 08:03 AM, Pavel Březina <pbrez...@redhat.com> wrote:
On 05/29/2018 03:03 PM, Marek Haicman wrote:
Pavel, can you help us with authconfig? :)
On 05/29/2018 01:08 PM, Dan White wrote:
On May 29, 2018, at 05:26 AM, Marek Haicman <mhaic...@redhat.com> wrote:
On 05/27/2018 08:45 PM, Dan White wrote:
On May 27, 2018, at 12:02 PM, Šimon Lukašík <sluka...@redhat.com
<mailto:sluka...@redhat.com>> wrote:
On 05/25/2018 11:06 PM, Dan White wrote:
I just messed up a baker’s dozen of RHEL 6 virtual machines by hand
editing /etc/pam.d files system-auth-ac and password-auth-ac
I was able to un-mess 8 of them with an authconfig command.
The other 5 are in various stages of recovery. One had a snapshot
but the other 4 are Oracle servers that cannot be snapshot
because of
shared storage.
Anyway, what I am looking for here is some brainstorming toward
implementing security settings with authconfig commands rather than
hand editing the files that utility can alter.
Thanks.
I am not sure this is right forum for this. Nevertheless, I wouldn't
be surprised this brainstorming ended before it even started as You
didn't provide us particular peculiarities you are faced with and
thus
left us with very general (and thus hard) task at hand.
Kind regards,
~š.
OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing
Algorithm - CCE-27104-9
The Remediation shell script says:
|AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth" for pamFile in
"${AUTH_FILES[@]}" do if ! grep -q
"^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then sed -i
--follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/"
$pamFile fi done|
But up at the top of both of those files it says : *"User changes will
be destroyed the next time authconfig is run”*
Here are more:
RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -
CCE-27160-1
RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -
CCE-27286-4
RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -
CCE-27297-1
RHEL-07-010320 - Set Lockout Time For Failed Password Attempts -
CCE-26884-7
RHEL-07-010330 - Configure the root Account for Failed Password
Attempts
- CCE-80353-6
Every one, in so many words, directs the hand editing of
/etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)
Hopefully, this provides sufficient "particular peculiarities"
Back to my original question: How might one use the /authconfig/
command
to remediate each one of those ?
How about it ?
I will be tinkering on my own as time allows and I will gladly share
anything I discover.
Hello Dan,
historically, we have tried to use authconfig for some of the
remediations (smartcards), as it was kind of obvious choice, right?
Well, it fired back a bit, because you cannot really combine authconfig
and manual fixes. So after you made some of the more complex fixes by
hand (fixes that authconfig was not able to deliver) and then tried to
fix a triviality using authconfig tool, it would revert your manual
change.
One of the problems of old authconfig (got added in RHEL7.4 I think,
RHEL6 is affected) is no support for `faillock`. So you cannot really
fix this one. So we gave up, and reverted to fixing everything by old
style sed-ing :(
Regards,
Marek
I am still looking for suggestions.
Here is an updated list of OpenSCAP references and the partial results
of my tinkering:
Reference:
https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html
RHEL-06-000000 - Set Password Retry Prompts Permitted Per-Session -
CCE-27123-9 - hand changes not overwritten by authconfig
RHEL-06-000030 - Prevent Log In to Accounts With Empty Password -
CCE-27038-9 - hand changes not overwritten by authconfig
RHEL-06-000056 - Set Password Strength Minimum Digit Characters -
CCE-26374-9 - hand changes not overwritten by authconfig
RHEL-06-000057 - Set Password Strength Minimum Uppercase Characters -
CCE-26601-5 - hand changes not overwritten by authconfig
RHEL-06-000058 - Set Password Strength Minimum Special Characters -
CCE-26409-3 - hand changes not overwritten by authconfig
RHEL-06-000059 - Set Password Strength Minimum Lowercase Characters -
CCE-26631-2 - hand changes not overwritten by authconfig
RHEL-06-000060 - Set Password Strength Minimum Different Characters -
CCE-26615-5 - hand changes not overwritten by authconfig
RHEL-06-000061 - Set Deny For Failed Password Attempts - CCE-26844-1
--- PROBLEM !!! authconfig wipes changes and cannot set them
RHEL-06-000062 - Set Password Hashing Algorithm in
/etc/pam.d/system-auth - CCE-26303-8 settable with authconfig
(--passalgo=sha512)
RHEL-06-000274 - Limit Password Reuse - CCE-26741-9 --- PROBLEM !!!
authconfig wipes changes and cannot set them
RHEL-06-000299 - Set Password to Maximum of Three Consecutive
Repeating Characters - CCE-27227-8 not yet tested
RHEL-06-000356 - Set Lockout Time For Failed Password Attempts -
CCE-27110-6 not yet tested
RHEL-06-000357 - Set Interval For Counting Failed Password Attempts -
CCE-27215-3 not yet tested
Reference:
https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html
RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9
settable with authconfig (--passalgo=sha512)
RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -
CCE-27160-1 - hand changes not overwritten by authconfig
RHEL-07-010270 - Limit Password Reuse - CCE-26923-3 --- PROBLEM !!!
authconfig wipes changes and cannot set them
RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -
CCE-27286-4 - hand changes not overwritten by authconfig
RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
--- PROBLEM !!! authconfig wipes hand changes and cannot set all of
them (PARTIAL) --enablefaillock --faillockargs="deny=3
unlock_time=never fail_interval=900"
RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -
CCE-27297-1 not yet tested
RHEL-07-010320 - Set Lockout Time For Failed Password Attempts -
CCE-26884-7 not yet tested
RHEL-07-010330 - Configure the root Account for Failed Password
Attempts - CCE-80353-6 not yet tested
Would a BugZilla ticket get any traction ? Who maintains authconfig ?
BZ for what? I'm not sure what exactly do you want to achieve with
authconfig.
Some of these changes can be done through authconfig, for example it can
configure pam_pwquality for password complexity. See authconfig --help
for all the options.
Manual changes will be overwritten next time authconfig is called.
There are several pam stacks managed by authconfig:
- password-auth
- system-auth
- smartcard-auth
- fingerprint-auth
- postlogin
These files are just symlinks to $name-ac files that are written by
authconfig. If you need to do any changes that should persist, remove
the symlink and than edit the file without -ac suffix. Of course this
means that you stop using authconfig, but that is alright for most cases
as you need to configure it only once.
That is the whole point of the query.
This is for security hardening.
Authconfig removes stuff that needs to stay in.
I am suggesting updates for authconfig to provide the required settings
it currently removes.
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
