On 10/25/13, 7:21 AM, wm-lists wrote:
Yes, mine is different since we use sssd for authentication; the placement of the cracklib is the same though. Switching to your cracklib values actually caused me to fail more of the categories.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

I grabbed the zipfile this morning and used it
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US">
  <status date="2013-10-24">draft</status>


My results:
http://people.redhat.com/swells/ssg-results/report.html

system-auth:
http://people.redhat.com/swells/ssg-results/system-auth

password-auth:
http://people.redhat.com/swells/ssg-results/password-auth

Tweaked a few of your settings. You can do a wget & diff against your local copies to identify them.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide