>From 17387a543e980ef4fa56fe9ed045fe19974faabb Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sun, 10 Nov 2013 00:40:28 -0500
Subject: [PATCH 03/11] OVAL + remediation for
accounts_max_concurrent_login_sessions
- Updated XCCDF/OVAL naming, used accounts_* scheme for consistency
- Added remediation
TESTING:
[root@SSG-RHEL6 checks]# var_accounts_max_concurrent_login_sessions=10; export
var_accounts_max_concurrent_login_sessions
[root@SSG-RHEL6 checks]# ./testcheck.py
accounts_max_concurrent_login_sessions.xml
external_variable with id : var_accounts_max_concurrent_login_sessions
Evaluating with OVAL tempfile :
/tmp/accounts_max_concurrent_login_sessionsbaLfPY.xml
Writing results to :
/tmp/accounts_max_concurrent_login_sessionsbaLfPY.xml-results
Definition oval:scap-security-guide.testing:def:267: false
Evaluation done.
[root@SSG-RHEL6 checks]# cd ../fixes/bash/
[root@SSG-RHEL6 bash]# bash accounts_max_concurrent_login_sessions.sh
[root@SSG-RHEL6 bash]# cd -
/var/www/html/scap-security-guide/RHEL6/input/checks
[root@SSG-RHEL6 checks]# ./testcheck.py
accounts_max_concurrent_login_sessions.xml
external_variable with id : var_accounts_max_concurrent_login_sessions
Evaluating with OVAL tempfile :
/tmp/accounts_max_concurrent_login_sessionsPCTxZb.xml
Writing results to :
/tmp/accounts_max_concurrent_login_sessionsPCTxZb.xml-results
Definition oval:scap-security-guide.testing:def:267: true
Evaluation done.
---
RHEL6/input/auxiliary/stig_overlay.xml | 2 +-
.../accounts_max_concurrent_login_sessions.xml | 4 ++--
.../bash/accounts_max_concurrent_login_sessions.sh | 4 ++++
RHEL6/input/profiles/CS2.xml | 4 ++--
RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 4 ++--
RHEL6/input/profiles/stig-rhel6-server.xml | 4 ++--
RHEL6/input/system/accounts/session.xml | 6 +++---
7 files changed, 16 insertions(+), 12 deletions(-)
create mode 100644
RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
diff --git a/RHEL6/input/auxiliary/stig_overlay.xml
b/RHEL6/input/auxiliary/stig_overlay.xml
index d322169..e47d427 100644
--- a/RHEL6/input/auxiliary/stig_overlay.xml
+++ b/RHEL6/input/auxiliary/stig_overlay.xml
@@ -705,7 +705,7 @@
<overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled"
ownerid="RHEL-06-000317" disa="1250" severity="medium">
<title>The system must have USB Mass Storage disabled unless
needed.</title>
</overlay>
- <overlay owner="disastig" ruleid="max_concurrent_login_sessions"
ownerid="RHEL-06-000319" disa="54" severity="low">
+ <overlay owner="disastig"
ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-06-000319"
disa="54" severity="low">
<title>The system must limit users to 10 simultaneous system
logins, or a site-defined number, in accordance with operational
requirements.</title>
</overlay>
<overlay owner="disastig" ruleid="set_iptables_default_rule_forward"
ownerid="RHEL-06-000320" disa="1109" severity="medium">
diff --git a/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml
b/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml
index a3658ff..062edb7 100644
--- a/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml
+++ b/RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml
@@ -26,9 +26,9 @@
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_maxlogins" version="1">
- <ind:subexpression operation="less than or equal"
var_ref="max_concurrent_login_sessions_value" datatype="int" />
+ <ind:subexpression operation="less than or equal"
var_ref="var_accounts_max_concurrent_login_sessions" datatype="int" />
</ind:textfilecontent54_state>
- <external_variable comment="maximum number of concurrent logins per user"
datatype="int" id="max_concurrent_login_sessions_value" version="1" />
+ <external_variable comment="maximum number of concurrent logins per user"
datatype="int" id="var_accounts_max_concurrent_login_sessions" version="1" />
</def-group>
diff --git a/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
new file mode 100644
index 0000000..945dd0f
--- /dev/null
+++ b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
@@ -0,0 +1,4 @@
+source ./templates/support.sh
+populate var_accounts_max_concurrent_login_sessions
+
+echo "* hard maxlogins
$var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
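Review bot: The final `echo ... >> /etc/security/limits.conf` line of this new script appends unconditionally, so every remediation run adds another `* hard maxlogins` entry and any earlier, looser entry stays in the file. It also writes `* hard maxlogins ` with no number if `populate` leaves the variable empty. I would check that the value is a plain integer and drop any existing wildcard hard entry before appending, as sketched below. Files under `/etc/security/limits.d/` are not touched by the script, so confirm whether the OVAL object (outside this hunk) reads them as well. The `source ./templates/support.sh` path is relative, so the script presumably only works from the directory that holds `templates/`, as in the TESTING transcript.

```shell
# … unchanged: source ./templates/support.sh and populate …

if [[ "$var_accounts_max_concurrent_login_sessions" =~ ^[0-9]+$ ]]; then
    # Remove any earlier wildcard hard limit so exactly one entry remains.
    sed -i '/^[[:space:]]*\*[[:space:]]\+hard[[:space:]]\+maxlogins[[:space:]]/d' /etc/security/limits.conf
    echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
else
    echo "maxlogins value is empty or not a number; limits.conf left unchanged" >&2
fi
```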
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml
index 35b88b5..3958779 100644
--- a/RHEL6/input/profiles/CS2.xml
+++ b/RHEL6/input/profiles/CS2.xml
@@ -19,8 +19,8 @@
<select idref="account_disable_post_pw_expiration" selected="true" />
<select idref="deny_password_attempts" selected="true" />
<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
-<select idref="max_concurrent_login_sessions" selected="true"/>
-<refine-value idref="max_concurrent_login_sessions_value" selector="3"/>
+<select idref="accounts_max_concurrent_login_sessions" selected="true"/>
+<refine-value idref="var_accounts_max_concurrent_login_sessions" selector="3"/>
<select idref="partition_for_tmp" selected="true"/>
<select idref="partition_for_var" selected="true"/>
diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
index 2d5ae03..558ae63 100644
--- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
@@ -94,8 +94,8 @@
<!-- AC-10
FISMA Refine: One session -->
-<refine-value idref="max_concurrent_login_sessions_value" seletor="1" />
-<select idref="max_concurrent_login_sessions" selected="true" />
+<refine-value idref="var_accounts_max_concurrent_login_sessions" seletor="1" />
+<select idref="accounts_max_concurrent_login_sessions" selected="true" />
<!-- AC-11(a), AC-11(b)
FISMA Refine: Lock after 15min -->
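Review bot: The renamed `refine-value` line still spells the attribute `seletor`, so the one-session limit that the `AC-10` comment calls for is probably not applied and the Value's default is used instead (or the profile fails schema validation). Since the line is being rewritten anyway, it should read `<refine-value idref="var_accounts_max_concurrent_login_sessions" selector="1" />`. The visible part of `session.xml` shows only the `20` selector, so confirm that the Value actually defines a `1` selector.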
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml
b/RHEL6/input/profiles/stig-rhel6-server.xml
index c917109..03c622b 100644
--- a/RHEL6/input/profiles/stig-rhel6-server.xml
+++ b/RHEL6/input/profiles/stig-rhel6-server.xml
@@ -42,8 +42,8 @@
<select idref="kernel_module_bluetooth_disabled" selected="true"/>
<select idref="kernel_module_usb-storage_disabled" selected="true"/>
-<select idref="max_concurrent_login_sessions" selected="true"/>
-<refine-value idref="max_concurrent_login_sessions_value" selector="10"/>
+<select idref="accounts_max_concurrent_login_sessions" selected="true"/>
+<refine-value idref="var_accounts_max_concurrent_login_sessions"
selector="10"/>
<select idref="set_iptables_default_rule_forward" selected="true"/>
diff --git a/RHEL6/input/system/accounts/session.xml
b/RHEL6/input/system/accounts/session.xml
index e500495..1d71938 100644
--- a/RHEL6/input/system/accounts/session.xml
+++ b/RHEL6/input/system/accounts/session.xml
@@ -11,7 +11,7 @@ correct configuration file permissions for interactive
accounts,
particularly those of privileged users such as root or system
administrators.</description>
-<Value id="max_concurrent_login_sessions_value" type="number"
+<Value id="var_accounts_max_concurrent_login_sessions" type="number"
operator="equals" interactive="0">
<title>Maximum concurrent login sessions</title>
<description>Maximum number of concurrent sessions by a user</description>
@@ -24,7 +24,7 @@ operator="equals" interactive="0">
<value selector="20">20</value>
</Value>
-<Rule id="max_concurrent_login_sessions">
+<Rule id="accounts_max_concurrent_login_sessions">
<title>Limit the Number of Concurrent Login Sessions Allowed Per User</title>
<description>
Limiting the number of allowed users and sessions per user can limit risks
related to Denial of
@@ -44,7 +44,7 @@ on the system:
You should receive output similar to the following:
<pre>* hard maxlogins 10</pre>
</ocil>
-<oval id="accounts_max_concurrent_login_sessions"
value="max_concurrent_login_sessions_value" />
+<oval id="accounts_max_concurrent_login_sessions"
value="var_accounts_max_concurrent_login_sessions" />
<ident cce="27457-1" />
<ref nist="AC-10" disa="54"/>
</Rule>
--
1.7.1