On 11/12/13, 10:38 PM, Frank Caviggia wrote:
Shawn,

This should be a little bit better of a match to what you wanted for the 
password use remediation.

-Frank

0001-accounts_password_reuse_limit.sh-remediation.patch


From c6bd643edc3f9504172225d6a0fce9771a6e1a77 Mon Sep 17 00:00:00 2001
From: Frank Caviggia<[email protected]>
Date: Tue, 12 Nov 2013 22:35:19 -0500
Subject: [PATCH] accounts_password_reuse_limit.sh remediation

Signed-off-by: Frank Caviggia<[email protected]>
---
  RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh | 8 ++++++++
  1 file changed, 8 insertions(+)
  create mode 100644 RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh

diff --git a/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh 
b/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh
new file mode 100644
index 0000000..e278e54
--- /dev/null
+++ b/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh
@@ -0,0 +1,8 @@
+source ./templates/support.sh
+populate var_password_history_retain_limit
+
+if [ `grep -c 'remember=' /etc/pam.d/system-auth` -eq 0 ]; then
+       sed 's/^\s*password.*pam_unix\.so.*/& 
remember=$var_password_history_retain_limit/' /etc/pam.d/system-auth
+else
+       sed 's/remember=[0-9]*/remember=$var_password_history_retain_limit/' 
/etc/pam.d/system-auth
+fi
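Review bot: both `sed` calls in this hunk write to stdout and never touch /etc/pam.d/system-auth, so the remediation is a no-op as committed; they need `-i`. The replacement text is also inside single quotes, so `$var_password_history_retain_limit` is written literally into the file instead of being expanded (double-quote the script, e.g. `sed -i "s/remember=[0-9]*/remember=$var_password_history_retain_limit/" /etc/pam.d/system-auth`). Finally, the first branch assumes a `password ... pam_unix.so` line exists: when `grep -c 'remember='` is 0 and no such line is present, the script exits successfully having changed nothing, so that case should be detected and reported rather than silently ignored. Minor: `[ \`grep -c ...\` -eq 0 ]` reads more simply as `! grep -q 'remember=' /etc/pam.d/system-auth`.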
-- 1.8.3.1

I quickly tested with system-auth containing, and not, remember=. This is a great start!

Three things remain:

- sed -i ;)

- The variable isn't being expanded when the script is run, I get:
# bash accounts_password_reuse_limit.sh
.......
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=$var_password_history_retain_limit
password    sufficient    pam_sss.so use_authtok

- What if "password pam_unix.so" isn't present?
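The three points above (in-place edit, variable expansion, and the missing `password ... pam_unix.so` line) can be addressed together. The script below is an added example written for this thread, not Frank's patch or SSG's shipped remediation; it assumes a hypothetical `set_remember_limit FILE LIMIT` function so it can be exercised against constructed copies of a system-auth file instead of the live /etc/pam.d/system-auth, and it confines the edit to the pam_unix.so password line rather than matching `remember=` anywhere in the file.

```shell
#!/bin/sh
# Added example (not part of the SSG patch in this thread).
# Idempotently set remember=LIMIT on the pam_unix.so password line of a
# PAM config file. Operates on any FILE so it can be tested on a copy.

# Matches a pam_unix.so line in the "password" management group.
PAM_UNIX_PW='^[[:space:]]*password[[:space:]].*pam_unix\.so'

# set_remember_limit FILE LIMIT
#   0: remember=LIMIT now present on the pam_unix.so password line
#   1: FILE has no such line (reported, file left untouched)
#   2: LIMIT is not a non-negative integer
set_remember_limit() {
    file="$1"
    limit="$2"

    # Refuse to write a non-numeric value into a PAM option.
    case "$limit" in
        ''|*[!0-9]*) echo "set_remember_limit: LIMIT must be numeric, got '$limit'" >&2; return 2 ;;
    esac

    # Shawn's third point: do not silently succeed when there is nothing to edit.
    if ! grep -qE "$PAM_UNIX_PW" "$file"; then
        echo "set_remember_limit: no 'password ... pam_unix.so' line in $file; not modified" >&2
        return 1
    fi

    # Double quotes so $limit expands; -i so the file is actually rewritten;
    # the /.../ address restricts the substitution to the pam_unix.so password line.
    if grep -qE "$PAM_UNIX_PW.*remember=" "$file"; then
        sed -i -E "/$PAM_UNIX_PW/s/remember=[0-9]*/remember=$limit/" "$file"
    else
        sed -i -E "/$PAM_UNIX_PW/s/\$/ remember=$limit/" "$file"
    fi
}

# remember_value FILE
#   Print the remember= value from the pam_unix.so password line (empty if none).
remember_value() {
    sed -n -E "/$PAM_UNIX_PW/s/.*remember=([0-9]+).*/\1/p" "$1"
}

# Demonstration on constructed inputs (not real system files).
demo_dir=$(mktemp -d)
printf '%s\n' \
  'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok' \
  'password    sufficient    pam_sss.so use_authtok' > "$demo_dir/with_pam_unix"
printf '%s\n' \
  'password    sufficient    pam_sss.so use_authtok' > "$demo_dir/without_pam_unix"

set_remember_limit "$demo_dir/with_pam_unix" 5
echo "after first run:  remember=$(remember_value "$demo_dir/with_pam_unix")"
set_remember_limit "$demo_dir/with_pam_unix" 24
echo "after second run: remember=$(remember_value "$demo_dir/with_pam_unix")"
if set_remember_limit "$demo_dir/without_pam_unix" 5; then
    echo "unexpected success"
else
    echo "missing pam_unix.so line reported with status $?"
fi
rm -rf "$demo_dir"
```

Running the first call adds `remember=5` to the pam_unix.so line only (the pam_sss.so line is left alone); the second call rewrites it to `remember=24` rather than appending a second option, so the script is safe to re-run. The third call returns 1 with a message instead of exiting 0, which lets the caller decide whether a missing `password ... pam_unix.so` line should fail the remediation; inserting a new line into the password stack automatically is deliberately not attempted here.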
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
