In testing the community content, and trying to figure out how to correctly 
configure PAM to meet prose guidance, found that the symlink between 
system-auth and system-auth-ac had gotten broken. After running in circles for 
a while found that according to the man page the default action for sed -i is to 
break symbolic and hard links, which to be honest was kind of surprising to me. 
Digging back through the fixes, it looks like it was no_empty_passwords.sh 
that was the culprit.

I'm not sure if there was any kind of community consensus on whether it's 
better to modify the target file or to add --follow-symlinks to inline sed 
edits; it's spawned a lively debate here. In looking over the other fix 
content it looks like only password_require_minimum_class.sh has a sed command 
with the --follow-symlinks flag. That being the case I changed 
no_empty_passwords.sh to modify /etc/pam.d/system-auth-ac instead of 
/etc/pam.d/system-auth since the majority of fixes don't have the 
--follow-symlinks flag.

I considered changing password_require_minimum_class.sh to modify the target 
file as well for the sake of consistency, but figured I'd wait to see if there 
was any input from the community on modifying targets versus using the 
--follow-symlinks flag.

I'm unable to push, so if this is accepted, it would be appreciated if 
someone who can push could do so.

Thanks!

Jeb

Signed-off-by: Jeb Trayer <[email protected]>
---
 RHEL6/input/fixes/bash/no_empty_passwords.sh |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/RHEL6/input/fixes/bash/no_empty_passwords.sh 
b/RHEL6/input/fixes/bash/no_empty_passwords.sh
index fca40af..cb01287 100644
--- a/RHEL6/input/fixes/bash/no_empty_passwords.sh
+++ b/RHEL6/input/fixes/bash/no_empty_passwords.sh
@@ -1 +1 @@
-sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
+sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth-ac
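Review bot: The new path on the `+` line, /etc/pam.d/system-auth-ac, only takes effect through /etc/pam.d/system-auth while that path is still a symlink to it, and the script does not check this. On a host where an earlier run of the old line already replaced the link with a regular file (the breakage the commit message describes), this edit leaves system-auth untouched and does not restore the link. Consider testing that system-auth is still a link before editing, or keeping the original path with `sed -i --follow-symlinks`, and add a comment in the script explaining why the -ac file is the target so the choice stays consistent with password_require_minimum_class.sh.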
-- 
1.7.1
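
The link breakage described in the message above can be reproduced in a scratch directory. This is an added example, not part of the original post or the project's fix scripts; it assumes GNU sed, and the function names and the sample PAM line are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: how GNU `sed -i` treats a symlinked PAM file, with and
# without --follow-symlinks. Runs only inside mktemp directories.

# Build a scratch layout: system-auth -> system-auth-ac (constructed content).
make_sandbox() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'auth        sufficient    pam_unix.so nullok try_first_pass\n' \
        > "$dir/system-auth-ac"
    ln -s system-auth-ac "$dir/system-auth"
    printf '%s\n' "$dir"
}

# Apply the nullok removal to $1/system-auth, passing any extra sed options,
# then report: link=yes|no (is system-auth still a symlink?) and
# target=clean|nullok (does system-auth-ac still contain nullok?).
apply_fix() {
    local dir=$1; shift
    sed -i "$@" 's/\<nullok\>//g' "$dir/system-auth" || return 1
    local link=no target=clean
    [ -L "$dir/system-auth" ] && link=yes
    grep -qw nullok "$dir/system-auth-ac" && target=nullok
    printf 'link=%s target=%s\n' "$link" "$target"
}

# Pre-flight check a fix script could run before editing either file:
# succeeds only if system-auth is a symlink pointing at system-auth-ac.
link_intact() {
    [ -L "$1/system-auth" ] &&
        [ "$(readlink "$1/system-auth")" = "system-auth-ac" ]
}

demo() {
    local a b
    a=$(make_sandbox); b=$(make_sandbox)
    echo "plain -i:          $(apply_fix "$a")"
    echo "--follow-symlinks: $(apply_fix "$b" --follow-symlinks)"
    rm -rf "$a" "$b"
}

demo
```

With plain `-i` the link is replaced by an edited regular file and system-auth-ac keeps `nullok`; with `--follow-symlinks` the link survives and the target is edited.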


