On 12/24/13, 7:06 AM, Trayer, Jeb D CTR wrote:
Bump, haven't seen any replies on this, know it's the holidays but don't want 
this to get lost in the shuffle.

Thanks!

Appreciate the nudge!

The PAM subsystem points to /etc/pam.d/system-auth. System utilities (e.g. authconfig) will create the symlink; it's best to follow it.

Now patched via:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=8a4cc92099cf53b3f22e45c7d9287b7ba162244c

Thanks for reporting this!



-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Trayer, Jeb D CTR
Sent: Tuesday, December 17, 2013 7:49 AM
To: [email protected]
Subject: [Patch] Change to no_empty_passwords.sh fix script for RHEL6

In testing the community content, and trying to figure out how to correctly 
configure PAM to meet prose guidance, found that the symlink from 
system-auth to system-auth-ac had gotten broken. After running in circles for 
a while found that according to the man page the default action for sed -i is to 
break symbolic and hard links, which to be honest was kind of surprising to me. 
Digging back through the fixes, it looks like it was the no_empty_passwords.sh 
that was the culprit.

I'm not sure if there was any kind of community consensus on whether it's 
better to modify the target file or to add --follow-symlinks to inline sed 
edits, it's spawned a lively debate here.  In looking over the other fix 
content it looks like only password_require_minimum_class.sh has a sed command 
with --follow-symlinks flag.  That being the case I changed 
no_empty_passwords.sh to modify /etc/pam.d/system-auth-ac instead of 
/etc/pam.d/system-auth since the majority of fixes don't have the 
--follow-symlinks flag.

I considered changing password_require_minimum_class.sh to modify the target 
file as well for the sake of consistency, but figured I'd wait to see if there 
was any input from the community on modifying targets versus using the 
--follow-symlinks flag.

I'm unable to push, so if this is accepted, it would be appreciated if 
someone who can, could.

Thanks!

Jeb

Signed-off-by: Jeb Trayer<[email protected]>
---
  RHEL6/input/fixes/bash/no_empty_passwords.sh |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/RHEL6/input/fixes/bash/no_empty_passwords.sh 
b/RHEL6/input/fixes/bash/no_empty_passwords.sh
index fca40af..cb01287 100644
--- a/RHEL6/input/fixes/bash/no_empty_passwords.sh
+++ b/RHEL6/input/fixes/bash/no_empty_passwords.sh
@@ -1 +1 @@
-sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
+sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth-ac
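Review bot: On the `+` line, hard-coding /etc/pam.d/system-auth-ac only removes nullok from the file PAM reads while /etc/pam.d/system-auth is still a symlink to it; if the link has already been replaced by a regular file (the situation described in the message above) or points somewhere else, system-auth keeps its nullok entries. Consider keeping the path PAM reads and following the link instead, for example sed -i --follow-symlinks 's/\<nullok\>//g' /etc/pam.d/system-auth, which is the form the message says password_require_minimum_class.sh already uses.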
--
1.7.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide


--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells
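
The sed -i behaviour discussed in this thread, as an added example that is not part of any message or of the scap-security-guide fixes: it applies the three variants (plain sed -i on the link, --follow-symlinks, and editing the target directly) to a constructed copy in a temporary directory. GNU sed is assumed; the function names and the sample PAM line are made up for the demonstration.

```bash
#!/bin/bash
# Build a throwaway stand-in for /etc/pam.d (constructed, never the real directory).
make_sandbox() {
    local dir
    dir=$(mktemp -d) || return 1
    # Constructed sample line in the style of an authconfig-generated file.
    printf 'auth  sufficient  pam_unix.so nullok try_first_pass\n' > "$dir/system-auth-ac"
    ln -s system-auth-ac "$dir/system-auth"
    printf '%s\n' "$dir"
}

# Original fix: sed -i writes a new file and renames it over the link.
fix_plain()  { sed -i 's/\<nullok\>//g' "$1/system-auth"; }
# Same edit, but GNU sed resolves the link and edits the file it points to.
fix_follow() { sed -i --follow-symlinks 's/\<nullok\>//g' "$1/system-auth"; }
# The posted patch: edit the link target directly.
fix_target() { sed -i 's/\<nullok\>//g' "$1/system-auth-ac"; }

# Report whether system-auth is still a link and whether the target was cleaned.
link_state() {
    local dir=$1
    if [ -L "$dir/system-auth" ]; then printf 'symlink'; else printf 'regular-file'; fi
    if grep -qw nullok "$dir/system-auth-ac"; then
        printf ' target-still-has-nullok\n'
    else
        printf ' target-clean\n'
    fi
}

# Run one variant in a fresh sandbox and print the resulting state.
demo() {
    local fix=$1 dir
    dir=$(make_sandbox) || return 1
    "$fix" "$dir"
    link_state "$dir"
    rm -rf "$dir"
}

for variant in fix_plain fix_follow fix_target; do
    printf '%-11s %s\n' "$variant" "$(demo "$variant")"
done
```

With plain sed -i the link becomes a regular file and system-auth-ac keeps its nullok entry, so the two files diverge; the other two variants leave the link in place and clean the target.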
