[shawnw@ssg-rhel6-devbox checks]$ grep -rin deny_password_attempts_unlock ../ ../system/accounts/pam.xml:442:<Rule id="deny_password_attempts_unlock_time" severity="medium"> ../auxiliary/stig_overlay.xml:1003: <overlay owner="disastig" ruleid="deny_password_attempts_unlock_time" ownerid="RHEL-06-000356" disa="47" severity="medium"> ../profiles/nist-CL-IL-AL.xml:175:<select idref="deny_password_attempts_unlock_time" selected="true" \> ../profiles/stig-rhel6-server-upstream.xml:96:<select idref="deny_password_attempts_unlock_time" selected="true" /> ../profiles/CSCF-RHEL6-MLS.xml:65:<select idref="deny_password_attempts_unlock_time" selected="true" /> ../profiles/fisma-medium-rhel6-server.xml:89:<select idref="deny_password_attempts_unlock_time" selected="true" /> [shawnw@ssg-rhel6-devbox checks]$ sed -i 's/deny_password_attempts_unlock_time/accounts_passwords_pam_faillock_unlock_time/g' ../system/accounts/pam.xml ../auxiliary/* ../profiles/* [shawnw@ssg-rhel6-devbox checks]$ grep -rin deny_password_attempts_unlock ../
Signed-off-by: Shawn Wells <[email protected]>
---
 RHEL/6/input/auxiliary/stig_overlay.xml | 2 +-
 RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml | 2 +-
 .../6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
 RHEL/6/input/profiles/nist-CL-IL-AL.xml | 2 +-
 .../input/profiles/stig-rhel6-server-upstream.xml | 2 +-
 RHEL/6/input/system/accounts/pam.xml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml
index 5465ef0..d6139ac 100644
--- a/RHEL/6/input/auxiliary/stig_overlay.xml
+++ b/RHEL/6/input/auxiliary/stig_overlay.xml
@@ -1000,7 +1000,7 @@
 <VMSinfo VKey="38595" SVKey="50396" VRelease="1" />
 <title>The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.</title>
 </overlay>
- <overlay owner="disastig" ruleid="deny_password_attempts_unlock_time" ownerid="RHEL-06-000356" disa="47" severity="medium">
+ <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-06-000356" disa="47" severity="medium">
 <VMSinfo VKey="38592" SVKey="50393" VRelease="1" />
 <title>The system must require administrator action to unlock an account locked by excessive failed login attempts.</title>
 </overlay>
diff --git a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml
index 4757cf6..5485faf 100644
--- a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml
+++ b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml
@@ -62,7 +62,7 @@ for production deployment.</description> <select idref="cups_disable_browsing" selected="true" /> <select idref="cups_disable_printserver" selected="true" /> <select idref="deactivate_wireless_interfaces" selected="true" /> -<select idref="deny_password_attempts_unlock_time" selected="true" /> +<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <select idref="accounts_passwords_pam_faillock_deny" selected="true" /> <select idref="accounts_passwords_pam_fail_interval" selected="true" /> <select idref="dhcp_server_deny_bootp" selected="true" /> diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml index a1c4036..9e639f1 100644 --- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml +++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml @@ -86,7 +86,7 @@ Delay pw prompt for 30min --> <!-- TODO: PASSWORD PROMPT DELAY FOR 30min, possible?! --> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> -<select idref="deny_password_attempts_unlock_time" selected="true" /> +<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <!-- AC-8(a), AC-8(b), AC-8(c) --> <refine-value idref="login_banner_text" selector="usgcb_default"/> diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml b/RHEL/6/input/profiles/nist-CL-IL-AL.xml index fd2087e..4ce86e2 100644 --- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml +++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml @@ -172,7 +172,7 @@ assurance."</description> <select idref="accounts_passwords_pam_fail_interval" selected="true" \> <!-- AC-7(b) --> -<select idref="deny_password_attempts_unlock_time" selected="true" \> +<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" \> <!-- AC-8(a), AC-8(c) --> <select idref="set_system_login_banner" selected="true" \> 
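Review bot: The new `<select>` line in nist-CL-IL-AL.xml still ends in `\>` instead of `/>`, as do the two context `<select>` lines around it, so the element is never closed and the profile is not well-formed XML. If this file is parsed as it stands, the account-lockout rule it is meant to select may not be applied, or the whole profile may be rejected; that is inferred, since the build step is not visible here. As the line is being rewritten anyway, it should be closed properly, `<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" />`, with the neighbouring `\>` lines fixed in the same pass. The CSCF and fisma hunks already use `/>`.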
diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml index 0ef3c0a..9b01757 100644 --- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml @@ -93,7 +93,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/. <select idref="display_login_attempts" selected="true" /> -<select idref="deny_password_attempts_unlock_time" selected="true" /> +<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> <select idref="accounts_passwords_pam_fail_interval" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900"/> diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index f8af660..feddbb6 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -439,7 +439,7 @@ prevents direct password guessing attacks. <ref nist="AC-7(a)" disa="44" /> </Rule> -<Rule id="deny_password_attempts_unlock_time" severity="medium"> +<Rule id="accounts_passwords_pam_faillock_unlock_time" severity="medium"> <title>Set Lockout Time For Failed Password Attempts</title> <description> To configure the system to lock out accounts after a number of incorrect login -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
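Review bot: Renaming the `<Rule id>` in pam.xml changes the identifier that profiles, tailoring files and stored scan results use to refer to this lockout check, and the grep in the commit message only covers `../` relative to the `checks` directory, i.e. the RHEL/6 input tree. Anything outside that tree that still selects `deny_password_attempts_unlock_time` would no longer resolve to this rule, and a consumer might treat that as "not selected" instead of a failure (this depends on the tool and is not visible here). It would help to record the old id beside the rule, for example `<!-- formerly deny_password_attempts_unlock_time -->`, and to repeat the grep from the repository root. The Rule body continues past the end of the hunk, so any check reference inside it cannot be verified from this page.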
