+1 from me as well.

On Mon, Aug 17, 2015 at 12:22 PM, Greg Elin <[email protected]> wrote:

> +1 on Shawn's observation:
> "The purpose of SSG is to get security configuration guidance and
> automation into the public, into the technology natively (e.g. shipping in
> RHEL), and developed in an open community with open (in our case, public
> domain) licensing."
>
> Greg
>
> On Mon, Aug 17, 2015 at 12:18 PM, Shawn Wells <[email protected]> wrote:
>
>> On 8/14/15 3:33 PM, Steve Grubb wrote:
>>
>>> On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
>>>
>>>> A patch for the SSH bug that bypassed the MaxAuthTries limit was just
>>>> patched. Has MaxAuthTries been considered as a control in the security
>>>> guide?
>>>
>>> The default value for this is set to "no". We set UsePam to "yes". Some
>>> platforms do not have PAM and openssh replicates some of that
>>> functionality in their code. If you want to control the maximum number of
>>> login attempts, you should use the pam_faillock module. It is an
>>> improvement over pam_tally2 in that it tracks login attempts per user.
>>> Pam_tally2 is global. Both are hooked into the audit system while
>>> openssh's MaxAuthTries is not.
>>
>> While we configure PAM controls, and assume SSH is using them via "UsePam
>> yes", there isn't a validation check for "UsePam." Should there be?
>>
>> --
>> SCAP Security Guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
>
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
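The "UsePam" validation check Shawn asks about, written here as an added example that is not SCAP Security Guide code: a POSIX shell check that reports the effective value of the `UsePAM` directive (that is its spelling in sshd_config) using OpenSSH's first-match-wins keyword semantics, and treats an absent directive as the compiled-in default of "no". The sample configurations are constructed; the scratch-directory name and function names are this example's own.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): a validation check for
# "UsePAM yes" in sshd_config. Assumptions: OpenSSH keyword semantics
# (first match wins, keyword is case-insensitive, "#" starts a comment,
# keyword and value may be separated by whitespace or "="), the directive
# is not permitted inside a Match block so scanning stops there, and the
# compiled-in default when UsePAM is absent is "no".

# Print the effective UsePAM value ("yes"/"no") for the file given as $1.
sshd_usepam_effective() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, normalise "="
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # UsePAM cannot follow Match
        tolower($1) == "usepam" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }          # compiled-in default
    ' "$1"
}

# The check itself: succeed (0) only when the effective value is "yes".
check_usepam() {
    [ "$(sshd_usepam_effective "$1")" = "yes" ]
}

# Constructed sample configurations, written to a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' '# UsePAM yes' 'usepam YES' 'UsePAM no' > "$demo_dir/first_wins"
printf '%s\n' 'Port 22' 'MaxAuthTries 6'                > "$demo_dir/absent"
printf '%s\n' 'Match User deploy' '    UsePAM yes'       > "$demo_dir/only_in_match"
printf '%s\n' 'UsePAM=yes'                               > "$demo_dir/equals"

for f in first_wins absent only_in_match equals; do
    if check_usepam "$demo_dir/$f"; then result=PASS; else result=FAIL; fi
    printf '%-14s effective UsePAM=%-3s %s\n' "$f" \
        "$(sshd_usepam_effective "$demo_dir/$f")" "$result"
done
```

A commented-out or missing directive reports "no", which is the conservative result the check should give when the PAM-based faillock controls are assumed to be in the SSH login path.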
