Hi, the attached files don't look like ones that were changed by the USG
hardening script. Especially because the hardening scripts add the
pam_tally2 files in specific places. Below is the script code:
#################################################################################
#5.3.2 Ensure lockout for failed password attempts is configured (Automated)
rule-5.3.2()
{
    print_rule_banner "Ensure lockout for failed password attempts is configured"
    # Only act when the pam_tally2 line with the expected parameters is absent.
    egrep -q 'pam_tally2.so.* deny=5 unlock_time=900' /etc/pam.d/common-auth
    if [ $? -gt 0 ]; then
        # Insert the auth line as line 1 of common-auth.
        sed -i "1i # CIS rule 5.3.2\nauth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" /etc/pam.d/common-auth
        # Append the account line right after 'account requisite pam_deny.so' in common-account.
        sed -i -E '/account\srequisite\s+pam_deny.so/a # CIS rule 5.3.2\naccount required\t\t\tpam_tally2.so' /etc/pam.d/common-account
    fi
}
#################################################################################
As one may see, the code inserts the pam_tally2 line at the 1st line of
the common-auth file and appends the pam_tally2 line just after the
'account requisite pam_deny.so' line, in the common-auth file.
Check with the customer whether it will work if they move the pam_tally2
lines to their correct spot.
I can see a bug in the OVAL used to audit the files, because they just
check for the pam_tally2 lines and not their correct position.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942010
Title:
Ensure lockout for failed password attempts is configured
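A position-aware check for the two pam_tally2 lines, covering the gap described in the comment above (an audit that only greps for the lines and not for their position). This is an added example, not the USG script's or the OVAL's own code; it takes file paths as arguments and runs against constructed sample files rather than /etc/pam.d.

```shell
# Position-aware audit of the CIS 5.3.2 pam_tally2 lines (added example, not the
# USG script's or the OVAL's own code). Files are arguments so it can run on samples.

# Effective PAM lines only: comments and blank lines are dropped.
pam_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Succeeds only if the FIRST effective line of a common-auth file is the
# pam_tally2 auth line with deny=5 unlock_time=900, where the script inserts it.
check_common_auth() {
    pam_lines "$1" | head -n 1 |
      grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so.*deny=5.*unlock_time=900'
}

# Succeeds only if the line right after 'account requisite pam_deny.so' in a
# common-account file is the pam_tally2 account line, where the script appends it.
check_common_account() {
    pam_lines "$1" | awk '
      /^account[[:space:]]+requisite[[:space:]]+pam_deny\.so/ { want = 1; next }
      want == 1 { if ($0 ~ /^account[[:space:]]+required[[:space:]]+pam_tally2\.so/) ok = 1; exit }
      END { exit ok ? 0 : 1 }'
}

# Constructed sample files (not real customer files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/auth-ok" <<'EOF'
# CIS rule 5.3.2
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
EOF
# Same line, but below pam_deny.so: a presence-only grep still accepts this.
cat > "$SAMPLE_DIR/auth-misplaced" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
EOF
cat > "$SAMPLE_DIR/account-ok" <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
# CIS rule 5.3.2
account required                        pam_tally2.so
EOF

for f in auth-ok auth-misplaced; do
    if check_common_auth "$SAMPLE_DIR/$f"; then echo "$f: OK"; else echo "$f: MISPLACED"; fi
done
```

Pointing the two functions at /etc/pam.d/common-auth and /etc/pam.d/common-account gives a quick way to confirm that a customer's files match what the hardening script would have produced.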