[PATCH] Fix login.defs syntax
by Joe Nall
---
.../accounts/restrictions/password_expiration.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml
index 43179a4..9349fec 100644
--- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml
+++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml
@@ -80,7 +80,7 @@ age, and 7 day warning period with the following command:
<description>To specify password length requirements for new accounts,
edit the file <tt>/etc/login.defs</tt> and add or correct the following
lines:
-<pre>PASS_MIN_LEN=12<!-- <sub idref="var_password_min_len"> --></pre>
+<pre>PASS_MIN_LEN 12<!-- <sub idref="var_password_min_len"> --></pre>
TODO: More research needed to understand exact interaction: when precisely is this file consulted?
<br/><br/>
If a program consults <tt>/etc/login.defs</tt> and also another PAM module
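Review bot: The change from `PASS_MIN_LEN=12` to `PASS_MIN_LEN 12` is the right fix, since shadow-utils reads login.defs as "KEY VALUE" (first whitespace-delimited token is the key), so the `=` form was parsed as an unknown key with no value and ignored, leaving the compiled-in default in force. Two things in the same description still need attention: the `TODO: More research needed ...` line ships in user-facing guide text and should be removed or moved into an XML comment; and because `passwd` on RHEL 6 is PAM-enabled, the length actually enforced at password change comes from pam_cracklib's `minlen` in `/etc/pam.d/system-auth`, so the sentence beginning "If a program consults `/etc/login.defs` and also another PAM module" should say plainly that login.defs alone does not guarantee the minimum length. Also, with `<sub idref="var_password_min_len">` commented out the value 12 is hardcoded; if that Value exists, un-comment the sub.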
@@ -107,7 +107,7 @@ behavior that may result.
<description>To specify password minimum age for new accounts,
edit the file <tt>/etc/login.defs</tt>
and add or correct the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_MIN_DAYS=<i>DAYS</i></pre>
+<pre>PASS_MIN_DAYS <i>DAYS</i></pre>
A value of 7 days is considered for sufficient for many
environments.
</description>
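Review bot: The context line "A value of 7 days is considered for sufficient for many environments" has a stray "for" (should read "considered sufficient"); worth fixing while this block is being touched. Since PASS_MIN_DAYS in login.defs only seeds accounts created afterwards (as the description's "for new accounts" says), the description or a neighbouring Rule should also cover existing accounts, e.g. `chage -m DAYS USER`, because a check that only reads login.defs will pass on a system whose existing accounts have a minimum age of 0.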
@@ -147,7 +147,7 @@ the utility of a stolen password.</rationale>
expiration that a warning will be issued to users,
edit the file <tt>/etc/login.defs</tt> and add or correct
the following line:
-<pre>PASS_WARN_AGE=<i>DAYS</i></pre>
+<pre>PASS_WARN_AGE <i>DAYS</i></pre>
A value of 7 days is considered for appropriate for many
environments.
<!-- <sub idref="password_warn_age_login_defs_value" /> -->
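Review bot: Same stray "for" here: "A value of 7 days is considered for appropriate" should read "considered appropriate". The `<sub idref="password_warn_age_login_defs_value" />` on the last line is commented out, so the prose cannot pick up the Value and the `<i>DAYS</i>` placeholder is the only guidance; either enable the sub (with a Value that exists) or drop the dead comment. As with PASS_MIN_DAYS, existing accounts need `chage -W DAYS USER` for the warning period to apply.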
--
1.7.1
11 years, 10 months
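As an added illustration (not part of this patch or of the project's sources), the following POSIX shell audit reads a login.defs file the way shadow-utils does, first whitespace-delimited token as key and the remainder as value, which is what makes the pre-patch `KEY=VALUE` form silently ineffective. The sample files are constructed; the 7-day minimum age and warning period and the 12-character minimum length follow the hunks above, while the 60-day maximum age is an assumed threshold, and the `login_defs_*` function names are mine.

```shell
#!/bin/sh
# Added example: audit /etc/login.defs the way shadow-utils reads it.
# shadow takes the first whitespace-delimited token of a line as the key and
# the rest as the value, so "PASS_MIN_LEN=12" is a key named "PASS_MIN_LEN=12"
# with no value: it is ignored (shadow logs an "unknown item" warning) and the
# compiled-in default for PASS_MIN_LEN stays in force.

# login_defs_get FILE KEY -> prints the effective value of KEY (the last
# definition wins, as in shadow), or nothing if KEY is not set.
login_defs_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }       # comment line
        NF < 2           { next }       # blank line, or a key without a value
        $1 == key        { val = $2 }   # a later definition overrides an earlier one
        END              { if (val != "") print val }
    ' "$1"
}

# login_defs_malformed FILE -> prints every key containing "=", i.e. lines
# written as KEY=VALUE that shadow will silently ignore.
login_defs_malformed() {
    awk '/^[[:space:]]*#/ { next }
         NF >= 1 && index($1, "=") > 0 { print $1 }' "$1"
}

# login_defs_require FILE KEY OP LIMIT -> 0 if KEY has a value and
# "value OP LIMIT" holds (OP is a test(1) operator such as -ge or -le), else 1.
login_defs_require() {
    v=$(login_defs_get "$1" "$2")
    [ -n "$v" ] && [ "$v" "$3" "$4" ]
}

# login_defs_audit FILE -> prints one FAIL line per finding; returns 1 if any.
# Thresholds: 7-day minimum age and warning period and 12-character minimum
# length from the patch above; the 60-day maximum age is an assumed value.
login_defs_audit() {
    rc=0
    for bad in $(login_defs_malformed "$1"); do
        echo "FAIL: '$bad' is read as a key with no value and ignored; write it as 'KEY VALUE'"
        rc=1
    done
    login_defs_require "$1" PASS_MAX_DAYS -le 60 || { echo "FAIL: PASS_MAX_DAYS missing or > 60"; rc=1; }
    login_defs_require "$1" PASS_MIN_DAYS -ge 7  || { echo "FAIL: PASS_MIN_DAYS missing or < 7";  rc=1; }
    login_defs_require "$1" PASS_WARN_AGE -ge 7  || { echo "FAIL: PASS_WARN_AGE missing or < 7";  rc=1; }
    login_defs_require "$1" PASS_MIN_LEN  -ge 12 || { echo "FAIL: PASS_MIN_LEN missing or < 12";  rc=1; }
    return $rc
}

# Constructed sample login.defs (not a real system file): correct entries plus
# the pre-patch "PASS_MIN_LEN=12" form.
SAMPLE=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
cat > "$SAMPLE" <<'EOF'
# Password aging controls
PASS_MAX_DAYS   60
PASS_MIN_DAYS   7
PASS_WARN_AGE   7
PASS_MIN_LEN=12
EOF
# The same file with the line written as the patch now documents it.
sed 's/^PASS_MIN_LEN=12$/PASS_MIN_LEN 12/' "$SAMPLE" > "$FIXED"

echo "== before patch syntax =="
login_defs_audit "$SAMPLE" || echo "(audit failed, as expected)"
echo "== after patch syntax =="
login_defs_audit "$FIXED" && echo "PASS: all login.defs settings in effect"
```

Run it as-is to see the `=` form reported twice: once as a malformed key and once as a missing PASS_MIN_LEN, which is exactly the silent failure the patch removes. Point `login_defs_audit` at a real `/etc/login.defs` to audit a host.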
[PATCH] Update bootloader password to use --encrypted instead of --md5
by Joe Nall
In https://access.redhat.com/knowledge/solutions/68828
Red Hat says:
Select a password and then generate a hash from it by running:
# grub-crypt --sha-512
Insert the following line into /etc/grub.conf immediately after the header comments. (Use the output from grub-crypt as the value of password-hash)
password --encrypted password-hash
It should look like below.
default=0
timeout=5
password --encrypted password-hash
splashimage=(hd0,0)/grub/splash.xpm.gz
Verify the permissions on /etc/grub.conf (which is a symlink to ../boot/grub/grub.conf):
# chown root:root /etc/grub.conf
# chmod 600 /etc/grub.conf
grub-crypt utility is now shipped with three types of password encryption.
--md5 Use MD5 to encrypt the password
--sha-256 Use SHA-256 to encrypt the password
--sha-512 Use SHA-512 to encrypt the password (default)
Signed-off-by: Joe Nall <joe(a)nall.com>
---
rhel6/src/input/checks/bootloader_password.xml | 2 +-
rhel6/src/input/system/accounts/physical.xml | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rhel6/src/input/checks/bootloader_password.xml b/rhel6/src/input/checks/bootloader_password.xml
index 8074097..ceff1b7 100644
--- a/rhel6/src/input/checks/bootloader_password.xml
+++ b/rhel6/src/input/checks/bootloader_password.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_bootloader_password" version="1">
<ind:path>/etc</ind:path>
<ind:filename>grub.conf</ind:filename>
- <ind:pattern operation="pattern match">password[\s]+--md5[\s]+.*</ind:pattern>
+ <ind:pattern operation="pattern match">password[\s]+--encrypted[\s]+.*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
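Review bot: The new pattern `password[\s]+--encrypted[\s]+.*` is not anchored to the start of a line, so a commented-out `#password --encrypted ...` still satisfies the check, and the trailing `.*` accepts any value after `--encrypted`, including an MD5-crypt `$1$` hash, so the check does not verify the SHA-512 hash the description now instructs. Suggest `^[\s]*password[\s]+--encrypted[\s]+\$6\$.*` (textfilecontent54 matches per line by default) so that only an active line carrying a `$6$` crypt hash passes.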
diff --git a/rhel6/src/input/system/accounts/physical.xml b/rhel6/src/input/system/accounts/physical.xml
index 5c3a488..a8db13b 100644
--- a/rhel6/src/input/system/accounts/physical.xml
+++ b/rhel6/src/input/system/accounts/physical.xml
@@ -70,11 +70,11 @@ this file.
<description>The grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running:
-<pre># grub-md5-crypt</pre>
+<pre># grub-crypt --sha-512</pre>
Insert the following line into <tt>/etc/grub.conf</tt> immediately
-after the header comments. (Use the output from <tt>grub-md5-crypt</tt> as the
+after the header comments. (Use the output from <tt>grub-crypt</tt> as the
value of <b>password-hash</b>):
-<pre>password --md5 <b>password-hash</b></pre>
+<pre>password --encrypted <b>password-hash</b></pre>
</description>
<rationale>
Password protection on the boot loader configuration ensures that
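Review bot: The updated description stops after inserting the `password --encrypted` line, whereas the Red Hat article quoted in the commit message also has the reader run `chown root:root /etc/grub.conf` and `chmod 600 /etc/grub.conf`; unless a separate Rule covers grub.conf permissions, add those two commands here, since a world-readable config hands the hash to any local user for offline cracking. It would also help to state that `grub-crypt --sha-512` output begins with `$6$`, giving the reader a quick way to confirm the hash was not generated with `--md5`.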
--
1.7.1
11 years, 10 months
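Added example, not part of the patch or of the Red Hat article quoted in the commit message: a POSIX shell audit of the grub.conf password line and file permissions as that message describes them. It assumes GNU stat(1) for the permission check; the grub.conf samples and their hash values are constructed placeholders, and the `grub_*` function names are mine.

```shell
#!/bin/sh
# Added example: audit the GRUB legacy password line the way the description
# and the Red Hat article above describe it. grub-crypt --sha-512 emits a
# crypt(3) hash beginning with "$6$"; "$5$" is SHA-256 and "$1$" is MD5-crypt,
# so the prefix is enough to tell whether the SHA-512 instruction was followed.

# grub_password_check FILE -> 0 if FILE has an active (uncommented)
# "password --encrypted" line carrying a SHA-512 hash; 1 otherwise, with a reason.
grub_password_check() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]' "$1"; then
        echo "FAIL: $1 still uses 'password --md5'; regenerate with grub-crypt --sha-512"
        return 1
    fi
    # Anchor at line start so a commented-out "#password --encrypted ..." does not count.
    hash=$(grep -E '^[[:space:]]*password[[:space:]]+--encrypted[[:space:]]+' "$1" \
           | head -n 1 | awk '{ print $3 }')
    case "$hash" in
        '')      echo "FAIL: no active 'password --encrypted' line in $1"; return 1 ;;
        '$6$'*)  echo "PASS: $1 uses a SHA-512 crypt hash"; return 0 ;;
        '$5$'*)  echo "FAIL: hash in $1 is SHA-256 (\$5\$), not SHA-512"; return 1 ;;
        '$1$'*)  echo "FAIL: hash in $1 is MD5-crypt (\$1\$), not SHA-512"; return 1 ;;
        *)       echo "FAIL: value after --encrypted in $1 is not a crypt(3) hash"; return 1 ;;
    esac
}

# grub_conf_perms_ok FILE [OWNER] -> 0 if FILE (following the /etc/grub.conf
# symlink) is mode 0600 and owned by OWNER, default root. Assumes GNU stat(1).
grub_conf_perms_ok() {
    owner=${2:-root}
    mode=$(stat -L -c '%a' "$1") || return 1
    user=$(stat -L -c '%U' "$1") || return 1
    [ "$mode" = "600" ] && [ "$user" = "$owner" ]
}

# Constructed grub.conf samples (hash values are placeholders, not real hashes).
GOOD=$(mktemp); OLD=$(mktemp); COMMENTED=$(mktemp)
trap 'rm -f "$GOOD" "$OLD" "$COMMENTED"' EXIT
cat > "$GOOD" <<'EOF'
# grub.conf generated by anaconda
default=0
timeout=5
password --encrypted $6$placeholdersalt$placeholderhashplaceholderhash
splashimage=(hd0,0)/grub/splash.xpm.gz
EOF
cat > "$OLD" <<'EOF'
default=0
timeout=5
password --md5 $1$placeholder$placeholderhash
EOF
cat > "$COMMENTED" <<'EOF'
default=0
timeout=5
#password --encrypted $6$placeholdersalt$placeholderhashplaceholderhash
EOF

# mktemp creates the samples mode 0600 owned by the caller, so the permission
# check is run against the current user here; on a real host use root.
for f in "$GOOD" "$OLD" "$COMMENTED"; do
    if grub_password_check "$f" && grub_conf_perms_ok "$f" "$(id -un)"; then
        echo "OK: $f"
    else
        echo "NOT OK: $f (see FAIL above, or mode/owner is not 0600/$(id -un))"
    fi
done
```

On a RHEL 6 host, `grub_password_check /etc/grub.conf && grub_conf_perms_ok /etc/grub.conf` is the whole audit; the commented-out sample shows why the line-start anchor matters, since an unanchored pattern would accept it.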
[PATCH 0/3] overhaul of auditing section
by Jeffrey Blank
Added support for Values, tested checks, updated Rules.
Jeffrey Blank (3):
significant overhaul and QA of auditing section
updates to Profiles to support auditing Rules * also removal of
some Rules which don't belong in common Profile
significant overhaul of OVAL checks for auditing * support for
Values * consistent naming (which may yet be made more concise
in the future) * actually tested the checks
.../auditd_data_retention_action_mail_acct.xml | 36 ++
.../auditd_data_retention_admin_space_left.xml | 30 --
...ditd_data_retention_admin_space_left_action.xml | 36 ++
.../checks/auditd_data_retention_mail_acct.xml | 30 --
.../input/checks/auditd_data_retention_max_log.xml | 30 --
.../checks/auditd_data_retention_max_log_file.xml | 28 +-
.../auditd_data_retention_max_log_file_action.xml | 36 ++
.../checks/auditd_data_retention_num_logs.xml | 36 ++
.../checks/auditd_data_retention_space_left.xml | 30 --
.../auditd_data_retention_space_left_action.xml | 36 ++
rhel6/src/input/profiles/common.xml | 22 +-
rhel6/src/input/profiles/test.xml | 20 +-
rhel6/src/input/system/auditing.xml | 362 ++++++++++++++------
13 files changed, 494 insertions(+), 238 deletions(-)
create mode 100644 rhel6/src/input/checks/auditd_data_retention_action_mail_acct.xml
delete mode 100644 rhel6/src/input/checks/auditd_data_retention_admin_space_left.xml
create mode 100644 rhel6/src/input/checks/auditd_data_retention_admin_space_left_action.xml
delete mode 100644 rhel6/src/input/checks/auditd_data_retention_mail_acct.xml
delete mode 100644 rhel6/src/input/checks/auditd_data_retention_max_log.xml
create mode 100644 rhel6/src/input/checks/auditd_data_retention_max_log_file_action.xml
create mode 100644 rhel6/src/input/checks/auditd_data_retention_num_logs.xml
delete mode 100644 rhel6/src/input/checks/auditd_data_retention_space_left.xml
create mode 100644 rhel6/src/input/checks/auditd_data_retention_space_left_action.xml
11 years, 10 months
[PATCH 0/2] reworked text in base services
by Jeffrey Blank
This means that a rationale, as well as consistent prose, exists for this section.
This also meant moving some Rules into appropriate sections (which is the second commit).
Next, I will be reviewing the audit section for prose consistency and also supporting
Values for those items which have variable settings.
Jeffrey Blank (2):
added rationale to base services guidance * moved some service
discussion elsewhere
moved/merged discussion of some services out of base services into
relevant sections
rhel6/src/input/services/base.xml | 516 ++++++++++++---------------
rhel6/src/input/services/cron.xml | 13 +-
rhel6/src/input/services/mail.xml | 17 +
rhel6/src/input/services/ntp.xml | 45 ++-
rhel6/src/input/system/logging.xml | 23 +-
rhel6/src/input/system/network/iptables.xml | 22 +-
rhel6/src/input/system/network/wireless.xml | 52 +++-
rhel6/src/input/system/selinux.xml | 21 ++
8 files changed, 368 insertions(+), 341 deletions(-)
11 years, 10 months