SSG Workbook updated
by Shawn Wells
Based off feedback from the 26-JUNE event, I've updated the workbook to
fix numerous command-line syntax bugs.
New version on the wiki:
https://fedorahosted.org/scap-security-guide/
Reference the "See a workbook...." bullet. Those familiar with the v1
will notice few content changes, except copy/pasting the command-line
examples should work without issue.
Thanks to everyone who gave feedback, and for putting up with the wifi
at the hotel!
Bug in pam_faillock.so Section
by Maura Dailey
The guidance given in the pam_faillock.so section is probably wrong and
misleading.
"Set Deny For Failed Password Attempts" says to insert the two lines
after the pam_unix.so auth line. However, "Set Lockout Time for Failed
Password Attempts" and "Set Interval For Counting Failed Password
Attempts" say to insert the same two lines after the pam_env.so line.
Not only is this a contradiction, it implies that the same two lines
must be added over and over again.
The STIG has the same problem, except the STIG refers to
/etc/pam.d/system-auth-ac while our guide refers to /etc/pam.d/system-auth.
Red Hat's guidance shows four faillock lines, one after pam_env.so, two
after pam_unix.so, and one at the beginning of account:
https://access.redhat.com/site/solutions/62949
The Red Hat solution also suggests editing /etc/pam.d/password-auth in
addition to /etc/pam.d/system-auth.
Has anyone actually tested this guidance? I've made my own attempts on
our own RHEL network with only moderate success.
- Maura Dailey
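
A placement check for the four-line layout the post above attributes to Red Hat's guidance, as an added example that is not part of the original post or of the SCAP Security Guide. The sample stack is constructed; its control flags, the `preauth`/`authfail`/`authsucc` arguments and the option values are assumptions, and `check_faillock` is a hypothetical helper name.

```python
import re

# Constructed sample stack in the layout the post describes; the control flags,
# preauth/authfail/authsucc arguments and option values are assumptions.
SAMPLE = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""

LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, module, args) tuples; comments and blank lines do not match."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rows.append((m.group(1), m.group(3).split("/")[-1], m.group(4).split()))
    return rows

def check_faillock(text):
    """Return a list of findings; an empty list means the layout matches."""
    rows = parse(text)
    auth = [(mod, args) for t, mod, args in rows if t == "auth"]
    mods = [mod for mod, _ in auth]
    fl = [(i, a) for i, (m, a) in enumerate(auth) if m == "pam_faillock.so"]
    findings = []
    if len(fl) != 3:
        findings.append(f"expected 3 auth faillock lines, found {len(fl)}")
    if "pam_env.so" in mods and "pam_unix.so" in mods:
        env, unix = mods.index("pam_env.so"), mods.index("pam_unix.so")
        if sum(env < i < unix for i, _ in fl) != 1:
            findings.append("expected 1 faillock line between pam_env.so and pam_unix.so")
        if sum(i > unix for i, _ in fl) != 2:
            findings.append("expected 2 faillock lines after pam_unix.so")
    else:
        findings.append("pam_env.so or pam_unix.so missing from auth stack")
    acct = [mod for t, mod, _ in rows if t == "account"]
    if acct[:1] != ["pam_faillock.so"]:
        findings.append("pam_faillock.so is not the first account line")
    if len({tuple(sorted(x for x in a if "=" in x)) for _, a in fl}) > 1:
        findings.append("faillock lines disagree on their key=value options")
    return findings
```

Run it over the contents of both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since the post notes that the Red Hat solution edits both files.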