Excellent, please push.
On 05/21/2013 01:36 PM, Maura Dailey wrote:
Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
---
RHEL6/input/checks/display_login_attempts.xml | 25 +++++++++++++++++++++++++
RHEL6/input/system/accounts/pam.xml | 2 +-
2 files changed, 26 insertions(+), 1 deletions(-)
create mode 100644 RHEL6/input/checks/display_login_attempts.xml
diff --git a/RHEL6/input/checks/display_login_attempts.xml
b/RHEL6/input/checks/display_login_attempts.xml
new file mode 100644
index 0000000..a4a3143
--- /dev/null
+++ b/RHEL6/input/checks/display_login_attempts.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="display_login_attempts"
version="1">
+ <metadata>
+ <title>Set Last Logon/Access Notification</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Configure the system to notify users of last logon/access using
pam_lastlog.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions for pam_lastlog are satisfied"
test_ref="test_display_login_attempts" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check the
configuration of /etc/pam.d/system-auth" id="test_display_login_attempts"
version="1">
+ <ind:object object_ref="obj_display_login_attempts" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_display_login_attempts"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+showfailed</ind:pattern>
+ <ind:instance datatype="int"
operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
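Review bot: The `ind:pattern` in `obj_display_login_attempts` is looser than the PAM line it is meant to recognise, which risks a false pass on a compliance check. The control field `(required|requisite)?` is optional, the dot in `pam_lastlog.so` is unescaped, and `[\s\w\d\=]+` contains `\s`, which may let the match run onto following lines if the scanner applies the pattern to the whole file rather than line by line. A tighter form would be `^[ \t]*session[ \t]+(required|requisite)[ \t]+pam_lastlog\.so[ \t]+([\w=]+[ \t]+)*showfailed([ \t]|$)`. The class also accepts a `silent` argument on the same line; pam_lastlog documents that option as suppressing the previous-login message, so it is worth confirming whether the check should reject it. The object reads only `/etc/pam.d/system-auth`, so a service whose PAM stack does not include that file is not covered by this result.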
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index ee18189..98dd568 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -75,7 +75,7 @@ allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</rationale>
<ident cce="27291-4" />
-<oval id="TODO" />
+<oval id="display_login_attempts" />
<ref disa="53" />
</Rule>