Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
.../accounts_passwords_pam_faillock_deny.xml | 50 ++++++++++++++++++++
1 files changed, 50 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
new file mode 100644
index 0000000..ee594ff
--- /dev/null
+++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
@@ -0,0 +1,50 @@
+<def-group>
+ <definition class="compliance"
id="accounts_passwords_pam_faillock_deny" version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="TODO" source="CCE" />
+ <description>The number of allowed failed logins should be set
correctly.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="default is set to 5"
test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" />
+ <criterion comment="default is set to 5"
test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/system-auth"
id="test_accounts_passwords_pam_faillock_deny_system-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_system-auth" />
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_system-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/password-auth"
id="test_accounts_passwords_pam_faillock_deny_password-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_password-auth" />
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_password-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_system-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_password-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>password-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_system-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_password-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed"
datatype="int" id="var_accounts_passwords_pam_faillock_deny"
version="1" />
+</def-group>
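Review bot: The two ind:pattern elements accept different control flags for the same module — the system-auth object only matches `required`, while the password-auth object matches `sufficient` or `[default=die]` — so an identical pam_faillock line can match in one file and go unmatched (and therefore fail via `check_existence="all_exist"`) in the other; unless the two files are deliberately configured differently, both patterns should accept the same set of alternatives. `deny=([0-9]*)` also matches a bare `deny=` with an empty capture, which the `datatype="int"` comparison in the state cannot evaluate meaningfully; use `deny=([0-9]+)` in both objects so a missing value is reported as a non-matching object rather than a comparison error. The doubly nested non-capturing groups `(?:(?:required))` add nothing and can be written as `required`. The CCE reference is still `ref_id="TODO"` and should be filled in or removed before merge. Consider whether `operation="equals"` on the state is intended: a stricter local setting (a deny value lower than the variable) fails the check as written, whereas `less than or equal` would accept it.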
--
1.7.7.6