Jeff,
Successfully pulled and merged the new content. I made the changes you
requested.
-Willy
Willy Santos, RHCE
Consultant
Red Hat Consulting
Cell: +1 (301) 254-7077
Email: wsantos(a)redhat.com
On 06/29/2012 02:07 PM, Jeffrey Blank wrote:
I just pushed with modification.
Willy may want to update mappings to some combination of CCIs 15, 16,
and 17 for some combinations of this new Group (account_expiration) and
Rule (account_disable_post_pw_expiration).
(And perhaps remove the "new rule needed" ref to CCI 17, and correct the
closing-tag comments for the Groups in srg_support.xml).
I figure it's easier to ask than to cross commits mid-stream...
Thanks!
On 06/28/2012 12:27 PM, Shawn Wells wrote:
> Ack
>
> --
> Shawn Wells
> Technical Director,
> U.S. Intelligence Programs
> (e) shawn(a)redhat.com
> (c) 443-534-0130
>
> On Jun 28, 2012, at 9:38 AM, Jeffrey Blank <blank(a)eclipse.ncsc.mil> wrote:
>
>> We want to have them edit this text file since we want the setting to
>> apply to ALL accounts by default when they are created.
>>
>> Running chage on one account just sets it for that one account at that time.
>>
>> That said, I can amend my commit prior to push to mention the existence
>> of chage in the enclosing <Group>, so that the information is there.
>>
>> Sound good?
>>
>>
>>
>> On 06/27/2012 06:45 PM, Shawn Wells wrote:
>>> On 6/27/12 6:35 PM, Jeffrey Blank wrote:
>>>> +<Rule id="account_disable_post_pw_expiration">
>>>> +<title>Set Account Expiration Following Inactivity</title>
>>>> +<description>To specify the number of days after a password
expires
>>>> +(which signifies inactivity) until an
>>>> +account is permanently disabled, edit the file
>>>> <tt>/etc/defaults/useradd</tt>
>>>> +and add or correct the following lines, substituting
>>>> <tt><i>NUM_DAYS</i></tt> appropriately:
>>>> +<pre>INACTIVE=<i>NUM_DAYS</i></pre>
>>>> +A value of 35 is recommended. If a password is currently on the
>>>> +verge of expiration, then 35 days remain until the account is
>>>> automatically
>>>> +disabled. However, if the password will not expire for another 60
>>>> days, then 95
>>>> +days could elapse until the account would be automatically disabled.
>>>> See the
>>>> +<tt>useradd</tt> man page for more information. Determining
the
>>>> inactivity
>>>> +timeout must be done with careful consideration of the length of a
>>>> "normal"
>>>> +period of inactivity for users in the particular environment. Setting
>>>> +the timeout too low incurs support costs and also has the potential
>>>> to impact
>>>> +availability of the system to legitimate users.
>>>> +</description>
>>>> +<rationale>
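Review bot: the file path in the description, <tt>/etc/defaults/useradd</tt>, has a stray "s"; useradd reads its INACTIVE= default from /etc/default/useradd, and a reader following the text literally would create an unused file. It would also help to state in the description that the INACTIVE= default only applies to accounts created after the edit, so that existing accounts still need per-account adjustment with chage -I (the point raised in the reply), otherwise the rule reads as if the file edit were retroactive.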
>>> nitpick. kinda.
>>>
>>> do we want to have them edit text files, or just issue a chage command ala
>>> # chage -I 35 shawn
>>>
>>> ^ that's an uppercase i
>>>
>>> and the idea of using this concept as the definition of 'inactive
>>> account' is novel, I haven't thought of this before!
>>> _______________________________________________
>>> scap-security-guide mailing list
>>> scap-security-guide(a)lists.fedorahosted.org
>>> https://fedorahosted.org/mailman/listinfo/scap-security-guide
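The thread distinguishes the INACTIVE= default in /etc/default/useradd (applies only to accounts created from then on) from chage -I (applies to one existing account). The script below is an added audit example, not code from the thread or from the scap-security-guide project: it checks both the default and the per-account inactivity field (field 7 of /etc/shadow) against a limit such as the 35 days the rule recommends. The useradd and shadow contents it parses are constructed samples embedded in the script; on a real host the same functions would read /etc/default/useradd and /etc/shadow as root.

```shell
#!/bin/sh
# Constructed sample of /etc/default/useradd (not a real system file).
SAMPLE_USERADD='# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes'

# Constructed sample of /etc/shadow; field 7 is the inactivity period in days.
SAMPLE_SHADOW='root:*:15000:0:99999:7:::
alice:$6$xyz:15400:1:90:7:35::
bob:$6$abc:15400:1:90:7:::
carol:$6$def:15400:1:90:7:60::'

# Print the INACTIVE value that useradd will apply to newly created accounts.
# Reads the file content from stdin so it works on the sample and on the real file.
useradd_inactive() {
    sed -n 's/^[[:space:]]*INACTIVE=[[:space:]]*\([-0-9]*\).*/\1/p' | tail -n 1
}

# Return 0 when the value is a non-negative number no larger than the limit.
# An empty value or -1 (useradd's "never disable") fails the check.
inactive_ok() {
    val="$1"; limit="$2"
    case "$val" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$val" -le "$limit" ]
}

# List accounts with a real password hash (not locked with * or !) whose
# inactivity period is unset or larger than the limit given as $1.
# These are the accounts the default does not reach and chage -I would fix.
shadow_noncompliant() {
    awk -F: -v max="$1" '
        $2 == "" || $2 ~ /^[*!]/ { next }
        $7 == "" || $7 + 0 > max  { print $1 }
    '
}

# Demo on the constructed samples; replace the printf pipes with
# "</etc/default/useradd" and "</etc/shadow" on a real host.
default_inactive=$(printf '%s\n' "$SAMPLE_USERADD" | useradd_inactive)
if inactive_ok "$default_inactive" 35; then
    echo "INACTIVE=$default_inactive: new accounts are disabled within 35 days of password expiry"
else
    echo "INACTIVE=${default_inactive:-unset}: new accounts would never be auto-disabled"
fi
echo "Existing accounts needing 'chage -I 35':"
printf '%s\n' "$SAMPLE_SHADOW" | shadow_noncompliant 35
```

On the sample data the default is -1 (never disable), alice already has a 35-day inactivity period, and bob (unset) and carol (60 days) are reported, which matches the thread's point that editing the defaults file alone leaves existing accounts untouched.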