Added the checks for faillock unlock_time and fail_interval as there was only the check for faillock deny.
small change for the comment dealing with faillock deny default NOT being 5, but 3
Fixed (in my mind) a typo in RHEL6/input/system/accounts/pam.xml where the oval id for rule deny_password_attempts_fail_interval from accounts_passwords_pam_fail_interval to accounts_passwords_pam_faillock_fail_interval. This matches the oval id's for accounts_passwords_pam_faillock_deny and accounts_passwords_pam_faillock_unlock_time
Brian Millett (2): Added the checks for accounts_passwords_pam_fail_interval and accounts_passwords_pam_faillock_unlock_time as there was only the check for accounts_passwords_pam_faillock_deny Fixed the oval id from accounts_passwords_pam_fail_interval to accounts_passwords_pam_faillock_fail_interval to be consistant.
.../accounts_passwords_pam_fail_interval.xml | 49 ++++++++++++++++++++++ .../accounts_passwords_pam_faillock_deny.xml | 4 +- ...accounts_passwords_pam_faillock_unlock_time.xml | 49 ++++++++++++++++++++++ RHEL6/input/system/accounts/pam.xml | 2 +- 4 files changed, 101 insertions(+), 3 deletions(-) create mode 100644 RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
Signed-off-by: Brian Millett bmillett@gmail.com --- .../accounts_passwords_pam_fail_interval.xml | 49 ++++++++++++++++++++++ ...accounts_passwords_pam_faillock_unlock_time.xml | 49 ++++++++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
diff --git a/RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml b/RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
new file mode 100644
index 0000000..59d29a1
--- /dev/null
+++ b/RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
@@ -0,0 +1,49 @@
+<def-group>
+ <definition class="compliance" id="accounts_passwords_pam_faillock_fail_interval" version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The number of allowed failed logins should be set correctly.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="default is set to 900" test_ref="test_accounts_passwords_pam_faillock_fail_interval_system-auth" />
+ <criterion comment="default is set to 900" test_ref="test_accounts_passwords_pam_faillock_fail_interval_password-auth" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth" id="test_accounts_passwords_pam_faillock_fail_interval_system-auth" version="1">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_fail_interval_system-auth" />
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_fail_interval_system-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/password-auth" id="test_accounts_passwords_pam_faillock_fail_interval_password-auth" version="1">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_fail_interval_password-auth" />
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_fail_interval_password-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_fail_interval_system-auth" version="1">
+ ind:path/etc/pam.d</ind:path>
+ ind:filenamesystem-auth</ind:filename>
+ <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required))\s+pam_faillock.so.*fail_interval=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_fail_interval_password-auth" version="1">
+ ind:path/etc/pam.d</ind:path>
+ ind:filenamepassword-auth</ind:filename>
+ <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:[default=die]))\s+pam_faillock.so.*fail_interval=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_fail_interval_system-auth" version="1">
+ <ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_fail_interval" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_fail_interval_password-auth" version="1">
+ <ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_fail_interval" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed" datatype="int" id="var_accounts_passwords_pam_faillock_fail_interval" version="1" />
+</def-group>
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml b/RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
new file mode 100644
index 0000000..118489a
--- /dev/null
+++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
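Review bot: The password-auth pattern on `object_accounts_passwords_pam_faillock_fail_interval_password-auth` writes `(?:[default=die])`, which a regex engine reads as a character class matching one character from the set `d e f a u l t = i`, not the literal control token `[default=die]`; a real `auth [default=die] pam_faillock.so ...` line therefore never matches, and with check_existence="all_exist" the test reports the rule as failing regardless of how the host is configured. Escape the brackets: `^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock.so.*fail_interval=([0-9]*).*$` (the same pattern appears in the unlock_time hunk below and needs the same fix). Separately, the title, description, both test comments and the external_variable comment are carried over unchanged from the deny check and still describe a count of "failed login attempts", while this definition measures fail_interval in seconds; I'd reword them, e.g. `comment="interval in seconds during which failed attempts are counted"` on the external_variable, and likewise for the unlock_time file. Lastly, the file is named accounts_passwords_pam_fail_interval.xml while the definition id inside is accounts_passwords_pam_faillock_fail_interval; if the build resolves OVAL checks by file basename that mismatch will break the lookup, so it is worth confirming against the other checks directory entries.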
@@ -0,0 +1,49 @@
+<def-group>
+ <definition class="compliance" id="accounts_passwords_pam_faillock_unlock_time" version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The number of allowed failed logins should be set correctly.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="default is set to 604800" test_ref="test_accounts_passwords_pam_faillock_unlock_time_system-auth" />
+ <criterion comment="default is set to 604800" test_ref="test_accounts_passwords_pam_faillock_unlock_time_password-auth" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth" id="test_accounts_passwords_pam_faillock_unlock_time_system-auth" version="1">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_system-auth" />
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_system-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/password-auth" id="test_accounts_passwords_pam_faillock_unlock_time_password-auth" version="1">
+ <ind:object object_ref="object_accounts_passwords_pam_faillock_unlock_time_password-auth" />
+ <ind:state state_ref="state_accounts_passwords_pam_faillock_unlock_time_password-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_unlock_time_system-auth" version="1">
+ ind:path/etc/pam.d</ind:path>
+ ind:filenamesystem-auth</ind:filename>
+ <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required))\s+pam_faillock.so.*unlock_time=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_unlock_time_password-auth" version="1">
+ ind:path/etc/pam.d</ind:path>
+ ind:filenamepassword-auth</ind:filename>
+ <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:[default=die]))\s+pam_faillock.so.*unlock_time=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_unlock_time_system-auth" version="1">
+ <ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_unlock_time" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_unlock_time_password-auth" version="1">
+ <ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_unlock_time" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed" datatype="int" id="var_accounts_passwords_pam_faillock_unlock_time" version="1" />
+</def-group>
Signed-off-by: Brian Millett bmillett@gmail.com --- RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml | 4 ++-- RHEL6/input/system/accounts/pam.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml index 79dedfa..78ea42e 100644 --- a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml +++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml @@ -8,8 +8,8 @@ <description>The number of allowed failed logins should be set correctly.</description> </metadata> <criteria> - <criterion comment="default is set to 5" test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" /> - <criterion comment="default is set to 5" test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" /> + <criterion comment="default is set to 3" test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" /> + <criterion comment="default is set to 3" test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" /> </criteria> </definition>
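Review bot: The two criterion comments still hard-code a number (`comment="default is set to 3"`), which is exactly what just drifted from 5 to 3; nothing in this file enforces that number, since the value actually compared at scan time is whatever the external variable is bound to (presumably var_accounts_passwords_pam_faillock_deny, as in the sibling fail_interval check, though the state element is outside this hunk). A comment that names the variable instead of the number cannot go stale again, e.g. `comment="deny value must equal var_accounts_passwords_pam_faillock_deny"` on both criterion lines. The `<definition>` element these lines belong to starts before the hunk.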
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index f754743..a62d25a 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -485,7 +485,7 @@ Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks. </rationale> <ident cce="27215-3" /> -<oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/> +<oval id="accounts_passwords_pam_faillock_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/> <ref nist="AC-7(a)" disa="1452" /> </Rule>
scap-security-guide@lists.fedorahosted.org