Added the checks for faillock unlock_time and fail_interval as there was only the
check for faillock deny.
Small change to the comment dealing with the faillock deny default NOT being 5, but 3.
Fixed (in my mind) a typo in RHEL6/input/system/accounts/pam.xml where the oval id for
rule deny_password_attempts_fail_interval is changed from accounts_passwords_pam_fail_interval to
accounts_passwords_pam_faillock_fail_interval. This matches the oval ids for
accounts_passwords_pam_faillock_deny and accounts_passwords_pam_faillock_unlock_time.
Brian Millett (2):
Added the checks for accounts_passwords_pam_fail_interval and
accounts_passwords_pam_faillock_unlock_time as there was only the
check for accounts_passwords_pam_faillock_deny
Fixed the oval id from accounts_passwords_pam_fail_interval to
accounts_passwords_pam_faillock_fail_interval to be consistent.
.../accounts_passwords_pam_fail_interval.xml | 49 ++++++++++++++++++++++
.../accounts_passwords_pam_faillock_deny.xml | 4 +-
...accounts_passwords_pam_faillock_unlock_time.xml | 49 ++++++++++++++++++++++
RHEL6/input/system/accounts/pam.xml | 2 +-
4 files changed, 101 insertions(+), 3 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
--
1.8.2.1
Signed-off-by: Brian Millett <bmillett(a)gmail.com>
---
.../accounts_passwords_pam_fail_interval.xml | 49 ++++++++++++++++++++++
...accounts_passwords_pam_faillock_unlock_time.xml | 49 ++++++++++++++++++++++
2 files changed, 98 insertions(+)
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
diff --git a/RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
b/RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
new file mode 100644
index 0000000..59d29a1
--- /dev/null
+++ b/RHEL6/input/checks/accounts_passwords_pam_fail_interval.xml
@@ -0,0 +1,49 @@
+<def-group>
+ <definition class="compliance"
id="accounts_passwords_pam_faillock_fail_interval" version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The number of allowed failed logins should be set
correctly.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="default is set to 900"
test_ref="test_accounts_passwords_pam_faillock_fail_interval_system-auth" />
+ <criterion comment="default is set to 900"
test_ref="test_accounts_passwords_pam_faillock_fail_interval_password-auth"
/>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/system-auth"
id="test_accounts_passwords_pam_faillock_fail_interval_system-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_fail_interval_system-auth"
/>
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_fail_interval_system-auth"
/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/password-auth"
id="test_accounts_passwords_pam_faillock_fail_interval_password-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_fail_interval_password-auth"
/>
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_fail_interval_password-auth"
/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_fail_interval_system-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so.*fail_interval=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_fail_interval_password-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>password-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so.*fail_interval=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_fail_interval_system-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_fail_interval" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_fail_interval_password-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_fail_interval" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed"
datatype="int" id="var_accounts_passwords_pam_faillock_fail_interval"
version="1" />
+</def-group>
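Review bot: The metadata and comments in this new check still describe the deny threshold rather than the interval: the title, the description, both textfilecontent54_test comments ("check maximum failed login attempts allowed") and the external_variable comment ("number of failed login attempts allowed") all talk about a count of failed logins, while the object actually extracts the `fail_interval=` value, which pam_faillock reads in seconds. Suggest `<title>Set the interval for counting failed login attempts</title>`, a description along the lines of "The interval, in seconds, during which consecutive failed logins are counted should be set correctly", and `comment="interval in seconds over which failed logins are counted"` on the external_variable. Two smaller points apply to both object patterns here and to the unlock_time hunk below: `([0-9]*)` also matches an empty value after `fail_interval=`, which then cannot be compared as an int subexpression, so `([0-9]+)` is safer; and `operation="equals"` in the states fails a host that is configured more strictly than the variable (for example a longer interval), so consider whether `greater than or equal` better expresses the policy intent. The file is named accounts_passwords_pam_fail_interval.xml while its definition id carries `faillock`, which the commit message says is the intended spelling; if the build derives or cross-checks ids from file names this will not line up, so renaming the file to match is worth doing in the same change.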
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
b/RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
new file mode 100644
index 0000000..118489a
--- /dev/null
+++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_unlock_time.xml
@@ -0,0 +1,49 @@
+<def-group>
+ <definition class="compliance"
id="accounts_passwords_pam_faillock_unlock_time" version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The number of allowed failed logins should be set
correctly.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="default is set to 604800"
test_ref="test_accounts_passwords_pam_faillock_unlock_time_system-auth" />
+ <criterion comment="default is set to 604800"
test_ref="test_accounts_passwords_pam_faillock_unlock_time_password-auth" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/system-auth"
id="test_accounts_passwords_pam_faillock_unlock_time_system-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_unlock_time_system-auth"
/>
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_unlock_time_system-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/password-auth"
id="test_accounts_passwords_pam_faillock_unlock_time_password-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_unlock_time_password-auth"
/>
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_unlock_time_password-auth"
/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_unlock_time_system-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so.*unlock_time=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_unlock_time_password-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>password-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so.*unlock_time=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_unlock_time_system-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_unlock_time" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_unlock_time_password-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_unlock_time" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed"
datatype="int" id="var_accounts_passwords_pam_faillock_unlock_time"
version="1" />
+</def-group>
--
1.8.2.1
Signed-off-by: Brian Millett <bmillett(a)gmail.com>
---
RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml | 4 ++--
RHEL6/input/system/accounts/pam.xml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
index 79dedfa..78ea42e 100644
--- a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
+++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
@@ -8,8 +8,8 @@
<description>The number of allowed failed logins should be set
correctly.</description>
</metadata>
<criteria>
- <criterion comment="default is set to 5"
test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" />
- <criterion comment="default is set to 5"
test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" />
+ <criterion comment="default is set to 3"
test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" />
+ <criterion comment="default is set to 3"
test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" />
</criteria>
</definition>
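Review bot: The two criterion comments now hard-code the variable's default (`default is set to 3`), which is exactly the kind of value that drifts: this commit is itself a correction of the previously hard-coded 5. Since the threshold is supplied by the external variable the states reference, a comment that does not restate the number, for example `comment="deny value must match the external variable"`, stays true when the default changes again. The enclosing definition element starts before this hunk.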
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index f754743..a62d25a 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -485,7 +485,7 @@ Locking out user accounts after a number of incorrect attempts within
a
specific period of time prevents direct password guessing attacks.
</rationale>
<ident cce="27215-3" />
-<oval id="accounts_passwords_pam_fail_interval"
value="var_accounts_passwords_pam_faillock_fail_interval"/>
+<oval id="accounts_passwords_pam_faillock_fail_interval"
value="var_accounts_passwords_pam_faillock_fail_interval"/>
<ref nist="AC-7(a)" disa="1452" />
</Rule>
--
1.8.2.1