This set of patches is all related to adding value selectors to the
deny_password_attempts rule, based on feedback from DISA FSO.
Willy Santos (4):
Added Value section for login retries and made necessary changes to
the deny_password_attempts to reflect the use of these values.
Created OVAL check accounts_passwords_pam_faillock_deny, for checking
the configured maximum number of failed login attempts the system
will allow before locking the account.
Added <sub> sections to the deny_password_attempts rule for automatic
substitution of correct value depending on profile.
Added <refine-value> for STIG-specific value for failed login
attempts.
.../accounts_passwords_pam_faillock_deny.xml | 50 ++++++++++++++++++++
RHEL6/input/profiles/STIG-server.xml | 2 +
RHEL6/input/system/accounts/pam.xml | 25 +++++++---
3 files changed, 70 insertions(+), 7 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
--
1.7.7.6
Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
RHEL6/input/system/accounts/pam.xml | 19 +++++++++++++++----
1 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index 97193d9..16f0bf3 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -164,6 +164,15 @@ passwords</warning>
<value selector="4">4</value>
<value selector="5">5</value>
</Value>
+<Value id="var_accounts_passwords_pam_faillock_deny"
type="number"
+operator="equals" interactive="0">
+<title>fail_deny</title>
+<description>Number of failed login attempts before account
lockout</description>
+<value selector="">5</value>
+<value selector="3">3</value>
+<value selector="5">5</value>
+<value selector="10">10</value>
+</Value>
<Rule id="password_retry">
<title>Set Password Retry Prompts Permitted Per-session</title>
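Review bot: the new Value's `<title>fail_deny</title>` is the module option name rather than a human-readable title, which is what ends up in generated guide tables; the Value's own `<description>` already carries the readable wording ("Number of failed login attempts before account lockout"), so something like "Maximum Failed Login Attempts Before Lockout" as the title would be consistent with it. The selector set (default and `5` both mapping to 5, plus `3` and `10`) is reasonable, and `operator="equals"` with `interactive="0"` is the right pairing for a value an OVAL state compares with `equals`; just confirm the `type="number"` attribute really is on the `+` line and not an unchanged fragment, since the diff as shown has it unprefixed.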
@@ -298,9 +307,9 @@ attempts using
<tt>pam_faillock.so</tt>,
<br /><br />
Find the following line in <tt>/etc/pam.d/system-auth</tt> and
<tt>/etc/pam.d/password-auth</tt>:
-<pre>auth sufficient pam_unix.so nullok try_first_pass</pre>
+<pre>auth sufficient pam_unix.so try_first_pass</pre>
and then change it so that it reads as follows:
-<pre>auth required pam_unix.so nullok try_first_pass</pre>
+<pre>auth required pam_unix.so try_first_pass</pre>
In the same file, comment out or delete the lines:
<pre>auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so</pre>
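Review bot: dropping `nullok` from both the "find" and "change it to" lines is a substantive change to the hardening advice (pam_unix stops accepting empty passwords), and it is unrelated to the value-selector work the cover letter describes; it belongs in its own commit with its rationale, or at least a sentence in this commit message. As written, a reader following "Find the following line" on a configuration that still carries `nullok` (the form the text showed before) no longer gets an exact match, so if the intent is to remove `nullok` it should be stated as a step rather than silently changed in the example.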
@@ -308,17 +317,19 @@ To enforce password
lockout, add the following to <tt>/etc/pam.d/system-auth</tt> and
<tt>/etc/pam.d/password-auth</tt>.
First, add the following just before the pam_unix.so auth line:
<pre>auth required pam_faillock.so preauth audit silent deny=5
unlock_time=900</pre>
-<!-- TOOD: this implies we need to create a Value and associated refine-value -->
Second, add the following two lines just after the pam_unix.so auth line:
<pre>auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5
unlock_time=900</pre>
+<ul><li>NOTE: The DoD requires accounts be locked out after 3 failed login
attempts,
+accomplished by changing the value of the <tt>deny</tt> option to
<i>3</i> in the example
+above.</li></ul>
</description>
<rationale>
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</rationale>
<ident cce="3410-8" />
-<oval id="accounts_passwords_pam_faillock_deny" />
+<oval id="accounts_passwords_pam_faillock_deny"
value="var_accounts_passwords_pam_faillock_deny"/>
<ref nist="AC-7, CM-6" disa="1452,44,47" />
</Rule>
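Review bot: the `<pre>` examples still hard-code `deny=5` while the `<oval>` element now binds the check to `var_accounts_passwords_pam_faillock_deny`, so in any profile that refines that variable (the STIG profile refines it to 3) the prose and the automated check disagree. Substitute the Value into the three examples with `<sub idref="var_accounts_passwords_pam_faillock_deny" />` instead of relying on the added NOTE bullet; the removed TODO comment was pointing at exactly this. Once the substitution is in place the NOTE telling readers to change `deny` to 3 is redundant for the STIG profile and misleading for every other one, so it should go at the same time.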
--
1.7.7.6
Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
.../accounts_passwords_pam_faillock_deny.xml | 50 ++++++++++++++++++++
1 files changed, 50 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
new file mode 100644
index 0000000..ee594ff
--- /dev/null
+++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
@@ -0,0 +1,50 @@
+<def-group>
+ <definition class="compliance"
id="accounts_passwords_pam_faillock_deny" version="1">
+ <metadata>
+ <title>Lock out account after failed login attempts</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="TODO" source="CCE" />
+ <description>The number of allowed failed logins should be set
correctly.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="default is set to 5"
test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" />
+ <criterion comment="default is set to 5"
test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/system-auth"
id="test_accounts_passwords_pam_faillock_deny_system-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_system-auth" />
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_system-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="check maximum failed login attempts
allowed in /etc/pam.d/password-auth"
id="test_accounts_passwords_pam_faillock_deny_password-auth"
version="1">
+ <ind:object
object_ref="object_accounts_passwords_pam_faillock_deny_password-auth" />
+ <ind:state
state_ref="state_accounts_passwords_pam_faillock_deny_password-auth" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_system-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:required))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object
id="object_accounts_passwords_pam_faillock_deny_password-auth"
version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename>password-auth</ind:filename>
+ <ind:pattern operation="pattern
match">^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so.*deny=([0-9]*).*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or
equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_system-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state
id="state_accounts_passwords_pam_faillock_deny_password-auth"
version="1">
+ <ind:subexpression datatype="int" operation="equals"
var_ref="var_accounts_passwords_pam_faillock_deny" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="number of failed login attempts allowed"
datatype="int" id="var_accounts_passwords_pam_faillock_deny"
version="1" />
+</def-group>
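Review bot: the two objects apply different patterns to files that receive identical lines. The system-auth object only matches `auth required pam_faillock.so` (the preauth line), while the password-auth object only matches `sufficient` or `[default=die]` (the authsucc and authfail lines), so a system-auth whose authfail line still says `deny=5` next to a preauth `deny=3` passes, and the preauth line in password-auth is never inspected at all. Use one pattern covering all three control flags in both objects; with `check="all"` and `instance >= 1` every matching line then becomes an item that must equal the variable, which is the property the Rule describes. Tighten `deny=([0-9]*)` to `deny=([0-9]+)` as well, since `*` allows an empty capture that cannot be converted to the `int` subexpression. Also `<reference ref_id="TODO" source="CCE" />` can be filled from the Rule's `<ident cce="3410-8" />`, and the `comment="default is set to 5"` on both criteria is stale now that the expected value comes from the external variable.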
--
1.7.7.6
Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
RHEL6/input/system/accounts/pam.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index 16f0bf3..da19749 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -316,10 +316,10 @@ auth required pam_deny.so</pre>
To enforce password
lockout, add the following to <tt>/etc/pam.d/system-auth</tt> and
<tt>/etc/pam.d/password-auth</tt>.
First, add the following just before the pam_unix.so auth line:
-<pre>auth required pam_faillock.so preauth audit silent deny=5
unlock_time=900</pre>
+<pre>auth required pam_faillock.so preauth audit silent deny=<sub
idref="var_accounts_passwords_pam_faillock_deny" />
unlock_time=900</pre>
Second, add the following two lines just after the pam_unix.so auth line:
-<pre>auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
-auth sufficient pam_faillock.so authsucc audit deny=5
unlock_time=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail audit deny=<sub
idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900
+auth sufficient pam_faillock.so authsucc audit deny=<sub
idref="var_accounts_passwords_pam_faillock_deny" />
unlock_time=900</pre>
<ul><li>NOTE: The DoD requires accounts be locked out after 3 failed login
attempts,
accomplished by changing the value of the <tt>deny</tt> option to
<i>3</i> in the example
above.</li></ul>
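Review bot: with `<sub>` now rendering the profile's value into the examples, the NOTE bullet left unchanged below them becomes self-contradictory in the STIG profile: the rendered example already shows `deny=3`, and the NOTE then tells the reader to change it to 3 "in the example above". Either drop the NOTE (the refine-value carries the DoD requirement) or reword it to state that the STIG profile sets this value to 3, without instructing the reader to edit the example. Worth checking too that the guide transform substitutes `<sub>` inside `<pre>`, since the element now appears across line breaks within preformatted text.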
--
1.7.7.6
Signed-off-by: Willy Santos <wsantos(a)redhat.com>
---
RHEL6/input/profiles/STIG-server.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml
index fa11c8e..fb7b235 100644
--- a/RHEL6/input/profiles/STIG-server.xml
+++ b/RHEL6/input/profiles/STIG-server.xml
@@ -42,4 +42,6 @@
<refine-value idref="password_history_retain_number"
selector="24"/>
<refine-value idref="var_password_max_age" selector="60"/>
+<!-- from inherited Rule, deny_password_attempts -->
+<refine-value idref="var_accounts_passwords_pam_faillock_deny"
selector="3"/>
</Profile>
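Review bot: the refine-value only takes effect if this profile also selects `deny_password_attempts`; the comment says the Rule is inherited, but no `<select>` for it is visible in the hunk, so confirm the selection lives in the parent profile rather than relying on the comment. The `selector="3"` matches the `<value selector="3">` added to the Value, and the comment style follows the file's existing `<!-- -->` usage, so otherwise this is fine.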
--
1.7.7.6