On 10/3/13 1:08 PM, Frank Caviggia wrote:
0001-Adding-remediation-fix-for-accounts_max_concurrent_l.patch
From 3616e7abaf9d9b1c71d211ff435c77ef96c297d3 Mon Sep 17 00:00:00 2001
From: Frank Caviggia<fcaviggi(a)redhat.com>
Date: Thu, 3 Oct 2013 12:48:54 -0400
Subject: [PATCH] Adding remediation fix for
accounts_max_concurrent_login_sessions
Signed-off-by: Frank Caviggia<fcaviggi(a)redhat.com>
---
RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
diff --git a/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
new file mode 100644
index 0000000..0ec1e06
--- /dev/null
+++ b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh
@@ -0,0 +1,4 @@
+source ./templates/support.sh
+populate max_concurrent_login_sessions_value
+
+echo "* hard maxlogins $max_concurrent_login_sessions_value" >>
/etc/security/limits.conf
-- 1.8.3.1
There are two failure conditions which we'll need to remediate:
- maxlogins value to high
- maxlogins not set (which your patch handles)
Here's an example of how to address both:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/inpu...
A sed command will change any existing values, and should there not be
any, the appropriate string is concatenated to the file. What do you
think of that approach? I wasn't clever enough to get everything into a
single one-liner, not sure if the efficiency could be increased.