0001-Adding-remediation-fix-for-accounts_max_concurrent_l.patch From 3616e7abaf9d9b1c71d211ff435c77ef96c297d3 Mon Sep 17 00:00:00 2001 From: Frank Caviggia<fcaviggi(a)redhat.com> Date: Thu, 3 Oct 2013 12:48:54 -0400 Subject: [PATCH] Adding remediation fix for accounts_max_concurrent_login_sessions Signed-off-by: Frank Caviggia<fcaviggi(a)redhat.com> --- RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh diff --git a/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh new file mode 100644 index 0000000..0ec1e06 --- /dev/null +++ b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh @@ -0,0 +1,4 @@ +source ./templates/support.sh +populate max_concurrent_login_sessions_value + +echo "* hard maxlogins $max_concurrent_login_sessions_value" >> /etc/security/limits.conf -- 1.8.3.1

On Oct 3, 2013, at 4:06 PM, fcaviggi(a)redhat.com wrote: Shawn, This is probably a better approach - I'll resubmit the patch for accounts_max_concurrent_login_sessions - do you think we should probably do the same thing for disable_user_coredumps? -Frank

> On 10/03/2013 02:25 PM, Shawn Wells wrote: >> On 10/3/13 1:08 PM, Frank Caviggia wrote: >> >> 0001-Adding-remediation-fix-for-accounts_max_concurrent_l.patch >> >> From 3616e7abaf9d9b1c71d211ff435c77ef96c297d3 Mon Sep 17 00:00:00 2001 >> From: Frank Caviggia <fcaviggi(a)redhat.com&gt; >> Date: Thu, 3 Oct 2013 12:48:54 -0400 >> Subject: [PATCH] Adding remediation fix for >> accounts_max_concurrent_login_sessions >> >> Signed-off-by: Frank Caviggia <fcaviggi(a)redhat.com&gt; >> --- >> RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh | 4 ++++ >> 1 file changed, 4 insertions(+) >> create mode 100644 RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh >> >> diff --git a/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh >> new file mode 100644 >> index 0000000..0ec1e06 >> --- /dev/null >> +++ b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh >> @@ -0,0 +1,4 @@ >> +source ./templates/support.sh >> +populate max_concurrent_login_sessions_value >> + >> +echo "* hard maxlogins $max_concurrent_login_sessions_value" >> /etc/security/limits.conf >> -- >> 1.8.3.1 >> > > There are two failure conditions which we'll need to remediate: > - maxlogins value to high > - maxlogins not set (which your patch handles) > > Here's an example of how to address both: > https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/inpu... > > A sed command will change any existing values, and should there not be any, the appropriate string is concatenated to the file. What do you think of that approach? I wasn't clever enough to get everything into a single one-liner, not sure if the efficiency could be increased. > > > > _______________________________________________ > scap-security-guide mailing list > scap-security-guide(a)lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide -- Frank Caviggia Consultant, Public Sector fcaviggi(a)redhat.com (M) (571) 295-4560 _______________________________________________ scap-security-guide mailing list scap-security-guide(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide