Mr. Spice:
I think the lines should go beneath the pam_unix.so line. There should be a patch
forthcoming.
Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
leland.j.steinke.ctr(a)mail.mil (gov't)
lsteinke(a)tapestrytech.com (com'l)
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-security-guide-bounces(a)lists.fedorahosted.org] On Behalf Of Spice, Adam M CTR USARMY ARL (US)
Sent: Tuesday, January 07, 2014 3:13 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Problem with Setting faillock Account Lock Time
All,
My systems failed the scans for CCE-26844-1 (Set Deny For Failed Password Attempts), CCE-27110-6 (Set Lockout Time For Failed Password Attempts) and CCE-27215-3 (Set Interval For Counting Failed Password Attempts). I was able to resolve the first and last by following the fix text, but CCE-27110-6 remains a problem.
The fix text instructs me to add the following lines:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

... directly beneath the following line in /etc/pam.d/system-auth:

auth required pam_env.so
However, following these instructions results in a system whose GDM prompts me for a username, but never gets to the password. The logs show "gkr-pam: no password is available for user." I performed many Google searches, not really finding much that helped me other than an old message in this group:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-February/002601.html
Unfortunately, I didn't see a resolution. The person who started that thread opened a ticket, but it doesn't look like it was addressed:
https://fedorahosted.org/scap-security-guide/ticket/255
He also referenced a Red Hat Solution that provides instructions on enabling faillock; following this, I was able to restore my system to functionality.
I could log in; if I failed my attempt three times, I could no longer log in; pam_tally2 no longer reported failed logins, but faillock did. I haven't yet spent the week to determine whether or not the unlock_time parameter is being applied (if you know of a way to report remaining time until an account unlocks, that would help).
Is there any guidance available regarding passing this scan without disabling my system?
Thank you!
--
Adam Spice
Contractor, STG
Unix support, Army Research Labs
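An added example, not part of either message above: a small checker for the auth stack of an /etc/pam.d/system-auth-style file that applies the thread's two points, namely that the pam_faillock.so authfail and authsucc lines carry the fix-text values (deny=3, unlock_time=604800, fail_interval=900) and that they sit beneath pam_unix.so rather than beneath pam_env.so. The sample stacks are constructed, and treating a value stricter than the fix text as acceptable is this example's own assumption.

```python
import re

# Constructed sample auth stack with the two fix-text lines placed beneath
# pam_unix.so, as the reply in the thread suggests.
GOOD_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
"""
# Constructed sample with the same lines directly beneath pam_env.so, which is
# what the original fix text instructed.
MISPLACED_STACK = """\
auth        required      pam_env.so
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
"""
# Fix-text values; "max"/"min" says in which direction a deviation is weaker (assumption).
REQUIRED = {"deny": (3, "max"), "unlock_time": (604800, "min"), "fail_interval": (900, "min")}
# type, control (possibly a bracketed [..] control), module, remaining args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Return [(module, [args])] for the 'auth' lines, in file order; comments are dropped."""
    stack = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            stack.append((m.group(3), m.group(4).split()))
    return stack

def check_faillock(text):
    """Return a list of findings; an empty list means the auth stack passes both checks."""
    stack = parse_auth_stack(text)
    unix_idx = next((i for i, (mod, _) in enumerate(stack) if mod == "pam_unix.so"), None)
    if unix_idx is None:
        return ["no pam_unix.so line in the auth stack"]
    findings = []
    for stage in ("authfail", "authsucc"):
        hits = [(i, a) for i, (mod, a) in enumerate(stack) if mod == "pam_faillock.so" and stage in a]
        if not hits:
            findings.append(f"missing pam_faillock.so {stage} line")
            continue
        idx, args = hits[0]
        if idx < unix_idx:  # ordering point raised in the reply
            findings.append(f"{stage} line is above pam_unix.so")
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        for key, (limit, kind) in REQUIRED.items():
            if key not in opts:
                findings.append(f"{stage}: {key} not set")
            elif (kind == "max" and int(opts[key]) > limit) or (kind == "min" and int(opts[key]) < limit):
                findings.append(f"{stage}: {key}={opts[key]} is weaker than {limit}")
    return findings
```

Run check_faillock on the text of a real system-auth file to get the same findings for that host.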