Shawn,
This is probably a better approach - I'll resubmit the patch for accounts_max_concurrent_login_sessions - do you think we should probably do the same thing for disable_user_coredumps?
-Frank
On 10/03/2013 02:25 PM, Shawn Wells wrote:
On 10/3/13 1:08 PM, Frank Caviggia wrote:
From 3616e7abaf9d9b1c71d211ff435c77ef96c297d3 Mon Sep 17 00:00:00 2001 From: Frank Caviggia <fcaviggi@redhat.com> Date: Thu, 3 Oct 2013 12:48:54 -0400 Subject: [PATCH] Adding remediation fix for accounts_max_concurrent_login_sessions Signed-off-by: Frank Caviggia <fcaviggi@redhat.com> --- RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh diff --git a/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh new file mode 100644 index 0000000..0ec1e06 --- /dev/null +++ b/RHEL6/input/fixes/bash/accounts_max_concurrent_login_sessions.sh @@ -0,0 +1,4 @@ +source ./templates/support.sh +populate max_concurrent_login_sessions_value + +echo "* hard maxlogins $max_concurrent_login_sessions_value" >> /etc/security/limits.conf-- 1.8.3.1
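Review bot: the final added line (echo "* hard maxlogins $max_concurrent_login_sessions_value" >> /etc/security/limits.conf) appends unconditionally. An existing maxlogins entry with a higher value stays in the file, and every repeated run of the fix adds another copy of the line. Suggest rewriting any existing maxlogins entry to the populated value first and appending only when no entry is present, so the script is safe to re-run.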
There are two failure conditions which we'll need to remediate:
- maxlogins value too high
- maxlogins not set (which your patch handles)
Here's an example of how to address both:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/fixes/bash/accounts_password_minlen_login_defs.sh
A sed command will change any existing values, and should there not be any, the appropriate string is concatenated to the file. What do you think of that approach? I wasn't clever enough to get everything into a single one-liner, not sure if the efficiency could be increased.
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
-- Frank Caviggia Consultant, Public Sector fcaviggi@redhat.com (M) (571) 295-4560
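The replace-or-append approach discussed in the thread, written out for the maxlogins entry as an added example; it is not code from this thread or from the scap-security-guide repository. The function name set_maxlogins and the file-path argument are assumptions, chosen so the logic can be tried on a scratch copy rather than on /etc/security/limits.conf.

```shell
#!/bin/sh
# Added example, not the project's fix script.
# set_maxlogins is a hypothetical helper; the target file is an argument so the
# logic can be run against a scratch copy of limits.conf.

# BRE for an active (uncommented) "* hard maxlogins <value>" entry, up to the value.
MAXLOGINS_RE='[[:space:]]*\*[[:space:]]\{1,\}hard[[:space:]]\{1,\}maxlogins[[:space:]]\{1,\}'

set_maxlogins() {
    file=$1
    value=$2

    # Accept digits only, so the value cannot smuggle sed syntax or extra fields.
    case $value in
        '' | *[!0-9]*) echo "invalid maxlogins value: '$value'" >&2; return 1 ;;
    esac

    if grep -q "^${MAXLOGINS_RE}" "$file"; then
        # Failure condition 1: an entry exists (possibly too high). Rewrite every
        # matching line; commented-out lines and other domains are left untouched.
        tmp=$(mktemp) || return 1
        sed "s/^\(${MAXLOGINS_RE}\).*/\1${value}/" "$file" > "$tmp" &&
            cat "$tmp" > "$file"    # cat keeps the original owner, mode and inode
        rc=$?
        rm -f "$tmp"
        return $rc
    fi

    # Failure condition 2: no entry at all. Append one, first terminating a last
    # line that lacks its newline so the new entry is not glued onto it.
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
    echo "* hard maxlogins $value" >> "$file"
}
```

Running the function a second time with the same value leaves the file unchanged, which is the property the plain append lacks.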