All,
I haven't seen a patch regarding the below-described faillock error come out. Is there one in the works? May I assist with its creation / release?
Thank you!
--
Adam Spice
Contractor, STG Unix support, Army Research Labs
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Spice, Adam M CTR USARMY ARL (US)
Sent: Wednesday, January 08, 2014 6:11 AM
To: scap-security-guide@lists.fedorahosted.org
Subject: RE: Problem with Setting faillock Account Lock Time
Thank you, Leland.
--
Adam Spice
Contractor, STG Unix support, Army Research Labs
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Steinke, Leland J Sr CTR DISA FSO (US)
Sent: Tuesday, January 07, 2014 4:18 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: RE: Problem with Setting faillock Account Lock Time
Mr. Spice:
I think the lines should go beneath the pam_unix.so line. There should be a patch forthcoming.
Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
leland.j.steinke.ctr@mail.mil (gov't)
lsteinke@tapestrytech.com (com'l)
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Spice, Adam M CTR USARMY ARL (US)
Sent: Tuesday, January 07, 2014 3:13 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Problem with Setting faillock Account Lock Time
All,
My systems failed the scans for CCE-26844-1 (Set Deny For Failed Password Attempts), CCE-27110-6 (Set Lockout Time For Failed Password Attempts) and CCE-27215-3 (Set Interval For Counting Failed Password Attempts). I was able to resolve the first and last by following the fix text, but CCE-27110-6 remains a problem.
The fix text instructs me to add the following lines:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

... directly beneath the following line in /etc/pam.d/system-auth:

auth required pam_env.so
However, following these instructions results in a system whose GDM prompts me for a username, but never gets to the password. The logs show "gkr-pam: no password is available for user." I performed many Google searches, not really finding much that helped me other than an old message in this group: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-February/002601.html
Unfortunately, I didn't see a resolution. The person who started that thread opened a ticket, but it doesn't look like it was addressed: https://fedorahosted.org/scap-security-guide/ticket/255
He also referenced a Red Hat Solution that provides instructions on enabling faillock; following this, I was able to restore my system to functionality. I could log in; if I failed my attempt three times, I could no longer log in; pam_tally2 no longer reported failed logins, but faillock did. I haven't yet spent the week to determine whether or not the unlock_time parameter is being applied (if you know of a way to report remaining time until an account unlocks, that would help).
Is there any guidance available regarding passing this scan without disabling my system?
Thank you!
--
Adam Spice
Contractor, STG Unix support, Army Research Labs
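The placement question in this thread (faillock lines beneath pam_env.so, as the fix text said, versus beneath pam_unix.so, as Leland Steinke suggests) is easy to check mechanically. The following POSIX shell script is an added example, not code from the SCAP Security Guide project or from anyone in the thread. It audits a PAM auth stack for two things: that every pam_faillock.so authfail/authsucc line comes after the pam_unix.so line, and what values deny, unlock_time and fail_interval carry. The two system-auth files it inspects are constructed inline; the control flags on pam_unix.so and the authsucc line in the "corrected" file follow the example in the pam_faillock(8) manual page rather than the list's fix text, and the scan here only verifies ordering and parameter values, not that the stack behaves correctly at login.

```shell
#!/bin/sh
# Added example, not from the SSG project or the thread: audit the placement
# and parameters of pam_faillock lines in a PAM auth stack.

# check_faillock_order FILE
# Exit 0 if every "auth ... pam_faillock.so authfail|authsucc" line in FILE
# comes after the first "auth ... pam_unix.so" line, 1 otherwise.
check_faillock_order() {
    awk '
        $1 == "auth" && /pam_unix\.so/ && !unix_line { unix_line = NR }
        $1 == "auth" && /pam_faillock\.so[[:space:]]+auth(fail|succ)/ {
            total++
            if (!unix_line) early++
        }
        END {
            if (total == 0) { print "no pam_faillock authfail/authsucc lines"; exit 1 }
            if (early)      { print early " faillock line(s) precede pam_unix.so"; exit 1 }
            print "faillock authfail/authsucc lines follow pam_unix.so"
        }' "$1"
}

# faillock_param FILE KEY
# Print each distinct value of KEY=value found on the pam_faillock auth lines,
# one per line (prints nothing if KEY is absent).
faillock_param() {
    awk -v key="$2" '
        $1 == "auth" && /pam_faillock\.so/ {
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == key && !seen[kv[2]]++) print kv[2]
            }
        }' "$1"
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed file: the layout the original fix text produces, with the
# faillock lines directly beneath pam_env.so (the ordering that broke GDM
# in the thread).
WRONG_CFG=$TMPD/system-auth.wrong
cat > "$WRONG_CFG" <<'EOF'
auth        required      pam_env.so
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF

# Constructed file: faillock lines beneath pam_unix.so. The control flags on
# pam_unix.so and authsucc follow the pam_faillock(8) manual page example, so
# a correct password skips authfail and reaches authsucc.
RIGHT_CFG=$TMPD/system-auth.right
cat > "$RIGHT_CFG" <<'EOF'
auth        required      pam_env.so
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so
EOF

for f in "$WRONG_CFG" "$RIGHT_CFG"; do
    printf '%s: ' "$(basename "$f")"
    check_faillock_order "$f" || true
    printf '  deny=%s unlock_time=%s fail_interval=%s\n' \
        "$(faillock_param "$f" deny)" \
        "$(faillock_param "$f" unlock_time)" \
        "$(faillock_param "$f" fail_interval)"
done
```

Run it against a real /etc/pam.d/system-auth by calling check_faillock_order and faillock_param on that path instead of the constructed files; a non-zero exit from check_faillock_order flags the pam_env.so placement the fix text produced.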