All,
My systems failed the scans for CCE-26844-1 (Set Deny For Failed Password Attempts), CCE-27110-6 (Set Lockout Time For Failed Password Attempts) and CCE-27215-3 (Set Interval For Counting Failed Password Attempts). I was able to resolve the first and last by following the fix text, but CCE-27110-6 remains a problem.
The fix text instructs me to add the following lines:

    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
    auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

... directly beneath the following line in /etc/pam.d/system-auth:

    auth required pam_env.so
However, following these instructions results in a system whose GDM prompts me for a username, but never gets to the password. The logs show "gkr-pam: no password is available for user." I performed many Google searches, not really finding much that helped me other than an old message in this group: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-February/002601.html
Unfortunately, I didn't see a resolution. The person who started that thread opened a ticket, but it doesn't look like it was addressed: https://fedorahosted.org/scap-security-guide/ticket/255
He also referenced a Red Hat Solution that provides instructions on enabling faillock; following this, I was able to restore my system to functionality. I could log in; if I failed my attempt three times, I could no longer log in; pam_tally2 no longer reported failed logins, but faillock did. I haven't yet spent the week to determine whether or not the unlock_time parameter is being applied (if you know of a way to report remaining time until an account unlocks, that would help).
Is there any guidance available regarding passing this scan without disabling my system?
Thank you!
-- 
Adam Spice
Contractor, STG Unix support, Army Research Labs
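Two checks for the situation in the message above, as an added example that is not part of the original post or of the SSG project. The first inspects the auth stack of a system-auth file and flags a pam_faillock authfail line placed ahead of pam_unix.so: the `[default=die]` control maps every return code of that module, PAM_SUCCESS included, to "die", so when it is the first module after pam_env.so the stack ends in failure before any module has asked for a password. The reference ordering (preauth before pam_unix.so, authfail after it, plus an account-phase line) is the one shown in the EXAMPLES section of pam_faillock(8). The second answers the question at the end of the message: it parses `faillock --user NAME` output and applies the deny / fail_interval / unlock_time rules to report seconds until the account unlocks. Both system-auth stacks, the faillock output, the user name aspice and the "current" timestamp are constructed sample data, not captured from the poster's hosts.

```python
"""Added example (not from the original post or the SSG project): check the
placement of pam_faillock lines in system-auth, and compute the remaining
lockout time from `faillock --user NAME` output. All input is constructed."""
import re
from datetime import datetime

# Constructed sample: the fix text's placement, authfail directly under pam_env.so.
BAD_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""

# Constructed sample in the ordering shown by pam_faillock(8): preauth before
# pam_unix.so, authfail after it, plus the account-phase line.
GOOD_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_faillock.so
"""

# The control field is a single word or a bracketed [value=action ...] list.
AUTH_LINE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def check_faillock_order(text):
    """Return a list of problems found in the auth stack (empty list = OK)."""
    preauth = authfail = unix = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = AUTH_LINE.match(line)
        if not m:
            continue
        control, module, args = m.group(1), m.group(2), m.group(3).split()
        if module.endswith("pam_unix.so") and unix is None:
            unix = lineno
        elif module.endswith("pam_faillock.so"):
            if "preauth" in args and preauth is None:
                preauth = lineno
            if "authfail" in args and authfail is None:
                authfail = (lineno, control)
    if unix is None:
        return ["no pam_unix.so auth line found"]
    problems = []
    if preauth is None or preauth > unix:
        problems.append("pam_faillock.so preauth missing or placed after pam_unix.so")
    if authfail is None:
        problems.append("no pam_faillock.so authfail line found")
    elif authfail[0] < unix:
        msg = "pam_faillock.so authfail (line %d) runs before pam_unix.so (line %d)" % (authfail[0], unix)
        if authfail[1] == "[default=die]":
            # 'default' covers every return code, PAM_SUCCESS included, so the
            # stack ends in failure before any module has asked for a password.
            msg += "; with [default=die] every login fails before a password is requested"
        problems.append(msg)
    return problems


# Constructed sample of `faillock --user aspice` output (user name assumed).
FAILLOCK_SAMPLE = """\
aspice:
When                Type  Source                                           Valid
2013-05-20 09:00:05 TTY   tty1                                             V
2013-05-20 09:00:20 TTY   tty1                                             V
2013-05-20 09:00:41 TTY   tty1                                             V
"""


def parse_when(text):
    """Parse the 'When' column of faillock output."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_faillock(text):
    """Return [(timestamp, valid)] for each failure record in faillock output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[-1] not in ("V", "I"):
            continue  # user-name line and column header
        records.append((parse_when(parts[0] + " " + parts[1]), parts[-1] == "V"))
    return records


def lockout_remaining(records, now, deny=3, fail_interval=900, unlock_time=604800):
    """Seconds until the account unlocks, 0 if it is not locked, or None when
    unlock_time=0 (locked until `faillock --user NAME --reset`).

    Follows pam_faillock's rule: valid failures within fail_interval seconds of
    the most recent one are counted; if the count reaches deny and the most
    recent failure is younger than unlock_time seconds, access is denied."""
    valid = sorted(t for t, ok in records if ok)
    if not valid:
        return 0
    latest = valid[-1]
    recent = [t for t in valid if (latest - t).total_seconds() <= fail_interval]
    if len(recent) < deny:
        return 0
    if unlock_time == 0:
        return None
    age = (now - latest).total_seconds()
    return int(unlock_time - age) if age < unlock_time else 0


if __name__ == "__main__":
    for name, stack in (("fix text", BAD_SYSTEM_AUTH), ("pam_faillock(8)", GOOD_SYSTEM_AUTH)):
        print(name + ":", check_faillock_order(stack) or "OK")
    now = parse_when("2013-05-20 09:10:41")  # assumed current time for the sample
    print("seconds until unlock:", lockout_remaining(parse_faillock(FAILLOCK_SAMPLE), now))
```

On a real host, feed `check_faillock_order(open("/etc/pam.d/system-auth").read())` (and password-auth, which GDM and sshd may use instead) and the output of `faillock --user NAME` to `parse_faillock`; the deny, fail_interval and unlock_time arguments must match the values on the pam_faillock lines, since the faillock command itself only lists the raw failure records.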