On 10/19/12 12:23 PM, Andrew Gilmore wrote:
> So in digging through all this, I'm finding a couple of things that
> either aren't working right or that will require alterations to my
> current configuration to comply.
> Where do I ask the following questions? It seems that this group isn't
> the place, but my google-fu is coming up short.

gov-sec is a great place. It's a community group of security-interested
parties running RHEL. Mailing list here:
http://www.redhat.com/mailman/listinfo/gov-sec
Note that we (Red Hat) moderate the list to ensure only U.S. customers
join. If you do send a request to join give your primary Red Hat contact
a heads up to ensure you don't get rejected (if you don't know who that
is, feel free to ping me so I can pass your name/email to the list
moderator).
And if you have paid Red Hat subscriptions, you can always just email
Red Hat support at customerservice(a)redhat.com. They eat questions like
this up.

> auth pam_tally2 ... deny=5
> in /etc/pam.d/system_auth doesn't appear to reset if I successfully
> enter my password after a failure. Eventually I get locked out and the
> audit scripts do not appear to allow "unlock="
> What is the best practice for application of pam_tally2?

Note pam_tally2 is a carryover from RHEL5, we'll be updating the guides
to reflect pam_faillock soonish. Regardless, the lockout controls
generally are time based. Say, for example, the requirement is: "Allow 5
password attempts in 3 minutes"
In that case, say I SSH in:
0.01: Failed password
0.02: Failed password
0.03: Failed password
0.04: I'm in!
and then I decide to open another SSH terminal a minute later:
1.00: Failed password
1.01: Failed password
... Even though I did eventually establish my first connection, at this
point my account would be locked out since I had 5 failed attempts
within 3 minutes.

> SRG requires no .forward files. I currently do some data processing on
> automated emails via procmail configured in .forward in a dedicated
> user. What is the best practice for configuring such?

That's only for RHEL5, we went ahead and dropped it for RHEL6.
Personally I set up /etc/aliases to take care of this. I don't want local
mail sitting on my servers, so I alias root to whatever sysadmin group
I'm working for (e.g. "root: customerproject-admins(a)redhat.com") and my
non-privileged username to my work address (e.g. "shawn:
shawn(a)redhat.com")
-shawn
--
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) shawn(a)redhat.com
(c) 443.534.0130
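
The time-based lockout described in the reply above ("Allow 5 password attempts in 3 minutes"), as an added example that is not part of the original message and is not PAM's own code. The class `FailureWindow`, its `fail_interval` and `reset_on_success` parameters, and the reading of the timeline's times as seconds are assumptions made for illustration; the model replays the same sequence with and without clearing the counter on a successful login.

```python
from collections import deque

# Constructed sample: (seconds since start, password_ok), following the
# timeline in the message with its times read as seconds (an assumption).
TIMELINE = [(1, False), (2, False), (3, False), (4, True), (60, False), (61, False)]


class FailureWindow:
    """Toy model of a time-windowed lockout counter; not PAM's own logic."""

    def __init__(self, deny=5, fail_interval=180, reset_on_success=False):
        self.deny = deny                      # failures allowed in the window
        self.fail_interval = fail_interval    # window length in seconds
        self.reset_on_success = reset_on_success
        self.failures = deque()               # timestamps of recent failures
        self.locked = False                   # stays set; unlocking is out of scope

    def attempt(self, now, password_ok):
        """Record one attempt and return 'ok', 'fail' or 'locked'."""
        # Forget failures that have aged out of the window.
        while self.failures and now - self.failures[0] >= self.fail_interval:
            self.failures.popleft()
        if self.locked:
            return "locked"
        if password_ok:
            if self.reset_on_success:
                self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.deny:
            self.locked = True
        return "fail"


def replay(events, **policy):
    """Replay events under a policy; return (results, locked, failures in window)."""
    window = FailureWindow(**policy)
    results = [window.attempt(t, ok) for t, ok in events]
    return results, window.locked, len(window.failures)


if __name__ == "__main__":
    for reset in (False, True):
        print("reset_on_success =", reset, replay(TIMELINE, reset_on_success=reset))
```

With the counter kept across the successful login, the fifth failure at 61 seconds locks the account; with the counter cleared on success, only two failures remain in the window.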