All,
My systems failed the scans for CCE-26844-1 (Set Deny For Failed Password Attempts), CCE-27110-6 (Set Lockout Time For Failed Password Attempts) and CCE-27215-3 (Set Interval For Counting Failed Password Attempts). I was able to resolve the first and last by following the fix text, but CCE-27110-6 remains a problem.
The fix text instructs me to add the following lines:

    auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
    auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

... directly beneath the following line in /etc/pam.d/system-auth:

    auth required pam_env.so
However, following these instructions results in a system whose GDM prompts me for a username, but never gets to the password. The logs show "gkr-pam: no password is available for user." I performed many Google searches, not really finding much that helped me other than an old message in this group: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-February/002601.html
Unfortunately, I didn't see a resolution. The person who started that thread opened a ticket, but it doesn't look like it was addressed: https://fedorahosted.org/scap-security-guide/ticket/255
He also referenced a Red Hat Solution that provides instructions on enabling faillock; following this, I was able to restore my system to functionality. I could log in; if I failed my attempt three times, I could no longer log in; pam_tally2 no longer reported failed logins, but faillock did. I haven't yet spent the week to determine whether or not the unlock_time parameter is being applied (if you know of a way to report remaining time until an account unlocks, that would help).
Is there any guidance available regarding passing this scan without disabling my system?
Thank you!
-- Adam Spice Contractor, STG Unix support, Army Research Labs
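The message above asks for a way to report the time remaining until a faillock'd account unlocks. The script below is an added example (not from this thread, from SSG or from Linux-PAM) that parses the listing printed by the faillock tool and applies the lockout rule as the pam_faillock manual page describes it, using the deny, unlock_time and fail_interval values from the fix text quoted above. The faillock output sample is constructed, its column layout is assumed to match the RHEL 6 tool, and the reading of the rule (lock begins at the most recent valid failure, lasts unlock_time seconds) is an assumption to verify against the pam_faillock version on the host.

```python
#!/usr/bin/env python3
"""Report how long a pam_faillock lockout has left (added example)."""
import datetime as dt
import re

# Parameters from the fix text quoted in the thread.
DENY = 3
UNLOCK_TIME = 604800   # seconds (7 days)
FAIL_INTERVAL = 900    # seconds (15 minutes)

# Constructed sample of `faillock --user aspice` output.  The column layout
# (When / Type / Source / Valid) is assumed to match the RHEL 6 faillock tool;
# the 'I' record is an invalidated failure that must not be counted.
SAMPLE_OUTPUT = """\
aspice:
When                Type  Source                                           Valid
2014-01-07 14:30:00 TTY   tty1                                             I
2014-01-07 15:10:02 TTY   tty1                                             V
2014-01-07 15:10:40 TTY   tty1                                             V
2014-01-07 15:11:15 RHOST 192.0.2.10                                       V
"""

RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+([VI])\s*$")


def parse_faillock(text):
    """Return [(when, type, source, valid)] for each failure record."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:          # skip the 'user:' line and the column header
            continue
        when = dt.datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((when, m.group(2), m.group(3), m.group(4) == "V"))
    return records


def lockout_status(records, now, deny=DENY, unlock_time=UNLOCK_TIME,
                   fail_interval=FAIL_INTERVAL):
    """Return (locked, seconds_remaining) for the given failure records."""
    valid_times = sorted(when for when, _, _, valid in records if valid)
    if not valid_times:
        return False, 0
    latest = valid_times[-1]
    # Valid failures inside one fail_interval ending at the latest failure.
    window_start = latest - dt.timedelta(seconds=fail_interval)
    in_window = [t for t in valid_times if t >= window_start]
    if len(in_window) < deny:
        return False, 0
    # Assumption: the lock runs unlock_time seconds from the latest failure.
    unlock_at = latest + dt.timedelta(seconds=unlock_time)
    remaining = int((unlock_at - now).total_seconds())
    if remaining <= 0:
        return False, 0
    return True, remaining


def report(text, now_str):
    """Parse faillock output and evaluate it at 'YYYY-MM-DD HH:MM:SS'."""
    now = dt.datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return lockout_status(parse_faillock(text), now)


def describe(seconds):
    """Render a second count as 'Xd HH:MM:SS'."""
    days, rest = divmod(seconds, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, secs = divmod(rest, 60)
    return f"{days}d {hours:02d}:{minutes:02d}:{secs:02d}"


if __name__ == "__main__":
    # Evaluate a few minutes after the third failure in the sample.
    locked, remaining = report(SAMPLE_OUTPUT, "2014-01-07 15:20:00")
    if locked:
        print(f"aspice: locked, {describe(remaining)} until unlock")
    else:
        print("aspice: not locked")
```

On a live host the same functions can be fed the output of `faillock --user NAME` and the current time; the deny/unlock_time/fail_interval defaults should be changed to whatever the host's system-auth actually sets, since the tool itself does not print them.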
Mr. Spice:
I think the lines should go beneath the pam_unix.so line. There should be a patch forthcoming.
Regards, -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) leland.j.steinke.ctr@mail.mil (gov't) lsteinke@tapestrytech.com (com'l)
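The reply above places the faillock lines beneath pam_unix.so rather than beneath pam_env.so. The script below is an added example (not from the thread or from SSG) that lints the auth stack of a system-auth file for exactly that: authfail and authsucc entries must come after the module that checks the password, a preauth entry (if present) must come before it, as the pam_faillock manual page requires, and the deny, unlock_time and fail_interval values must match what the three CCE checks in the original message expect. Both configuration texts are constructed excerpts; the entry numbers in the findings count auth lines, not file lines.

```python
#!/usr/bin/env python3
"""Lint pam_faillock placement and parameters in a system-auth 'auth' stack."""
import re

# Values the three CCE checks quoted in the thread look for.
EXPECTED = {"deny": "3", "unlock_time": "604800", "fail_interval": "900"}

FAILLOCK_LINES = (
    "auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900\n"
    "auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900\n"
)

# Constructed excerpt: lines inserted directly beneath pam_env.so, as the fix text said.
UNDER_PAM_ENV = (
    "auth        required      pam_env.so\n"
    + FAILLOCK_LINES +
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "auth        requisite     pam_succeed_if.so uid >= 500 quiet\n"
    "auth        required      pam_deny.so\n"
)

# Constructed excerpt: the same lines moved beneath pam_unix.so, as the reply suggests.
UNDER_PAM_UNIX = (
    "auth        required      pam_env.so\n"
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    + FAILLOCK_LINES +
    "auth        requisite     pam_succeed_if.so uid >= 500 quiet\n"
    "auth        required      pam_deny.so\n"
)

# type, control (a word or a [bracketed] form), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_auth_stack(text):
    """Return [(control, module, [args])] for the 'auth' lines, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3), (m.group(4) or "").split()))
    return stack


def faillock_findings(text, credential_module="pam_unix.so", expected=EXPECTED):
    """Return a list of problems; an empty list means the stack looks right."""
    stack = parse_auth_stack(text)
    cred_idx = next((i for i, (_, mod, _) in enumerate(stack)
                     if mod == credential_module), None)
    if cred_idx is None:
        return [f"no {credential_module} line in the auth stack"]
    findings = []
    for i, (_, mod, args) in enumerate(stack):
        if mod != "pam_faillock.so":
            continue
        where = f"auth entry {i + 1}"
        mode = next((a for a in args if a in ("preauth", "authfail", "authsucc")), None)
        if mode in ("authfail", "authsucc") and i < cred_idx:
            findings.append(f"{where}: {mode} precedes {credential_module}")
        elif mode == "preauth" and i > cred_idx:
            findings.append(f"{where}: preauth follows {credential_module}")
        # Compare the key=value arguments against the expected lockout settings.
        params = dict(a.split("=", 1) for a in args if "=" in a)
        for key, want in expected.items():
            if params.get(key) != want:
                findings.append(f"{where}: {key}={params.get(key, 'unset')}, expected {want}")
    return findings


if __name__ == "__main__":
    for label, text in (("under pam_env.so", UNDER_PAM_ENV),
                        ("under pam_unix.so", UNDER_PAM_UNIX)):
        problems = faillock_findings(text)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run against a real file with `faillock_findings(open("/etc/pam.d/system-auth").read())`; on RHEL 6 the same check applies to password-auth, which sshd and other services use.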
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Spice, Adam M CTR USARMY ARL (US) Sent: Tuesday, January 07, 2014 3:13 PM To: scap-security-guide@lists.fedorahosted.org Subject: Problem with Setting faillock Account Lock Time
Thank you, Leland.
-- Adam Spice Contractor, STG Unix support, Army Research Labs
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Steinke, Leland J Sr CTR DISA FSO (US) Sent: Tuesday, January 07, 2014 4:18 PM To: scap-security-guide@lists.fedorahosted.org Subject: RE: Problem with Setting faillock Account Lock Time
All,
I haven't seen a patch regarding the below-described faillock error come out. Is there one in the works? May I assist with its creation / release?
Thank you!
-- Adam Spice Contractor, STG Unix support, Army Research Labs
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Spice, Adam M CTR USARMY ARL (US) Sent: Wednesday, January 08, 2014 6:11 AM To: scap-security-guide@lists.fedorahosted.org Subject: RE: Problem with Setting faillock Account Lock Time
Another member of my organization has spoken with me and let me know he resolved this independently; apparently, we had a configuration error in another file, which caused this issue. Please disregard my request and thank you for your help.
-- Adam Spice Contractor, STG Unix support, Army Research Labs
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Spice, Adam M CTR USARMY ARL (US) Sent: Tuesday, May 13, 2014 3:19 PM To: scap-security-guide@lists.fedorahosted.org Subject: RE: Problem with Setting faillock Account Lock Time
On 5/13/14, 3:32 PM, Spice, Adam M CTR USARMY ARL (US) wrote:
Glad SSG is useful to you guys!
It sounds like you're going through STIGing; would be most interested in false positive feedback.
Shawn
Oh, you've heard quite a bit from us :) (Adam and I are co-workers). Aside from the patches I said I'd write (e.g. for accounts_max_concurrent_login_sessions also checking /etc/security/limits.d/*), which I really will have time to do one of these days...
- The "world_writeable_files" check is flagging a ton of stuff in /proc
- The "no_shelllogin_for_systemaccounts" check doesn't allow /bin/false as one of the options. This seems to be the default for most system accounts on our RHEL6 systems; I don't think that's something we're setting, but I could be wrong:
    bin:x:1:1:bin:/bin:/bin/false
    daemon:x:2:2:daemon:/sbin:/bin/false
    adm:x:3:4:adm:/var/adm:/bin/false
    lp:x:4:7:lp:/var/spool/lpd:/bin/false
    mail:x:8:12:mail:/var/spool/mail:/bin/false
    uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
    nobody:x:99:99:Nobody:/:/bin/false
    dbus:x:81:81:System message bus:/:/bin/false
    usbmuxd:x:113:113:usbmuxd user:/:/bin/false
It also seems to be flagging people with UIDs well over 1000, but GIDs of 100; do accounts like these fall into the category of "system accounts"? I'm not sure where the logic for this is located.
Another oddity with this check is that --oval-results only ever gives me one entry, when it clearly would flag a bunch of stuff as failures.
Note that the above are using the version of OpenSCAP shipped with RHEL6.
That's mostly it; I do have one other thing (for which, amazingly, I have actually written a patch), but that's not exactly a false positive, so I'd rather start a new topic for it.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
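The message above asks where the logic deciding what counts as a "system account" lives, and notes that /bin/false is not accepted as a non-login shell. The script below is an added illustration of one reasonable decision rule, not SSG's own OVAL logic (which this thread does not show). Its assumptions: the boundary between system and user accounts is UID_MIN from /etc/login.defs, which is 500 on RHEL 6; root is exempt; /sbin/nologin, /usr/sbin/nologin and /bin/false are all treated as non-login shells, so the /bin/false entries quoted above pass; and classification is by UID only, so a regular user with GID 100 is never a system account. The passwd excerpt is constructed around the entries quoted in the message.

```python
#!/usr/bin/env python3
"""Illustrative 'system accounts must not have a login shell' check (added example)."""

UID_MIN = 500          # RHEL 6 default from /etc/login.defs; RHEL 7 and later use 1000
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt.  The /bin/false entries are the ones quoted
# in the message above; svcacct and backup are made up to show failing cases;
# rshaw is a made-up regular user whose GID is 100.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
dbus:x:81:81:System message bus:/:/bin/false
nobody:x:99:99:Nobody:/:/bin/false
svcacct:x:450:450:legacy service:/var/lib/svcacct:/bin/bash
backup:x:499:499:backup job:/var/backup:/bin/sh
rshaw:x:1501:100:Ray Shaw:/home/rshaw:/bin/bash
malformed line that is not a passwd entry
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd line (seven colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or damaged line
        name, _, uid, gid, _, _, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return entries


def is_system_account(entry, uid_min=UID_MIN):
    """System account: UID below UID_MIN, excluding root (UID 0). GID is not consulted."""
    return 0 < entry["uid"] < uid_min


def system_accounts_with_login_shell(text, uid_min=UID_MIN, nologin=NOLOGIN_SHELLS):
    """Names of system accounts whose shell is not a recognised non-login shell."""
    return [e["name"] for e in parse_passwd(text)
            if is_system_account(e, uid_min) and e["shell"] not in nologin]


if __name__ == "__main__":
    flagged = system_accounts_with_login_shell(SAMPLE_PASSWD)
    print("system accounts with a login shell:", ", ".join(flagged) or "none")
```

Reading UID_MIN from /etc/login.defs instead of hard-coding it is the natural next step on a host; the point of the example is that the system/user decision is a UID comparison and that the set of accepted non-login shells is an explicit list that has to include /bin/false if that is what the distribution ships.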
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Tuesday, May 13, 2014 3:55 PM To: scap-security-guide@lists.fedorahosted.org Subject: Re: Problem with Setting faillock Account Lock Time