<html><body><div>On May 29, 2018, at 05:26 AM, Marek Haicman <mhaicman@redhat.com> wrote:</div><div><span class="body-text-content">On 05/27/2018 08:45 PM, Dan White wrote:</span><br><span class="body-text-content"></span><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">On May 27, 2018, at 12:02 PM, Šimon Lukašík <slukasik@redhat.com> wrote:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">On 05/25/2018 11:06 PM, Dan White wrote:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I just messed up a baker’s dozen of RHEL 6 virtual machines by hand</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">editing /etc/pam.d files system-auth-ac and password-auth-ac</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I was able to un-mess 8 of them with an authconfig command.</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">The other 5 are in various stages of recovery. 
One had a snapshot</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">but the other 4 are Oracle servers that cannot be snapshot because of</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">shared storage.</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Anyway, what I am looking for here is some brainstorming toward</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">implementing security settings with authconfig commands rather than</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">hand editing the files that utility can alter.</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Thanks.</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I am not sure this is right forum for this. 
Nevertheless, I wouldn't</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">be surprised if this brainstorming ended before it even started, as you</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">didn't provide us with the particular peculiarities you are faced with and thus</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">left us with a very general (and thus hard) task at hand.</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Kind regards,</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">~š.</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing</blockquote><blockquote type="cite" class="quoted-plain-text">Algorithm - CCE-27104-9</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">The Remediation shell script says:</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote>
<blockquote type="cite" class="quoted-plain-text">AUTH_FILES[0]="/etc/pam.d/system-auth"</blockquote>
<blockquote type="cite" class="quoted-plain-text">AUTH_FILES[1]="/etc/pam.d/password-auth"</blockquote>
<blockquote type="cite" class="quoted-plain-text"><br></blockquote>
<blockquote type="cite" class="quoted-plain-text">for pamFile in "${AUTH_FILES[@]}"</blockquote>
<blockquote type="cite" class="quoted-plain-text">do</blockquote>
<blockquote type="cite" class="quoted-plain-text">    if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then</blockquote>
<blockquote type="cite" class="quoted-plain-text">        sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile</blockquote>
<blockquote type="cite" class="quoted-plain-text">    fi</blockquote>
<blockquote type="cite" class="quoted-plain-text">done</blockquote>
<blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">But up at the top of both of those files it says: *"User changes will</blockquote><blockquote type="cite" class="quoted-plain-text">be destroyed the next time authconfig is run"*</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">Here are more:</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -</blockquote><blockquote type="cite" class="quoted-plain-text">CCE-27160-1</blockquote><blockquote type="cite" class="quoted-plain-text">RHEL-07-010270 - Limit Password Reuse - CCE-26923-3</blockquote><blockquote type="cite" class="quoted-plain-text">RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -</blockquote><blockquote type="cite" class="quoted-plain-text">CCE-27286-4</blockquote><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8</blockquote><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -</blockquote><blockquote type="cite" class="quoted-plain-text">CCE-27297-1</blockquote><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7</blockquote><blockquote type="cite" 
class="quoted-plain-text">RHEL-07-010330 - Configure the root Account for Failed Password Attempts</blockquote><blockquote type="cite" class="quoted-plain-text">- CCE-80353-6</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">Every one, in so many words, directs the hand editing of</blockquote><blockquote type="cite" class="quoted-plain-text">/etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">Hopefully, this provides sufficient "particular peculiarities".</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">Back to my original question: How might one use the /authconfig/ command</blockquote><blockquote type="cite" class="quoted-plain-text">to remediate each one of those?</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">How about it?</blockquote><blockquote type="cite" class="quoted-plain-text">I will be tinkering on my own as time allows and I will gladly share</blockquote><blockquote type="cite" class="quoted-plain-text">anything I discover.</blockquote><br>Hello Dan,<br>Historically, we have tried to use authconfig for some of the remediations (smartcards), as it was kind of the obvious choice, right? Well, it backfired a bit, because you cannot really combine authconfig and manual fixes. So after you made some of the more complex fixes by hand (fixes that authconfig was not able to deliver) and then tried to fix a triviality using the authconfig tool, it would revert your manual change.<br><br>One of the problems of old authconfig is no support for `faillock` (support got added in RHEL 7.4, I think; RHEL 6 is affected). So you cannot really fix this one. So we gave up, and reverted to fixing everything by old-style sed-ing :(<br><br>Regards,<br>Marek<br></span></div></div></blockquote><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><br></span></div><div class="_stretch"><span class="body-text-content">I am still looking for suggestions.<br></span></div><div class="_stretch"><span class="body-text-content"><br></span></div><div class="_stretch"><span class="body-text-content">Here is an updated list of OpenSCAP references and the partial results of my tinkering:<br></span></div><div class="_stretch"><span class="body-text-content"><br></span></div><div class="_stretch"><span class="body-text-content">Reference: https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html<br><br>RHEL-06-000000 - Set Password Retry Prompts Permitted Per-Session - CCE-27123-9 - hand changes not overwritten by authconfig<br>RHEL-06-000030 - Prevent Log In to Accounts With Empty Password - CCE-27038-9 - hand changes not overwritten by authconfig<br>RHEL-06-000056 - Set Password Strength Minimum Digit Characters - CCE-26374-9 - hand changes not overwritten by authconfig<br>RHEL-06-000057 - Set Password Strength Minimum Uppercase Characters - CCE-26601-5 - hand changes not overwritten by authconfig<br>RHEL-06-000058 - Set Password Strength Minimum Special Characters - CCE-26409-3 - hand changes not overwritten by authconfig<br>RHEL-06-000059 - Set Password Strength Minimum Lowercase Characters - CCE-26631-2 - hand changes not overwritten by authconfig<br>RHEL-06-000060 - Set Password Strength Minimum Different Characters - CCE-26615-5 - hand changes not overwritten by authconfig<br>RHEL-06-000061 - Set Deny For Failed Password Attempts - CCE-26844-1 --- PROBLEM !!! 
authconfig wipes changes and cannot set them<br>RHEL-06-000062 - Set Password Hashing Algorithm in /etc/pam.d/system-auth - CCE-26303-8 - settable with authconfig (--passalgo=sha512)<br>RHEL-06-000274 - Limit Password Reuse - CCE-26741-9 --- PROBLEM !!! authconfig wipes changes and cannot set them<br>RHEL-06-000299 - Set Password to Maximum of Three Consecutive Repeating Characters - CCE-27227-8 - not yet tested<br>RHEL-06-000356 - Set Lockout Time For Failed Password Attempts - CCE-27110-6 - not yet tested<br>RHEL-06-000357 - Set Interval For Counting Failed Password Attempts - CCE-27215-3 - not yet tested<br><br>Reference: https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html<br><br>RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9 - settable with authconfig (--passalgo=sha512)<br>RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - CCE-27160-1 - hand changes not overwritten by authconfig<br>RHEL-07-010270 - Limit Password Reuse - CCE-26923-3 --- PROBLEM !!! authconfig wipes changes and cannot set them<br>RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - CCE-27286-4 - hand changes not overwritten by authconfig<br>RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8 --- PROBLEM !!! authconfig wipes hand changes and cannot set all of them (PARTIAL): --enablefaillock --faillockargs="deny=3 unlock_time=never fail_interval=900"<br>RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - CCE-27297-1 - not yet tested<br>RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7 - not yet tested<br>RHEL-07-010330 - Configure the root Account for Failed Password Attempts - CCE-80353-6 - not yet tested<br></span></div><div class="_stretch"><span class="body-text-content"><br></span></div><div class="_stretch"><span class="body-text-content">Would a BugZilla ticket get any traction? Who maintains authconfig?<br></span></div><div class="_stretch"><span class="body-text-content"><div><br></div><div class="x-apple-signature">Dan White | d_e_white@icloud.com<br>------------------------------------------------<br>“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & Hobbes)</div></span></div></div></div></div></body></html>
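As an added example (not code from this thread, from authconfig, or from the SSG remediation quoted above), here is a bash script that does the three things the thread keeps circling: it audits a PAM stack file for the items in Dan's lists (sha512 on the pam_unix password line, no nullok, pam_faillock preauth with deny=/unlock_time=/fail_interval=, and a remember= password history), it applies the sha512 change the same way the quoted SSG script does, and it records file hashes before an authconfig run so that a rewrite of system-auth-ac is detected immediately instead of being discovered on the next scan. The audit rules, the hardened stack, the unlock_time value and the function names are my assumptions modelled on the CCE titles in the lists; the two fixture files are constructed, not copied from any host. The only step beyond the SSG script is that the fixer also strips an explicit md5/sha256 token from the pam_unix line, so the line does not end up carrying two contradictory algorithm settings.

```shell
#!/bin/bash
# Added example, not code from the thread, from authconfig or from SSG.
# Audit a PAM stack file for the items in the lists above and apply the
# sha512 fix the quoted SSG remediation uses. File paths are parameters, so
# it can be run against /etc/pam.d/system-auth-ac or against a copy.
# The audit rules are assumptions modelled on the CCE titles in the thread.

# pam_audit FILE: print one line per finding, return 0 only if all pass.
pam_audit() {
    file=$1
    rc=0
    if ! grep -Eq '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so.*\bsha512\b' "$file"; then
        echo "FAIL $file: pam_unix password line lacks sha512"; rc=1
    fi
    if grep -Eq '^(auth|password)[[:space:]]+.*pam_unix\.so.*\bnullok\b' "$file"; then
        echo "FAIL $file: pam_unix has nullok (empty passwords allowed)"; rc=1
    fi
    for opt in deny unlock_time fail_interval; do
        if ! grep -Eq "^auth[[:space:]]+.*pam_faillock\.so[[:space:]]+preauth.*\b$opt=" "$file"; then
            echo "FAIL $file: pam_faillock preauth lacks $opt="; rc=1
        fi
    done
    if ! grep -Eq '^password[[:space:]]+.*(pam_pwhistory|pam_unix)\.so.*\bremember=' "$file"; then
        echo "FAIL $file: no remember= (password reuse not limited)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS $file"
    return "$rc"
}

# pam_fix_sha512 FILE: the SSG approach (append the token if missing), plus
# an addition of my own: drop an explicit weaker algorithm token left on the
# same line so the line does not carry two contradictory settings.
# --follow-symlinks matters on RHEL, where system-auth -> system-auth-ac.
pam_fix_sha512() {
    file=$1
    if ! grep -q '^password.*sufficient.*pam_unix.so.*sha512' "$file"; then
        sed -i --follow-symlinks '/^password.*sufficient.*pam_unix.so/ s/$/ sha512/' "$file"
    fi
    sed -i --follow-symlinks -E \
        '/^password.*sufficient.*pam_unix\.so/ s/[[:space:]]+(md5|sha256|bigcrypt|blowfish)\b//g' "$file"
}

# pam_snapshot SNAP FILE...: record hashes before running authconfig;
# pam_drift SNAP: return non-zero and name any file rewritten since then.
pam_snapshot() { snap=$1; shift; sha256sum "$@" > "$snap"; }
pam_drift() { sha256sum -c --quiet "$1"; }

# Constructed fixtures (account/session sections omitted for brevity):
# an authconfig-style RHEL 6 stack with md5 and nullok, and a hardened one.
write_weak_fixture() {
cat > "$1" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
}
write_hardened_fixture() {
cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
EOF
}

# Walk-through on the fixtures: "bash thisfile.sh demo".
pam_demo() {
    d=$(mktemp -d)
    write_weak_fixture "$d/system-auth-ac"
    write_hardened_fixture "$d/system-auth-ac.hardened"
    pam_audit "$d/system-auth-ac" || true
    pam_fix_sha512 "$d/system-auth-ac"
    pam_audit "$d/system-auth-ac" || true          # sha512 passes now, the rest still fails
    pam_audit "$d/system-auth-ac.hardened" || true
    pam_snapshot "$d/snap" "$d/system-auth-ac"
    write_weak_fixture "$d/system-auth-ac"         # stands in for an authconfig run
    pam_drift "$d/snap" || echo "authconfig-style rewrite detected: re-apply the fixes"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then pam_demo; fi
```

The point of the snapshot pair is the one Marek describes: once some items are hand-edited and others set with authconfig, any later authconfig invocation can silently undo the hand edits, so hashing system-auth-ac and password-auth-ac before every authconfig call and checking afterwards turns that into a loud failure. The audit only looks for tokens on the relevant lines, which is the same level of checking the SSG script does; it does not parse the full PAM control syntax.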