[Open-scap] Using authconfig rather than hand editing files

Dan White d_e_white at icloud.com
Sun May 27 18:45:53 UTC 2018


> On May 27, 2018, at 12:02 PM, Šimon Lukašík <slukasik at redhat.com> wrote:
> 
> On 05/25/2018 11:06 PM, Dan White wrote:
>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand editing /etc/pam.d files system-auth-ac and password-auth-ac
>> I was able to un-mess 8 of them with an authconfig command.
>> The other 5 are in various stages of recovery.  One had a snapshot but the other 4 are Oracle servers that cannot be snapshot because of shared storage.
>> Anyway, what I am looking for here is some brainstorming toward implementing security settings with authconfig commands rather than hand editing the files that utility can alter.
>> Thanks.
> 
> I am not sure this is the right forum for this. Nevertheless, I wouldn't be surprised if this brainstorming ended before it even started, as you didn't provide us the particular peculiarities you are faced with and thus left us with a very general (and thus hard) task at hand.
> 
> Kind regards,
> ~š.

OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9

The Remediation shell script says:
AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
	if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
		sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
	fi
done

But up at the top of both of those files it says: "User changes will be destroyed the next time authconfig is run"

Here are more:

RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - CCE-27160-1
RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - CCE-27286-4
RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - CCE-27297-1
RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7
RHEL-07-010330 - Configure the root Account for Failed Password Attempts - CCE-80353-6

Every one, in so many words, directs the hand editing of /etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac).

Hopefully, this provides sufficient "particular peculiarities".

Back to my original question: How might one use the authconfig command to remediate each one of those?

How about it?
I will be tinkering on my own as time allows and I will gladly share anything I discover.
_______________________________________________________
Dan White : d_e_white at icloud.com
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)
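As an added example (not from the thread or from the SCAP content), the following POSIX shell script runs the remediation's own grep against a PAM stack file and, instead of sed-editing it, prints the authconfig invocation that would apply the missing settings. --passalgo=sha512 and --update are authconfig options; the --enablefaillock/--faillockargs pair and the sample PAM lines are assumptions constructed here.

```shell
# Added example, not from the thread: same greps as the RHEL-07-010200/010320
# remediation, but emits the authconfig command instead of sed-editing a file
# that authconfig overwrites on its next run.
# 0 if the pam_unix password line already carries sha512 (CCE-27104-9).
pam_has_sha512() {
    grep -q '^password.*sufficient.*pam_unix.so.*sha512' "$1"
}

# 0 if pam_faillock is in the auth stack with deny=<N> (CCE-27350-8).
pam_has_faillock_deny() {
    grep -Eq "^auth.*pam_faillock\.so.*deny=$2([[:space:]]|\$)" "$1"
}

# Print the authconfig command for what the file lacks, nothing if compliant.
# --passalgo/--update are documented RHEL 7 flags; --enablefaillock and
# --faillockargs are assumed, confirm with `authconfig --help` on the target.
authconfig_remediation() {
    file=$1
    deny=${2:-3}
    flags=''
    pam_has_sha512 "$file" || flags="$flags --passalgo=sha512"
    pam_has_faillock_deny "$file" "$deny" ||
        flags="$flags --enablefaillock --faillockargs=\"deny=$deny unlock_time=900 fail_interval=900\""
    [ -n "$flags" ] && printf 'authconfig%s --update\n' "$flags"
    return 0
}

# Constructed sample in the shape of a stock system-auth-ac: md5, no faillock.
sample_noncompliant() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF
    echo "$f"
}

# Constructed sample that already satisfies both checks.
sample_compliant() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
    echo "$f"
}
authconfig_remediation "$(sample_noncompliant)"
```

Running it prints a single `authconfig ... --update` line for the non-compliant sample and nothing for the compliant one, so the same functions double as a check and as the command generator.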

