[Open-scap] Using authconfig rather than hand editing files

Tue May 29 13:03:23 UTC 2018

Pavel, can you help us with authconfig? :)

On 05/29/2018 01:08 PM, Dan White wrote:
> On May 29, 2018, at 05:26 AM, Marek Haicman <mhaicman at redhat.com> wrote:
> On 05/27/2018 08:45 PM, Dan White wrote:
>>>> On May 27, 2018, at 12:02 PM, Šimon Lukašík <slukasik at redhat.com
>>>> <mailto:slukasik at redhat.com>> wrote:
>>>>
>>>> On 05/25/2018 11:06 PM, Dan White wrote:
>>>>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand
>>>>> editing /etc/pam.d files system-auth-ac and password-auth-ac
>>>>> I was able to un-mess 8 of them with an authconfig command.
>>>>> The other 5 are in various stages of recovery.  One had a snapshot
>>>>> but the other 4 are Oracle servers that cannot be snapshot because of
>>>>> shared storage.
>>>>> Anyway, what I am looking for here is some brainstorming toward
>>>>> implementing security settings with authconfig commands rather than
>>>>> hand editing the files that utility can alter.
>>>>> Thanks.
>>>>
>>>> I am not sure this is right forum for this. Nevertheless, I wouldn't
>>>> be surprised this brainstorming ended before it even started as You
>>>> didn't provide us particular peculiarities you are faced with and thus
>>>> left us with very general (and thus hard) task at hand.
>>>>
>>>> Kind regards,
>>>> ~š.
>>>
>>> OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing
>>> Algorithm - CCE-27104-9
>>>
>>> The Remediation shell script says:
>>>
>>> |AUTH_FILES[0]="/etc/pam.d/system-auth"
>>> AUTH_FILES[1]="/etc/pam.d/password-auth" for pamFile in
>>> "${AUTH_FILES[@]}" do if ! grep -q
>>> "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then sed -i
>>> --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/"
>>> $pamFile fi done|
>>>
>>>
>>> But up at the top of both of those files it says : *"User changes will
>>> be destroyed the next time authconfig is run”*
>>>
>>> Here are more:
>>>
>>> RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -
>>> CCE-27160-1
>>> RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
>>> RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -
>>> CCE-27286-4
>>> RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
>>> RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -
>>> CCE-27297-1
>>> RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - 
>>> CCE-26884-7
>>> RHEL-07-010330 - Configure the root Account for Failed Password Attempts
>>> - CCE-80353-6
>>>
>>> Every one, in so many words, directs the hand editing of
>>> /etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)
>>>
>>> Hopefully, this provides sufficient "particular peculiarities"
>>>
>>> Back to my original question: How might one use the /authconfig/ command
>>> to remediate each one of those ?
>>>
>>> How about it ?
>>> I will be tinkering on my own as time allows and I will gladly share
>>> anything I discover.
>>
>> Hello Dan,
>> historically, we have tried to use authconfig for some of the
>> remediations (smartcards), as it was kind of obvious choice, right?
>> Well, it fired back a bit, because you cannot really combine authconfig
>> and manual fixes. So after you made some of the more complex fixes by
>> hand (fixes that authconfig was not able to deliver) and then tried to
>> fix a triviality using authconfig tool, it would revert your manual 
>> change.
>>
>> One of the problems of old authconfig (got added in RHEL7.4 I think,
>> RHEL6 is affected) is no support for `faillock`. So you cannot really
>> fix this one. So we gave up, and reverted to fixing everything by old
>> style sed-ing :(
>>
>> Regards,
>> Marek
> 
> I am still looking for suggestions.
> 
> Here is an updated list of OpenSCAP references and the partial results 
> of my tinkering:
> 
> Reference: 
> https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html
> 
> RHEL-06-000000 - Set Password Retry Prompts Permitted Per-Session - 
> CCE-27123-9 - hand changes not overwritten by authconfig
> RHEL-06-000030 - Prevent Log In to Accounts With Empty Password - 
> CCE-27038-9 - hand changes not overwritten by authconfig
> RHEL-06-000056 - Set Password Strength Minimum Digit Characters - 
> CCE-26374-9 - hand changes not overwritten by authconfig
> RHEL-06-000057 - Set Password Strength Minimum Uppercase Characters - 
> CCE-26601-5 - hand changes not overwritten by authconfig
> RHEL-06-000058 - Set Password Strength Minimum Special Characters - 
> CCE-26409-3 - hand changes not overwritten by authconfig
> RHEL-06-000059 - Set Password Strength Minimum Lowercase Characters - 
> CCE-26631-2 - hand changes not overwritten by authconfig
> RHEL-06-000060 - Set Password Strength Minimum Different Characters - 
> CCE-26615-5 - hand changes not overwritten by authconfig
> RHEL-06-000061 - Set Deny For Failed Password Attempts - CCE-26844-1 --- 
> PROBLEM !!! authconfig wipes changes and cannot set them
> RHEL-06-000062 - Set Password Hashing Algorithm in 
> /etc/pam.d/system-auth - CCE-26303-8 settable with authconfig 
> (--passalgo=sha512)
> RHEL-06-000274 - Limit Password Reuse - CCE-26741-9 --- PROBLEM !!! 
> authconfig wipes changes and cannot set them
> RHEL-06-000299 - Set Password to Maximum of Three Consecutive Repeating 
> Characters - CCE-27227-8 not yet tested
> RHEL-06-000356 - Set Lockout Time For Failed Password Attempts - 
> CCE-27110-6 not yet tested
> RHEL-06-000357 - Set Interval For Counting Failed Password Attempts - 
> CCE-27215-3 not yet tested
> 
> Reference: 
> https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html
> 
> RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9 
> settable with authconfig (--passalgo=sha512)
> RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - 
> CCE-27160-1 - hand changes not overwritten by authconfig
> RHEL-07-010270 - Limit Password Reuse - CCE-26923-3 --- PROBLEM !!! 
> authconfig wipes changes and cannot set them
> RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - 
> CCE-27286-4 - hand changes not overwritten by authconfig
> RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8 --- 
> PROBLEM !!! authconfig wipes hand changes and cannot set all of them 
> (PARTIAL) --enablefaillock --faillockargs="deny=3 unlock_time=never 
> fail_interval=900"
> RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - 
> CCE-27297-1 not yet tested
> RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - 
> CCE-26884-7 not yet tested
> RHEL-07-010330 - Configure the root Account for Failed Password Attempts 
> - CCE-80353-6 not yet tested
> 
> Would a BugZilla ticket get any traction ?  Who maintains authconfig ?
> 
> Dan White | d_e_white at icloud.com
> ------------------------------------------------
> “Sometimes I think the surest sign that intelligent life exists 
> elsewhere in the universe is that none of it has tried to contact us.”  
> (Bill Waterson: Calvin & Hobbes)