[Open-scap] Using authconfig rather than hand editing files

Pavel Březina pbrezina at redhat.com
Wed May 30 12:03:03 UTC 2018


On 05/29/2018 03:03 PM, Marek Haicman wrote:
> Pavel, can you help us with authconfig? :)
> 
> On 05/29/2018 01:08 PM, Dan White wrote:
>> On May 29, 2018, at 05:26 AM, Marek Haicman <mhaicman at redhat.com> wrote:
>> On 05/27/2018 08:45 PM, Dan White wrote:
>>>>> On May 27, 2018, at 12:02 PM, Šimon Lukašík <slukasik at redhat.com
>>>>> <mailto:slukasik at redhat.com>> wrote:
>>>>>
>>>>> On 05/25/2018 11:06 PM, Dan White wrote:
>>>>>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand
>>>>>> editing /etc/pam.d files system-auth-ac and password-auth-ac
>>>>>> I was able to un-mess 8 of them with an authconfig command.
>>>>>> The other 5 are in various stages of recovery.  One had a snapshot
>>>>>> but the other 4 are Oracle servers that cannot be snapshot because of
>>>>>> shared storage.
>>>>>> Anyway, what I am looking for here is some brainstorming toward
>>>>>> implementing security settings with authconfig commands rather than
>>>>>> hand editing the files that utility can alter.
>>>>>> Thanks.
>>>>>
>>>>> I am not sure this is the right forum for this. Nevertheless, I wouldn't
>>>>> be surprised if this brainstorming ended before it even started, as you
>>>>> didn't provide us with the particular peculiarities you are faced with and
>>>>> thus left us with a very general (and thus hard) task at hand.
>>>>>
>>>>> Kind regards,
>>>>> ~š.
>>>>
>>>> OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing
>>>> Algorithm - CCE-27104-9
>>>>
>>>> The Remediation shell script says:
>>>>
>>>> AUTH_FILES[0]="/etc/pam.d/system-auth"
>>>> AUTH_FILES[1]="/etc/pam.d/password-auth"
>>>> for pamFile in "${AUTH_FILES[@]}"
>>>> do
>>>>   if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
>>>>     sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
>>>>   fi
>>>> done
>>>>
>>>>
>>>> But up at the top of both of those files it says: "User changes will
>>>> be destroyed the next time authconfig is run"
>>>>
>>>> Here are more:
>>>>
>>>> RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -
>>>> CCE-27160-1
>>>> RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
>>>> RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -
>>>> CCE-27286-4
>>>> RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
>>>> RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -
>>>> CCE-27297-1
>>>> RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - 
>>>> CCE-26884-7
>>>> RHEL-07-010330 - Configure the root Account for Failed Password 
>>>> Attempts
>>>> - CCE-80353-6
>>>>
>>>> Every one, in so many words, directs the hand editing of
>>>> /etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)
>>>>
>>>> Hopefully, this provides sufficient "particular peculiarities"
>>>>
>>>> Back to my original question: How might one use the authconfig command
>>>> to remediate each one of those ?
>>>>
>>>> How about it ?
>>>> I will be tinkering on my own as time allows and I will gladly share
>>>> anything I discover.
>>>
>>> Hello Dan,
>>> Historically, we have tried to use authconfig for some of the
>>> remediations (smartcards), as it was kind of the obvious choice, right?
>>> Well, it backfired a bit, because you cannot really combine authconfig
>>> and manual fixes. So after you made some of the more complex fixes by
>>> hand (fixes that authconfig was not able to deliver) and then tried to
>>> fix a triviality using the authconfig tool, it would revert your manual
>>> change.
>>>
>>> One of the problems of old authconfig (support got added in RHEL 7.4 I
>>> think; RHEL 6 is affected) is no support for `faillock`. So you cannot
>>> really fix this one. So we gave up and reverted to fixing everything by
>>> old-style sed-ing :(
>>>
>>> Regards,
>>> Marek
>>
>> I am still looking for suggestions.
>>
>> Here is an updated list of OpenSCAP references and the partial results 
>> of my tinkering:
>>
>> Reference: 
>> https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html 
>>
>>
>> RHEL-06-000000 - Set Password Retry Prompts Permitted Per-Session - 
>> CCE-27123-9 - hand changes not overwritten by authconfig
>> RHEL-06-000030 - Prevent Log In to Accounts With Empty Password - 
>> CCE-27038-9 - hand changes not overwritten by authconfig
>> RHEL-06-000056 - Set Password Strength Minimum Digit Characters - 
>> CCE-26374-9 - hand changes not overwritten by authconfig
>> RHEL-06-000057 - Set Password Strength Minimum Uppercase Characters - 
>> CCE-26601-5 - hand changes not overwritten by authconfig
>> RHEL-06-000058 - Set Password Strength Minimum Special Characters - 
>> CCE-26409-3 - hand changes not overwritten by authconfig
>> RHEL-06-000059 - Set Password Strength Minimum Lowercase Characters - 
>> CCE-26631-2 - hand changes not overwritten by authconfig
>> RHEL-06-000060 - Set Password Strength Minimum Different Characters - 
>> CCE-26615-5 - hand changes not overwritten by authconfig
>> RHEL-06-000061 - Set Deny For Failed Password Attempts - CCE-26844-1 
>> --- PROBLEM !!! authconfig wipes changes and cannot set them
>> RHEL-06-000062 - Set Password Hashing Algorithm in 
>> /etc/pam.d/system-auth - CCE-26303-8 settable with authconfig 
>> (--passalgo=sha512)
>> RHEL-06-000274 - Limit Password Reuse - CCE-26741-9 --- PROBLEM !!! 
>> authconfig wipes changes and cannot set them
>> RHEL-06-000299 - Set Password to Maximum of Three Consecutive 
>> Repeating Characters - CCE-27227-8 not yet tested
>> RHEL-06-000356 - Set Lockout Time For Failed Password Attempts - 
>> CCE-27110-6 not yet tested
>> RHEL-06-000357 - Set Interval For Counting Failed Password Attempts - 
>> CCE-27215-3 not yet tested
>>
>> Reference: 
>> https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html 
>>
>>
>> RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9 
>> settable with authconfig (--passalgo=sha512)
>> RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - 
>> CCE-27160-1 - hand changes not overwritten by authconfig
>> RHEL-07-010270 - Limit Password Reuse - CCE-26923-3 --- PROBLEM !!! 
>> authconfig wipes changes and cannot set them
>> RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - 
>> CCE-27286-4 - hand changes not overwritten by authconfig
>> RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8 
>> --- PROBLEM !!! authconfig wipes hand changes and cannot set all of 
>> them (PARTIAL) --enablefaillock --faillockargs="deny=3 
>> unlock_time=never fail_interval=900"
>> RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - 
>> CCE-27297-1 not yet tested
>> RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - 
>> CCE-26884-7 not yet tested
>> RHEL-07-010330 - Configure the root Account for Failed Password 
>> Attempts - CCE-80353-6 not yet tested
>>
>> Would a BugZilla ticket get any traction ?  Who maintains authconfig ?

BZ for what? I'm not sure what exactly you want to achieve with
authconfig.

Some of these changes can be done through authconfig, for example it can 
configure pam_pwquality for password complexity. See authconfig --help 
for all the options.

Manual changes will be overwritten next time authconfig is called.
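As an added example, not code from authconfig, the SSG project or anyone in
this thread: a small POSIX shell audit that checks a PAM stack file for the
settings discussed above (sha512 on the pam_unix password line, no nullok,
remember=N, pam_faillock deny=N) and carries an idempotent form of the quoted
sha512 remediation. It does not call authconfig; run it against
/etc/pam.d/system-auth before and after an authconfig invocation to see which
hand edits got regenerated away. The two sample stacks are constructed inline
(one modelled on authconfig's RHEL 7 output, one hand-hardened); the exact
pam_faillock and pam_pwhistory line forms in them are assumptions written in
the style of the SSG guidance, not taken from the page.

```shell
#!/bin/sh
# Added example (not from authconfig, SSG or the thread): audit a PAM stack
# file for the STIG/SSG items discussed above. Sample stacks are constructed
# inline in temp files, so nothing here touches /etc/pam.d.

# 0 if the pam_unix password line carries sha512 (RHEL-07-010200 / RHEL-06-000062)
pam_has_sha512() {
    grep -Eq '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so.*[[:space:]]sha512' "$1"
}

# 0 if no auth/password pam_unix line allows empty passwords via nullok
pam_no_nullok() {
    ! grep -Eq '^(auth|password)[[:space:]]+[^[:space:]]+[[:space:]]+pam_unix\.so.*[[:space:]]nullok' "$1"
}

# 0 if password history keeps at least $2 entries (remember=N on pam_unix or pam_pwhistory)
pam_remember_at_least() {
    n=$(sed -n -E 's/^password[[:space:]].*pam_(unix|pwhistory)\.so.*[[:space:]]remember=([0-9]+).*/\2/p' "$1" | sort -n | tail -n 1)
    [ -n "$n" ] && [ "$n" -ge "$2" ]
}

# 0 if a pam_faillock preauth line is in the auth stack with deny <= $2
pam_faillock_deny_at_most() {
    n=$(sed -n -E 's/^auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+preauth.*[[:space:]]deny=([0-9]+).*/\1/p' "$1" | head -n 1)
    [ -n "$n" ] && [ "$n" -le "$2" ]
}

# Idempotent form of the quoted SSG remediation: append sha512 only when it is
# missing, so re-running never stacks a second "sha512". --follow-symlinks is
# GNU sed and matters because system-auth is a symlink to system-auth-ac.
remediate_sha512() {
    pam_has_sha512 "$1" || sed -i --follow-symlinks -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ s/$/ sha512/' "$1"
}

# Run every check against one file, print PASS/FAIL per check, return the failure count.
audit_pam_file() {
    fails=0
    for check in "pam_has_sha512 $1" "pam_no_nullok $1" "pam_remember_at_least $1 5" "pam_faillock_deny_at_most $1 3"; do
        if $check; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails+1)); fi
    done
    return $fails
}

# Constructed sample 1: modelled on what authconfig writes on RHEL 7. Note the
# nullok, no pam_faillock and no remember=; authconfig regenerates the whole file.
write_authconfig_sample() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
    echo "$f"
}

# Constructed sample 2: the same stack after the hand edits the STIG items ask
# for (assumed line forms, in the style of the SSG guidance).
write_hardened_sample() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    required      pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
    echo "$f"
}

# Stand-alone demo: audit both samples (expect 3 failures for the authconfig one, 0 for the hardened one).
for sample in "$(write_authconfig_sample)" "$(write_hardened_sample)"; do
    echo "== $sample"
    audit_pam_file "$sample" || echo "   $? check(s) failed"
    rm -f "$sample"
done
```

The check functions return 0/1 so they chain in plain sh; audit_pam_file
returns the failure count, which is what you want from a cron or CI check.
On a real host, point the functions at /etc/pam.d/system-auth and
/etc/pam.d/password-auth, run authconfig, then audit again: the checks that
flip to FAIL are exactly the hand edits authconfig will not preserve.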
