[Open-scap] Using authconfig rather than hand editing files

Thu May 31 08:01:08 UTC 2018

On 05/30/2018 06:44 PM, Dan White wrote:
> On May 30, 2018, at 08:03 AM, Pavel Březina <pbrezina at redhat.com> wrote:
>> On 05/29/2018 03:03 PM, Marek Haicman wrote:
>>> Pavel, can you help us with authconfig? :)
>>>
>>> On 05/29/2018 01:08 PM, Dan White wrote:
>>>> On May 29, 2018, at 05:26 AM, Marek Haicman <mhaicman at redhat.com> wrote:
>>>> On 05/27/2018 08:45 PM, Dan White wrote:
>>>>>>> On May 27, 2018, at 12:02 PM, Šimon Lukašík <slukasik at redhat.com
>>>>>>> <mailto:slukasik at redhat.com>> wrote:
>>>>>>>
>>>>>>> On 05/25/2018 11:06 PM, Dan White wrote:
>>>>>>>> I just messed up a baker’s dozen of RHEL 6 virtual machines by hand
>>>>>>>> editing /etc/pam.d files system-auth-ac and password-auth-ac
>>>>>>>> I was able to un-mess 8 of them with an authconfig command.
>>>>>>>> The other 5 are in various stages of recovery.  One had a snapshot
>>>>>>>> but the other 4 are Oracle servers that cannot be snapshot 
>>>>>>>> because of
>>>>>>>> shared storage.
>>>>>>>> Anyway, what I am looking for here is some brainstorming toward
>>>>>>>> implementing security settings with authconfig commands rather than
>>>>>>>> hand editing the files that utility can alter.
>>>>>>>> Thanks.
>>>>>>>
>>>>>>> I am not sure this is right forum for this. Nevertheless, I wouldn't
>>>>>>> be surprised this brainstorming ended before it even started as You
>>>>>>> didn't provide us particular peculiarities you are faced with and 
>>>>>>> thus
>>>>>>> left us with very general (and thus hard) task at hand.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> ~š.
>>>>>>
>>>>>> OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing
>>>>>> Algorithm - CCE-27104-9
>>>>>>
>>>>>> The Remediation shell script says:
>>>>>>
>>>>>> |AUTH_FILES[0]="/etc/pam.d/system-auth"
>>>>>> AUTH_FILES[1]="/etc/pam.d/password-auth" for pamFile in
>>>>>> "${AUTH_FILES[@]}" do if ! grep -q
>>>>>> "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then sed -i
>>>>>> --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/"
>>>>>> $pamFile fi done|
>>>>>>
>>>>>>
>>>>>> But up at the top of both of those files it says : *"User changes will
>>>>>> be destroyed the next time authconfig is run”*
>>>>>>
>>>>>> Here are more:
>>>>>>
>>>>>> RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -
>>>>>> CCE-27160-1
>>>>>> RHEL-07-010270 - Limit Password Reuse - CCE-26923-3
>>>>>> RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -
>>>>>> CCE-27286-4
>>>>>> RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
>>>>>> RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -
>>>>>> CCE-27297-1
>>>>>> RHEL-07-010320 - Set Lockout Time For Failed Password Attempts -
>>>>>> CCE-26884-7
>>>>>> RHEL-07-010330 - Configure the root Account for Failed Password
>>>>>> Attempts
>>>>>> - CCE-80353-6
>>>>>>
>>>>>> Every one, in so many words, directs the hand editing of
>>>>>> /etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)
>>>>>>
>>>>>> Hopefully, this provides sufficient "particular peculiarities"
>>>>>>
>>>>>> Back to my original question: How might one use the /authconfig/
>>>>>> command
>>>>>> to remediate each one of those ?
>>>>>>
>>>>>> How about it ?
>>>>>> I will be tinkering on my own as time allows and I will gladly share
>>>>>> anything I discover.
>>>>>
>>>>> Hello Dan,
>>>>> historically, we have tried to use authconfig for some of the
>>>>> remediations (smartcards), as it was kind of obvious choice, right?
>>>>> Well, it fired back a bit, because you cannot really combine authconfig
>>>>> and manual fixes. So after you made some of the more complex fixes by
>>>>> hand (fixes that authconfig was not able to deliver) and then tried to
>>>>> fix a triviality using authconfig tool, it would revert your manual
>>>>> change.
>>>>>
>>>>> One of the problems of old authconfig (got added in RHEL7.4 I think,
>>>>> RHEL6 is affected) is no support for `faillock`. So you cannot really
>>>>> fix this one. So we gave up, and reverted to fixing everything by old
>>>>> style sed-ing :(
>>>>>
>>>>> Regards,
>>>>> Marek
>>>>
>>>> I am still looking for suggestions.
>>>>
>>>> Here is an updated list of OpenSCAP references and the partial results
>>>> of my tinkering:
>>>>
>>>> Reference:
>>>> https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html
>>>>
>>>>
>>>> RHEL-06-000000 - Set Password Retry Prompts Permitted Per-Session -
>>>> CCE-27123-9 - hand changes not overwritten by authconfig
>>>> RHEL-06-000030 - Prevent Log In to Accounts With Empty Password -
>>>> CCE-27038-9 - hand changes not overwritten by authconfig
>>>> RHEL-06-000056 - Set Password Strength Minimum Digit Characters -
>>>> CCE-26374-9 - hand changes not overwritten by authconfig
>>>> RHEL-06-000057 - Set Password Strength Minimum Uppercase Characters -
>>>> CCE-26601-5 - hand changes not overwritten by authconfig
>>>> RHEL-06-000058 - Set Password Strength Minimum Special Characters -
>>>> CCE-26409-3 - hand changes not overwritten by authconfig
>>>> RHEL-06-000059 - Set Password Strength Minimum Lowercase Characters -
>>>> CCE-26631-2 - hand changes not overwritten by authconfig
>>>> RHEL-06-000060 - Set Password Strength Minimum Different Characters -
>>>> CCE-26615-5 - hand changes not overwritten by authconfig
>>>> RHEL-06-000061 - Set Deny For Failed Password Attempts - CCE-26844-1
>>>> --- PROBLEM !!! authconfig wipes changes and cannot set them
>>>> RHEL-06-000062 - Set Password Hashing Algorithm in
>>>> /etc/pam.d/system-auth - CCE-26303-8 settable with authconfig
>>>> (--passalgo=sha512)
>>>> RHEL-06-000274 - Limit Password Reuse - CCE-26741-9 --- PROBLEM !!!
>>>> authconfig wipes changes and cannot set them
>>>> RHEL-06-000299 - Set Password to Maximum of Three Consecutive
>>>> Repeating Characters - CCE-27227-8 not yet tested
>>>> RHEL-06-000356 - Set Lockout Time For Failed Password Attempts -
>>>> CCE-27110-6 not yet tested
>>>> RHEL-06-000357 - Set Interval For Counting Failed Password Attempts -
>>>> CCE-27215-3 not yet tested
>>>>
>>>> Reference:
>>>> https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html
>>>>
>>>>
>>>> RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9
>>>> settable with authconfig (--passalgo=sha512)
>>>> RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -
>>>> CCE-27160-1 - hand changes not overwritten by authconfig
>>>> RHEL-07-010270 - Limit Password Reuse - CCE-26923-3 --- PROBLEM !!!
>>>> authconfig wipes changes and cannot set them
>>>> RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -
>>>> CCE-27286-4 - hand changes not overwritten by authconfig
>>>> RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8
>>>> --- PROBLEM !!! authconfig wipes hand changes and cannot set all of
>>>> them (PARTIAL) --enablefaillock --faillockargs="deny=3
>>>> unlock_time=never fail_interval=900"
>>>> RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -
>>>> CCE-27297-1 not yet tested
>>>> RHEL-07-010320 - Set Lockout Time For Failed Password Attempts -
>>>> CCE-26884-7 not yet tested
>>>> RHEL-07-010330 - Configure the root Account for Failed Password
>>>> Attempts - CCE-80353-6 not yet tested
>>>>
>>>> Would a BugZilla ticket get any traction ?  Who maintains authconfig ?
>>
>> BZ for what? I'm not sure what exactly do you want to achieve with
>> authconfig.
>>
>> Some of these changes can be done through authconfig, for example it can
>> configure pam_pwquality for password complexity. See authconfig --help
>> for all the options.
>>
>> Manual changes will be overwritten next time authconfig is called.

There are several pam stacks managed by authconfig:
- password-auth
- system-auth
- smartcard-auth
- fingerprint-auth
- postlogin

These files are just symlinks to $name-ac files that are written by 
authconfig. If you need to do any changes that should persist, remove 
the symlink and than edit the file without -ac suffix. Of course this 
means that you stop using authconfig, but that is alright for most cases 
as you need to configure it only once.

> That is the whole point of the query.
> 
> This is for security hardening.
> Authconfig removes stuff that needs to stay in.
> I am suggesting updates for authconfig to provide the required settings 
> it currently removes.