<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><blockquote type="cite" class=""><div class="">On May 27, 2018, at 12:02 PM, Šimon Lukašík <<a href="mailto:slukasik@redhat.com" class="">slukasik@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">On 05/25/2018 11:06 PM, Dan White wrote:<br class=""><blockquote type="cite" class="">I just messed up a baker’s dozen of RHEL 6 virtual machines by hand editing /etc/pam.d files system-auth-ac and password-auth-ac<br class="">I was able to un-mess 8 of them with an authconfig command.<br class="">The other 5 are in various stages of recovery. One had a snapshot but the other 4 are Oracle servers that cannot be snapshot because of shared storage.<br class="">Anyway, what I am looking for here is some brainstorming toward implementing security settings with authconfig commands rather than hand editing the files that utility can alter.<br class="">Thanks.<br class=""></blockquote><br class="">I am not sure this is right forum for this. Nevertheless, I wouldn't be surprised this brainstorming ended before it even started as You didn't provide us particular peculiarities you are faced with and thus left us with very general (and thus hard) task at hand.<br class=""><br class="">Kind regards,<br class="">~š.<br class=""></div></blockquote><div class=""><br class=""></div><div class="">OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9</div></div><div class=""><br class=""></div><div class="">The Remediation shell script says:</div><div class=""><pre style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 13px; padding: 9.5px; margin-top: 0px; margin-bottom: 10px; line-height: 1.42857143; word-break: break-all; color: rgb(51, 51, 51); background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); border-top-left-radius: 4px; border-top-right-radius: 4px; border-bottom-right-radius: 4px; border-bottom-left-radius: 4px; white-space: pre-wrap; overflow: auto !important; word-wrap: normal !important;" class=""><code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: inherit; padding: 0px; color: inherit; background-color: transparent; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px;" class="">AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"
for pamFile in "${AUTH_FILES[@]}"
do
if ! grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then
sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile
fi
done</code></pre><div class=""><br class=""></div></div><div class="">But up at the top of both of those files it says : <span style="font-size: 14px;" class=""><b class="">"User changes will be destroyed the next time authconfig is run”</b></span></div><div class=""><br class=""></div><div class=""><div class="">Here are more:</div><div class=""><br class=""></div><div class=""><div class=""><div class="">RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session - CCE-27160-1</div><div class="">RHEL-07-010270 - Limit Password Reuse - CCE-26923-3</div><div class="">RHEL-07-010290 - Prevent Log In to Accounts With Empty Password - CCE-27286-4</div><div class="">RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8</div><div class="">RHEL-07-010320 - Set Interval For Counting Failed Password Attempts - CCE-27297-1</div><div class="">RHEL-07-010320 - Set Lockout Time For Failed Password Attempts - CCE-26884-7</div><div class="">RHEL-07-010330 - Configure the root Account for Failed Password Attempts - CCE-80353-6</div></div></div><div class=""><br class=""></div><div class="">Every one, in so many words, directs the hand editing of /etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)</div><div class=""><br class=""></div><div class="">Hopefully, this provides sufficient "particular peculiarities"</div><div class=""><br class=""></div><div class="">Back to my original question: How might one use the <i class="">authconfig</i> command to remediate each one of those ?</div><div class=""><br class=""></div><div class="">How about it ?</div><div class="">I will be tinkering on my own as time allows and I will gladly share anything I discover.</div><div class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">_______________________________________________________</div><div class=""><u class="">Dan White : <a href="mailto:d_e_white@icloud.com" class="">d_e_white@icloud.com</a></u></div><div class="">“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” <br class="">Bill Waterson (Calvin & Hobbes)</div></div></div></div></div>
</div>
<br class=""><br class=""></div></div></body></html>