<html><body><div>On May 30, 2018, at 08:03 AM, Pavel Březina <pbrezina@redhat.com> wrote:<br><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content">On 05/29/2018 03:03 PM, Marek Haicman wrote:<br><blockquote type="cite" class="quoted-plain-text">Pavel, can you help us with authconfig? :)</blockquote><blockquote type="cite" class="quoted-plain-text"><br></blockquote><blockquote type="cite" class="quoted-plain-text">On 05/29/2018 01:08 PM, Dan White wrote:</blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">On May 29, 2018, at 05:26 AM, Marek Haicman <mhaicman@redhat.com> wrote:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">On 05/27/2018 08:45 PM, Dan White wrote:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">On May 27, 2018, at 12:02 PM, Šimon Lukašík <slukasik@redhat.com</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><mailto:slukasik@redhat.com>> wrote:</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">On 05/25/2018 11:06 PM, Dan White wrote:</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I just messed up a baker’s dozen of RHEL 6 virtual machines by hand</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">editing /etc/pam.d files system-auth-ac and password-auth-ac</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I was able to un-mess 8 of them with an authconfig command.</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">The other 5 are in various stages of recovery.  One had a snapshot</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">but the other 4 are Oracle servers that cannot be snapshot because of</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">shared storage.</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Anyway, what I am looking for here is some brainstorming toward</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">implementing security settings with authconfig commands rather than</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">hand editing the files that utility can alter.</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Thanks.</blockquote></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I am not sure this is right forum for this. Nevertheless, I wouldn't</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">be surprised this brainstorming ended before it even started as You</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">didn't provide us particular peculiarities you are faced with and thus</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">left us with very general (and thus hard) task at hand.</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Kind regards,</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">~š.</blockquote></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">OK, let’s start with RHEL-07-010200 - Set PAM's Password Hashing</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Algorithm - CCE-27104-9</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">The Remediation shell script says:</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">|AUTH_FILES[0]="/etc/pam.d/system-auth"</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">AUTH_FILES[1]="/etc/pam.d/password-auth" for pamFile in</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">"${AUTH_FILES[@]}" do if ! grep -q</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">"^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then sed -i</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">--follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/"</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">$pamFile fi done|</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">But up at the top of both of those files it says : *"User changes will</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">be destroyed the next time authconfig is run”*</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Here are more:</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27160-1</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010270 - Limit Password Reuse - CCE-26923-3</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27286-4</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27297-1</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Lockout Time For Failed Password Attempts -</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26884-7</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010330 - Configure the root Account for Failed Password</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Attempts</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">- CCE-80353-6</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Every one, in so many words, directs the hand editing of</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">/etc/pam.d/system-auth(-ac) and/or /etc/pam.d/password-auth(-ac)</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Hopefully, this provides sufficient "particular peculiarities"</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Back to my original question: How might one use the /authconfig/</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">command</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">to remediate each one of those ?</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">How about it ?</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I will be tinkering on my own as time allows and I will gladly share</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">anything I discover.</blockquote></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Hello Dan,</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">historically, we have tried to use authconfig for some of the</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">remediations (smartcards), as it was kind of obvious choice, right?</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Well, it fired back a bit, because you cannot really combine authconfig</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">and manual fixes. So after you made some of the more complex fixes by</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">hand (fixes that authconfig was not able to deliver) and then tried to</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">fix a triviality using authconfig tool, it would revert your manual</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">change.</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">One of the problems of old authconfig (got added in RHEL7.4 I think,</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL6 is affected) is no support for `faillock`. So you cannot really</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">fix this one. So we gave up, and reverted to fixing everything by old</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">style sed-ing :(</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Regards,</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Marek</blockquote></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">I am still looking for suggestions.</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Here is an updated list of OpenSCAP references and the partial results</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">of my tinkering:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Reference:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><a href="https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html" data-mce-href="https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html">https://static.open-scap.org/ssg-guides/ssg-rhel6-guide-stig-rhel6-disa.html</a><br data-mce-bogus="1"></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000000 - Set Password Retry Prompts Permitted Per-Session -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27123-9 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000030 - Prevent Log In to Accounts With Empty Password -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27038-9 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000056 - Set Password Strength Minimum Digit Characters -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26374-9 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000057 - Set Password Strength Minimum Uppercase Characters -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26601-5 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000058 - Set Password Strength Minimum Special Characters -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26409-3 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000059 - Set Password Strength Minimum Lowercase Characters -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26631-2 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000060 - Set Password Strength Minimum Different Characters -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26615-5 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000061 - Set Deny For Failed Password Attempts - CCE-26844-1</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">--- PROBLEM !!! authconfig wipes changes and cannot set them</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000062 - Set Password Hashing Algorithm in</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">/etc/pam.d/system-auth - CCE-26303-8 settable with authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">(--passalgo=sha512)</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000274 - Limit Password Reuse - CCE-26741-9 --- PROBLEM !!!</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">authconfig wipes changes and cannot set them</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000299 - Set Password to Maximum of Three Consecutive</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Repeating Characters - CCE-27227-8 not yet tested</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000356 - Set Lockout Time For Failed Password Attempts -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27110-6 not yet tested</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-06-000357 - Set Interval For Counting Failed Password Attempts -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27215-3 not yet tested</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Reference:</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><a href="https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html" data-mce-href="https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html">https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig-rhel7-disa.html</a><br data-mce-bogus="1"></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010200 - Set PAM's Password Hashing Algorithm - CCE-27104-9</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">settable with authconfig (--passalgo=sha512)</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010119 - Set Password Retry Prompts Permitted Per-Session -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27160-1 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010270 - Limit Password Reuse - CCE-26923-3 --- PROBLEM !!!</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">authconfig wipes changes and cannot set them</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010290 - Prevent Log In to Accounts With Empty Password -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27286-4 - hand changes not overwritten by authconfig</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Deny For Failed Password Attempts - CCE-27350-8</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">--- PROBLEM !!! authconfig wipes hand changes and cannot set all of</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">them (PARTIAL) --enablefaillock --faillockargs="deny=3</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">unlock_time=never fail_interval=900"</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Interval For Counting Failed Password Attempts -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-27297-1 not yet tested</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010320 - Set Lockout Time For Failed Password Attempts -</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">CCE-26884-7 not yet tested</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">RHEL-07-010330 - Configure the root Account for Failed Password</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Attempts - CCE-80353-6 not yet tested</blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text"><br></blockquote></blockquote><blockquote type="cite" class="quoted-plain-text"><blockquote type="cite" class="quoted-plain-text">Would a BugZilla ticket get any traction ?  Who maintains authconfig ?</blockquote></blockquote><br>BZ for what? I'm not sure what exactly do you want to achieve with <br>authconfig.<br><br>Some of these changes can be done through authconfig, for example it can <br>configure pam_pwquality for password complexity. See authconfig --help <br>for all the options.<br><br>Manual changes will be overwritten next time authconfig is called.</span></div></div></blockquote></div><div><span><br data-mce-bogus="1"></span></div><div><span><div>That is the whole point of the query.<br></div><div><span><br data-mce-bogus="1"></span></div><div><span>This is for security hardening.<br data-mce-bogus="1"></span></div><div><span><span>Authconfig removes stuff that needs to stay in.</span></span></div><div><span><span>I am suggesting updates for authconfig to provide the required settings it currently removes.<br data-mce-bogus="1"></span></span></div><div><span><span><span><br data-mce-bogus="1"></span></span></span></div><div class="x-apple-signature">Dan White | d_e_white@icloud.com<br>------------------------------------------------<br>“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & Hobbes)</div><div><br data-mce-bogus="1"></div> </span></div></div></body></html>