This set of patches is all related to adding value selectors to the deny_password_attempts rule, based on feedback from DISA FSO.
Willy Santos (4):
  Added Value section for login retries and made necessary changes to the deny_password_attempts to reflect the use of these values.
  Created OVAL check accounts_passwords_pam_faillock_deny, for checking the configured maximum number of failed login attempts the system will allow before locking the account.
  Added <sub> sections to the deny_password_attempts rule for automatic substitution of correct value depending on profile.
  Added <refine-value> for STIG-specific value for failed login attempts.
 .../accounts_passwords_pam_faillock_deny.xml |   50 ++++++++++++++++++++
 RHEL6/input/profiles/STIG-server.xml         |    2 +
 RHEL6/input/system/accounts/pam.xml          |   25 +++++++---
 3 files changed, 70 insertions(+), 7 deletions(-)
 create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
Signed-off-by: Willy Santos <wsantos@redhat.com>
---
 RHEL6/input/system/accounts/pam.xml |   19 +++++++++++++++----
 1 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 97193d9..16f0bf3 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -164,6 +164,15 @@ passwords</warning> <value selector="4">4</value> <value selector="5">5</value> </Value> +<Value id="var_accounts_passwords_pam_faillock_deny" type="number" +operator="equals" interactive="0"> +<title>fail_deny</title> +<description>Number of failed login attempts before account lockout</description> +<value selector="">5</value> +<value selector="3">3</value> +<value selector="5">5</value> +<value selector="10">10</value> +</Value>
<Rule id="password_retry"> <title>Set Password Retry Prompts Permitted Per-session</title> @@ -298,9 +307,9 @@ attempts using <tt>pam_faillock.so</tt>, <br /><br /> Find the following line in <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>: -<pre>auth sufficient pam_unix.so nullok try_first_pass</pre> +<pre>auth sufficient pam_unix.so try_first_pass</pre> and then change it so that it reads as follows: -<pre>auth required pam_unix.so nullok try_first_pass</pre> +<pre>auth required pam_unix.so try_first_pass</pre> In the same file, comment out or delete the lines: <pre>auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so</pre> @@ -308,17 +317,19 @@ To enforce password lockout, add the following to <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>. First, add the following just before the pam_unix.so auth line: <pre>auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900</pre> -<!-- TOOD: this implies we need to create a Value and associated refine-value --> Second, add the following two lines just after the pam_unix.so auth line: <pre>auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900</pre> +<ul><li>NOTE: The DoD requires accounts be locked out after 3 failed login attempts, +accomplished by changing the value of the <tt>deny</tt> option to <i>3</i> in the example +above.</li></ul> </description> <rationale> Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. </rationale> <ident cce="3410-8" /> -<oval id="accounts_passwords_pam_faillock_deny" /> +<oval id="accounts_passwords_pam_faillock_deny" value="var_accounts_passwords_pam_faillock_deny"/> <ref nist="AC-7, CM-6" disa="1452,44,47" /> </Rule>
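Review bot: the hunk at @@ -298,9 +307,9 @@ silently drops "nullok" from both pam_unix.so example lines, which has nothing to do with the value-selector work described in the commit message; removing nullok changes whether empty passwords are accepted, so either split it into its own commit with a message explaining why, or at least mention it in this message so the change is findable later.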
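Review bot: the hunk at @@ -308,17 +317,19 @@ changes the rule to <oval id="accounts_passwords_pam_faillock_deny" value="var_accounts_passwords_pam_faillock_deny"/>, but the OVAL definition that declares the matching external_variable is only added in the following patch, so at this point in the series the build references a variable the check does not yet know about. Reordering the series so the OVAL check commit comes first keeps every intermediate commit buildable.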
Signed-off-by: Willy Santos <wsantos@redhat.com>
---
 .../accounts_passwords_pam_faillock_deny.xml |   50 ++++++++++++++++++++
 1 files changed, 50 insertions(+), 0 deletions(-)
 create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
diff --git a/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml new file mode 100644 index 0000000..ee594ff --- /dev/null +++ b/RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml 
@@ -0,0 +1,50 @@ +<def-group> + <definition class="compliance" id="accounts_passwords_pam_faillock_deny" version="1"> + <metadata> + <title>Lock out account after failed login attempts</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TODO" source="CCE" /> + <description>The number of allowed failed logins should be set correctly.</description> + </metadata> + <criteria> + <criterion comment="default is set to 5" test_ref="test_accounts_passwords_pam_faillock_deny_system-auth" /> + <criterion comment="default is set to 5" test_ref="test_accounts_passwords_pam_faillock_deny_password-auth" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/system-auth" id="test_accounts_passwords_pam_faillock_deny_system-auth" version="1"> + <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_system-auth" /> + <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_system-auth" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum failed login attempts allowed in /etc/pam.d/password-auth" id="test_accounts_passwords_pam_faillock_deny_password-auth" version="1"> + <ind:object object_ref="object_accounts_passwords_pam_faillock_deny_password-auth" /> + <ind:state state_ref="state_accounts_passwords_pam_faillock_deny_password-auth" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_deny_system-auth" version="1"> + ind:path/etc/pam.d</ind:path> + ind:filenamesystem-auth</ind:filename> + <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required))\s+pam_faillock.so.*deny=([0-9]*).*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + 
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_deny_password-auth" version="1"> + ind:path/etc/pam.d</ind:path> + ind:filenamepassword-auth</ind:filename> + <ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:[default=die]))\s+pam_faillock.so.*deny=([0-9]*).*$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_deny_system-auth" version="1"> + <ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" /> + </ind:textfilecontent54_state> + + <ind:textfilecontent54_state id="state_accounts_passwords_pam_faillock_deny_password-auth" version="1"> + <ind:subexpression datatype="int" operation="equals" var_ref="var_accounts_passwords_pam_faillock_deny" /> + </ind:textfilecontent54_state> + + <external_variable comment="number of failed login attempts allowed" datatype="int" id="var_accounts_passwords_pam_faillock_deny" version="1" /> +</def-group>
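Review bot: the password-auth object's pattern has a regex bug: inside "(?:(?:sufficient)|(?:[default=die]))" the square brackets form a character class, so "[default=die]" matches any single character from that set rather than the literal control token; it needs to be written as "\[default=die\]". Two more problems in the same hunk: as they appear here the "ind:path" and "ind:filename" opening tags of both objects are missing their angle brackets (they should read <ind:path>/etc/pam.d</ind:path> and <ind:filename>system-auth</ind:filename>), which would make the file fail to parse, and the two objects check different lines (system-auth matches only the "required" preauth line, password-auth only the "sufficient" and "[default=die]" lines) even though the rule description adds the same three pam_faillock.so lines to both files, so a deny= value left at the old setting on one of the unchecked lines would pass. Suggest using one pattern for both objects that covers all three control flags, tightening "deny=([0-9]*)" to "deny=([0-9]+)" so an empty value cannot match, and replacing <reference ref_id="TODO" source="CCE" /> with the CCE the rule already carries (3410-8); the criterion comments "default is set to 5" are also misleading now that the value is variable.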
Signed-off-by: Willy Santos <wsantos@redhat.com>
---
 RHEL6/input/system/accounts/pam.xml |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 16f0bf3..da19749 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -316,10 +316,10 @@ auth required pam_deny.so</pre> To enforce password lockout, add the following to <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>. First, add the following just before the pam_unix.so auth line: -<pre>auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900</pre> +<pre>auth required pam_faillock.so preauth audit silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900</pre> Second, add the following two lines just after the pam_unix.so auth line: -<pre>auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 -auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900</pre> +<pre>auth [default=die] pam_faillock.so authfail audit deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900 +auth sufficient pam_faillock.so authsucc audit deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900</pre> <ul><li>NOTE: The DoD requires accounts be locked out after 3 failed login attempts, accomplished by changing the value of the <tt>deny</tt> option to <i>3</i> in the example above.</li></ul>
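Review bot: the NOTE kept as trailing context in this hunk ("accomplished by changing the value of the deny option to 3 in the example above") now contradicts the change itself: with deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> the rendered example already shows 3 in the STIG profile and 5 elsewhere, so telling the reader to hand-edit it to 3 is either redundant or wrong depending on the profile. Suggest dropping the NOTE, or rewording it to say that the STIG profile selects 3 for this variable.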
Signed-off-by: Willy Santos <wsantos@redhat.com>
---
 RHEL6/input/profiles/STIG-server.xml |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index fa11c8e..fb7b235 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -42,4 +42,6 @@ <refine-value idref="password_history_retain_number" selector="24"/>
<refine-value idref="var_password_max_age" selector="60"/> +<!-- from inherited Rule, deny_password_attempts --> +<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3"/> </Profile>
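Review bot: the selector "3" resolves because the Value added earlier in the series declares <value selector="3">3</value>, so the refinement is correct; the only point is style: the new <!-- from inherited Rule, deny_password_attempts --> comment makes this the one annotated refine-value in the visible block while password_history_retain_number and var_password_max_age rely on the idref alone, so either drop the comment for consistency or annotate the neighbouring entries the same way.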
scap-security-guide@lists.fedorahosted.org