On 10/19/12 12:23 PM, Andrew Gilmore wrote:
> So in digging through all this, I'm finding a couple of things that
> either aren't working right or that will require alterations to my
> current configuration to comply.
>
> Where do I ask the following questions? It seems that this group isn't
> the place, but my google-fu is coming up short.
gov-sec is a great place. It's a community group of security-interested
parties running RHEL. Mailing list here:
http://www.redhat.com/mailman/listinfo/gov-sec
Note that we (Red Hat) moderate the list to ensure only U.S. customers
join. If you do send a request to join, give your primary Red Hat contact
a heads up to ensure you don't get rejected (if you don't know who that
is, feel free to ping me so I can pass your name/email to the list
moderator).
And if you have paid Red Hat subscriptions, you can always just email
Red Hat support at [email protected]. They eat questions like
this up.
> auth pam_tally2 ... deny=5
> in /etc/pam.d/system_auth doesn't appear to reset if I successfully
> enter my password after a failure. Eventually I get locked out and the
> audit scripts do not appear to allow "unlock="
> What is the best practice for application of pam_tally2?
Note pam_tally2 is a carryover from RHEL5; we'll be updating the guides
to reflect pam_faillock soonish. Regardless, the lockout controls
generally are time-based. Say, for example, the requirement is: "Allow 5
password attempts in 3 minutes"
In that case, say I SSH in:
0.01: Failed password
0.02: Failed password
0.03: Failed password
0.04: I'm in!
and then I decide to open another SSH terminal a minute later:
1.00: Failed password
1.01: Failed password
... Even though I did eventually establish my first connection, at this
point my account would be locked out since I had 5 failed attempts
within 3 minutes.
> SRG requires no .forward files. I currently do some data processing on
> automated emails via procmail configured in .forward in a dedicated
> user. What is the best practice for configuring such?
That's only for RHEL5, we went ahead and dropped it for RHEL6.
Personally I set up /etc/aliases to take care of this. I don't want local
mail sitting on my servers, so I alias root to whatever sysadmin group
I'm working for (e.g. "root: [email protected]") and my
non-privileged username to my work address (e.g. "shawn:
[email protected]")
-shawn
--
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) [email protected]
(c) 443.534.0130
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
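
Added example, not part of the original message and not pam_tally2 or pam_faillock code: a small audit script that replays the "5 attempts in 3 minutes" timeline above over sshd log lines and reports when the account would lock. The log lines are constructed (timestamps in the message are read as minutes.seconds), the function names are hypothetical, and the `reset_on_success` switch goes beyond the message to show the contrast with a counter that clears on a good login.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in sshd syslog format, mirroring the timeline in the message.
SAMPLE_LOG = """\
Oct 19 12:00:01 host1 sshd[2101]: Failed password for shawn from 192.0.2.10 port 50122 ssh2
Oct 19 12:00:02 host1 sshd[2101]: Failed password for shawn from 192.0.2.10 port 50122 ssh2
Oct 19 12:00:03 host1 sshd[2101]: Failed password for shawn from 192.0.2.10 port 50122 ssh2
Oct 19 12:00:04 host1 sshd[2101]: Accepted password for shawn from 192.0.2.10 port 50122 ssh2
Oct 19 12:01:00 host1 sshd[2140]: Failed password for shawn from 192.0.2.10 port 50130 ssh2
Oct 19 12:01:01 host1 sshd[2140]: Failed password for shawn from 192.0.2.10 port 50130 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from ")

def parse(log, year=2012):
    """Yield (datetime, user, succeeded) for each sshd password event."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied (assumption)
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(2) == "Accepted"

def first_lockout(log, deny=5, window=180, reset_on_success=False):
    """Return {user: datetime} for the first time each user reaches
    `deny` failed passwords inside a sliding `window` of seconds."""
    recent, locked = {}, {}
    for ts, user, ok in parse(log):
        fails = recent.setdefault(user, deque())
        if ok:
            if reset_on_success:
                fails.clear()  # a good login wipes the failure history
            continue
        fails.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - fails[0]).total_seconds() > window:
            fails.popleft()
        if len(fails) >= deny and user not in locked:
            locked[user] = ts
    return locked

if __name__ == "__main__":
    print("time-window only:", first_lockout(SAMPLE_LOG))
    print("reset on success:", first_lockout(SAMPLE_LOG, reset_on_success=True))
```

Run against a copy of `/var/log/secure`, the same function shows which accounts a given `deny`/window pair would have locked before the policy is enforced.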