Thanks to Philip S. for reporting this!
From 6b3cfb6e41ddaab2f375b68af3cb93968a947664 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Thu, 31 Jan 2013 09:49:58 -0500
Subject: [PATCH] [bugfix] var_accounts_passwords_pam_faillock_unlock_time value exceeded MAX_TIME_INTERVAL

As reported by Philip S., the 100000000 value for var_accounts_passwords_pam_faillock_unlock_time exceeded the MAX_TIME_INTERVAL value which PAM would accept.

Updated the selector values within pam.xml, ran r/unlock_time=100000000/unlock_time=604800/g within the XCCDF content, and updated the profiles which also used var_accounts_passwords_pam_faillock_unlock_time.
---
 RHEL6/input/profiles/nist-CL-IL-AL.xml     |    2 +-
 RHEL6/input/profiles/stig-rhel6-server.xml |    2 +-
 RHEL6/input/system/accounts/pam.xml        |   16 ++++++++--------
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml 
b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index 3c5c465..9bbb86b 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -67,7 +67,7 @@ assurance."</description>
                        - 1800          (30 minutes)
                        - 3600          (1 hour)
                        - 86400         (1 day)
-                       - 100000000     (3.1 years) -->
+                       - 604800        (7 days) -->
 <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" 
selector="900" \>
 
 <!--   AC-11(a): Prevents further access to the system by initiating a session 
lock
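Review bot: the only change in this hunk is the comment listing candidate values; the refine-value immediately below it still selects "900", so nothing in this profile changes behaviour. The new comment entry advertises 604800 as a selector, but the pam.xml hunk in this same patch defines that value under selector="100000000", so a profile author copying "604800" from this list will get no match; either rename the selector in pam.xml to "604800" or list "100000000 (7 days)" here. While editing this block, the context line `selector="900" \>` ends with `\>` rather than `/>`, which is not a valid self-closing tag.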
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml 
b/RHEL6/input/profiles/stig-rhel6-server.xml
index d8a8b59..0261176 100644
--- a/RHEL6/input/profiles/stig-rhel6-server.xml
+++ b/RHEL6/input/profiles/stig-rhel6-server.xml
@@ -84,7 +84,7 @@
 <select idref="smartcard_auth" selected="true" />
 
 <select idref="deny_password_attempts_unlock_time" selected="true" />
-<refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" 
selector="100000000"/>
+<refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" 
selector="604800"/>
 <select idref="deny_password_attempts_fail_interval" selected="true" />
 <refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" 
selector="900"/>
 
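Review bot: selector="604800" has no definition to resolve to. The pam.xml hunk in this patch keeps the selector named "100000000" and only changes its value (`<value selector="100000000">604800</value>`), so this refine-value now refers to a selector that does not exist and the variable will fall back to the default. Rename the selector in pam.xml to "604800" (the other entries all use the value as the selector name) or keep selector="100000000" here. The fail_interval refinement to "900" is consistent with the 15-minute interval in the rule descriptions.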
diff --git a/RHEL6/input/system/accounts/pam.xml 
b/RHEL6/input/system/accounts/pam.xml
index 58d9011..b4d7098 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -176,12 +176,12 @@ operator="equals" interactive="0">
 operator="equals" interactive="0">
 <title>fail_unlock_time</title>
 <description>Seconds before automatic unlocking after excessive failed 
logins</description>
-<value selector="">100000000</value>
+<value selector="">604800</value>
 <value selector="900">900</value> <!-- 15 minutes -->
 <value selector="1800">1800</value> <!-- 30 minutes -->
 <value selector="3600">3600</value> <!-- 1 hour -->
 <value selector="86400">86400</value> <!-- 1 day -->
-<value selector="100000000">100000000</value> <!-- 3.16 years -->
+<value selector="100000000">604800</value> <!-- 7 days -->
 </Value>
 <Value id="var_accounts_passwords_pam_faillock_fail_interval" type="number"
 operator="equals" interactive="0">
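Review bot: `<value selector="100000000">604800</value>` leaves the selector name disagreeing with its value, and every other entry in this Value uses the value itself as the selector name. Rename it to selector="604800" so the stig-rhel6-server.xml refine-value in this patch (selector="604800") resolves and the "7 days" comment matches the selector. Note also that changing the unselected default (`<value selector="">`) from 100000000 to 604800 alters the effective value for every profile that does not refine this variable; that is presumably intended, but it deserves a sentence in the commit message.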
@@ -396,8 +396,8 @@ To configure the system to lock out accounts after a number 
of incorrect login
 attempts using <tt>pam_faillock.so</tt>:
 <br /><br />
 Add the following lines immediately below the <tt>pam_env.so</tt> statement in 
<tt>/etc/pam.d/system-auth</tt>:
-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=100000000 
fail_interval=900</pre>
-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=100000000 
fail_interval=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900</pre>
+<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900</pre>
 </description>
 <ocil clause="that is not the case">
 To ensure the failed password attempt policy is configured correctly, run the 
following command:
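Review bot: the description still gives no reason for the value, so an administrator who wants a longer lockout will raise unlock_time and hit the same parse failure the commit message describes. Since the commit message says 100000000 exceeded PAM's MAX_TIME_INTERVAL, add a sentence after the `<pre>` lines stating that 604800 seconds (7 days) was chosen as the largest value pam_faillock accepts, after confirming that limit in the pam_faillock source, rather than leaving it as an unexplained constant. The same `<pre>` text is duplicated verbatim in the two rules that follow; consider whether one shared description block would keep them from drifting apart again.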
@@ -420,8 +420,8 @@ To configure the system to lock out accounts after a number 
of incorrect login
 attempts and require an administrator to unlock the account using 
<tt>pam_faillock.so</tt>:
 <br /><br />
 Add the following lines immediately below the <tt>pam_env.so</tt> statement in 
<tt>/etc/pam.d/system-auth</tt>:
-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=100000000 
fail_interval=900</pre>
-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=100000000 
fail_interval=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900</pre>
+<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900</pre>
 </description>
 <ocil clause="that is not the case">
 To ensure the failed password attempt policy is configured correctly, run the 
following command:
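Review bot: this rule's description says it configures the system to "require an administrator to unlock the account", but unlock_time=604800 makes pam_faillock unlock the account by itself after 7 days, so the example no longer matches the stated intent. If the RHEL6 pam_faillock accepts a value that disables automatic unlock (the pam_faillock man page documents unlock_time=never, equivalent to 0, for this; verify the RHEL6 build honours it), that is the correct value here and it also sidesteps the MAX_TIME_INTERVAL problem; otherwise reword the description so it does not promise administrator-only unlock.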
@@ -446,8 +446,8 @@ To configure the system to lock out accounts after a number 
of incorrect login
 attempts within a 15 minute interval using <tt>pam_faillock.so</tt>:
 <br /><br />
 Add the following lines immediately below the <tt>pam_env.so</tt> statement in 
<tt>/etc/pam.d/system-auth</tt>:
-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=100000000 
fail_interval=900</pre>
-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=100000000 
fail_interval=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900</pre>
+<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900</pre>
 </description>
 <ocil clause="that is not the case">
 To ensure the failed password attempt policy is configured correctly, run the 
following command:
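Review bot: the diffstat lists only the two profiles and pam.xml, so no OVAL check or OCIL text is touched. The `<ocil>` block under each description ("run the following command") is cut off at the hunk boundary, but if either the OCIL expected output or an OVAL definition compares against the literal unlock_time=100000000 rather than the variable, it will now fail against a system configured as this description recommends; please confirm the checks read var_accounts_passwords_pam_faillock_unlock_time, or update them in the same patch.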
-- 
1.7.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
