>From cad93088c87b41574e897fead8434448818f558a Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Wed, 20 Mar 2013 19:07:37 -0400 Subject: [PATCH] ticket 317: Update RHEL-06-000372-PF * Created new PAM rule to address CCI 53 per RH documented solution at: https://access.redhat.com/discussion/how-do-i-display-number-failed-login-attempts-when-user-logs
* Updated STIG profile to reflect new rule * Removed PF mapping --- RHEL6/input/auxiliary/srg_support.xml | 2 +- RHEL6/input/profiles/stig-rhel6-server.xml | 2 ++ RHEL6/input/system/accounts/pam.xml | 24 ++++++++++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index 1a7ba77..369d3bd 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -112,7 +112,7 @@ This requirement is a permanent finding and cannot be fixed. An appropriate mitigation for the system must be implemented but this finding cannot be considered fixed. </description> -<ref disa="20,31,52,53,144,218,219,1158,1294,1295,1500" /> +<ref disa="20,31,52,144,218,219,1158,1294,1295,1500" /> <!-- Note: CCI 52 supported for text login, but not graphical --> </Rule> diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml index a478b88..f744205 100644 --- a/RHEL6/input/profiles/stig-rhel6-server.xml +++ b/RHEL6/input/profiles/stig-rhel6-server.xml @@ -80,6 +80,8 @@ <select idref="smartcard_auth" selected="true" /> +<select idref="display_login_attempts" selected="true" /> + <select idref="deny_password_attempts_unlock_time" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> <select idref="deny_password_attempts_fail_interval" selected="true" /> diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 0253b48..2ca9e54 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml 
@@ -55,6 +55,30 @@ frequently.</description> <value selector="24">24</value> </Value> +<Rule id="display_login_attempts"> +<title>Set Last Logon/Access Notification</title> +<description>To configure the system to notify users of last logon/access +using <tt>pam_lastlog</tt>, add the following line immediately after <tt>session required pam_limits.so</tt>: +<pre>session required pam_lastlog.so showfailed</pre> +</description> +<ocil clause="that is not the case"> +To ensure that last logon/access notification is configured correctly, run +the following command: +<pre># grep pam_lastlog.so /etc/pam.d/system-auth</pre> +The output should show output <tt>showfailed</tt>. +</ocil> +<rationale> +Users need to be aware of activity that occurs regarding +their account. Providing users with information regarding the number +of unsuccessful attempts that were made to login to their account +allows the user to determine if any unauthorized activity has occurred +and gives them an opportunity to notify administrators. +</rationale> +<ident cce="TODO" /> +<oval id="TODO" /> +<ref disa="53" /> +</Rule> + <Group id="password_quality"> <title>Set Password Quality Requirements</title> <description>The default <tt>pam_cracklib</tt> PAM module provides strength -- 1.7.1
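Review bot: In the stig-rhel6-server.xml hunk, the new line <select idref="display_login_attempts" selected="true" /> selects a rule whose check content is still a placeholder (the pam.xml hunk declares <oval id="TODO" /> and <ident cce="TODO" />), so with this patch applied the STIG profile picks up a rule that can only report as not checked and has no CCE; either land the OVAL definition and CCE together with the profile selection, or hold the profile change until they exist.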
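Review bot: In the pam.xml hunk, the description tells the reader to add "session required pam_lastlog.so showfailed" after "session required pam_limits.so" without naming the file to edit, while the OCIL block checks only /etc/pam.d/system-auth; state the target file in the description so the fix and the check refer to the same thing. Three smaller points in the same hunk: the rule id display_login_attempts, the title "Set Last Logon/Access Notification" and the rationale (which is about unsuccessful login attempts) do not line up, so pick one name for what the rule enforces; the OCIL sentence "The output should show output <tt>showfailed</tt>" repeats itself and reads better as "The output should include <tt>showfailed</tt>"; and the "required" control on a session module means a pam_lastlog failure (for example, an unreadable lastlog file) fails session setup, so confirm that this is intended rather than "optional" before the rule ships. The cce="TODO" and oval id="TODO" placeholders also need real values or a tracking note before merge.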
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
