On 11/11/13, 2:39 PM, Frank Caviggia wrote:
All,

Here is a remediation fix for account password reuse in SSG. Updated to use the 
'/etc/pam.d/system-auth' file.

Regards,

Frank Caviggia


-- Frank Caviggia Consultant, Public [email protected]
0001-accounts_password_reuse_limit.sh-remediation.patch


 From f07acaac1fd235037a22d116ff27293f3e8e29d5 Mon Sep 17 00:00:00 2001
From: Frank Caviggia<[email protected]>
Date: Mon, 11 Nov 2013 14:11:00 -0500
Subject: [PATCH] accounts_password_reuse_limit.sh remediation

Signed-off-by: Frank Caviggia<[email protected]>
---
  RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh | 4 ++++
  1 file changed, 4 insertions(+)
  create mode 100644 RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh

diff --git a/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh 
b/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh
new file mode 100644
index 0000000..b4e9351
--- /dev/null
+++ b/RHEL6/input/fixes/bash/accounts_password_reuse_limit.sh
@@ -0,0 +1,4 @@
+source ./templates/support.sh
+populate var_password_history_retain_limit
+
+sed -i 
's/^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so\ssha512*/password
    required    pam_unix.so sha512 shadow try_first_pass use_authtok 
remember=$var_password_history_retain_limit/g' /etc/pam.d/system-auth
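Review bot: the sed expression in this hunk cannot match anything as written, and a version that did match would still write a wrong line. sed's regex dialect has no Perl-style `(?:sufficient)|(?:required)` groups and treats an unescaped `+` as a literal in its default mode (`(?:` is rejected even with `-r`), so the substitution is a silent no-op on any system-auth. Once the pattern is fixed, three problems remain. First, the whole script sits in single quotes from `'s/` to `/g'`, so the file receives the literal text `remember=$var_password_history_retain_limit` rather than the value `populate` just set; the variable has to be outside the single quotes or the script in double quotes. Second, the match ends at `sha512*` (which actually means `sha51` followed by any number of `2`s, not `sha512.*`), so whatever followed it on the original line, typically `shadow nullok try_first_pass use_authtok`, is kept after the inserted `... use_authtok remember=N`, duplicating options; it also means a line without `sha512` is never touched and the limit is never set. Third, the replacement hard-codes `required`, discarding an existing `sufficient` control flag and any site-specific options. Suggest matching the `password <flag> pam_unix.so` line and only adding or rewriting the `remember=` field, and keep in mind that `sed -i` without `--follow-symlinks` replaces the path with a regular file, which matters if /etc/pam.d/system-auth is the usual authconfig-managed symlink to system-auth-ac.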
-- 1.8.3.1

I don't know what it is (yet), but there may be a different approach to take here.

If I'm reading this correctly (... ok, fine, big if!), then this will:
- if configuration has "password sufficient....", this regex will overwrite with "password required." This could cause issues for some users.
- While the proper line (password sufficient|required pam_unix.so) is matched, any user options may be overwritten.

Is there a way to only match against "remember=", and change only that field?
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
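An added example of the field-only approach the reply asks about; it is not part of the patch above or of SCAP Security Guide, and the function names, the file path argument and the sample system-auth content are constructed for the demo. It uses awk rather than sed because awk can locate the password-phase `pam_unix.so` line by field and then touch only the `remember=` option, leaving the control flag (`sufficient` or `required`) and every other option as they were; the write-back goes through `cat > file` so a symlinked system-auth keeps pointing at its target.

```shell
#!/bin/sh
# Added example (not SSG code). Set or update only the remember=N option on the
# "password <flag> pam_unix.so" line of a pam.d file.

# Write a constructed file that resembles a RHEL 6 system-auth (sample data, not
# taken from any real host).
write_sample_system_auth() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
}

# Print the current remember= value of the password-phase pam_unix.so line
# (prints nothing if the option is absent).
get_pam_remember() {
    awk '$1 == "password" && $0 ~ /[ \t]pam_unix\.so([ \t]|$)/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^remember=/) print substr($i, 10)
         }' "$1"
}

# set_pam_remember FILE LIMIT
# Rewrites an existing remember=... field in place, or appends one, on the
# password-phase pam_unix.so line only. Comments, other phases and the
# existing control flag and options are passed through byte for byte.
set_pam_remember() {
    file="$1"
    limit="$2"
    case "$limit" in
        ''|*[!0-9]*) echo "set_pam_remember: limit must be a non-negative integer" >&2; return 1 ;;
    esac
    tmp="$(mktemp)" || return 1
    awk -v limit="$limit" '
        $1 == "password" && $0 ~ /[ \t]pam_unix\.so([ \t]|$)/ {
            if ($0 ~ /[ \t]remember=[^ \t]*/)
                sub(/remember=[^ \t]*/, "remember=" limit)   # replace value only
            else
                $0 = $0 " remember=" limit                    # append the option
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat keeps the inode (and therefore a symlink target) rather than replacing
    # the path the way sed -i does.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed copy, never on the live /etc/pam.d/system-auth.
demo="$(mktemp)"
write_sample_system_auth "$demo"
set_pam_remember "$demo" 5
grep 'pam_unix.so' "$demo"
rm -f "$demo"
```

Lines that use the bracketed `[success=1 default=ignore]` control syntax are not recognised by the `$1`/`pam_unix.so` test above; a remediation meant for arbitrary hosts would need to account for that form as well.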