Another member of my organization has spoken with me and let me know he resolved this independently; apparently, we had a configuration error in another file, which caused this issue. Please disregard my request and thank you for your help.
--
Adam Spice
Contractor, STG
Unix support, Army Research Labs

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Spice, Adam M CTR USARMY ARL (US)
Sent: Tuesday, May 13, 2014 3:19 PM
To: [email protected]
Subject: RE: Problem with Setting faillock Account Lock Time

All,

I haven't seen a patch regarding the below-described faillock error come out. Is there one in the works? May I assist with its creation / release?

Thank you!

--
Adam Spice
Contractor, STG
Unix support, Army Research Labs

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Spice, Adam M CTR USARMY ARL (US)
Sent: Wednesday, January 08, 2014 6:11 AM
To: [email protected]
Subject: RE: Problem with Setting faillock Account Lock Time

Thank you, Leland.

--
Adam Spice
Contractor, STG
Unix support, Army Research Labs

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Steinke, Leland J Sr CTR DISA FSO (US)
Sent: Tuesday, January 07, 2014 4:18 PM
To: [email protected]
Subject: RE: Problem with Setting faillock Account Lock Time

Mr. Spice:

I think the lines should go beneath the pam_unix.so line. There should be a patch forthcoming.

Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
[email protected] (gov't)
[email protected] (com'l)

> -----Original Message-----
> From: [email protected] [mailto:scap-[email protected]] On Behalf Of Spice, Adam M CTR USARMY ARL (US)
> Sent: Tuesday, January 07, 2014 3:13 PM
> To: [email protected]
> Subject: Problem with Setting faillock Account Lock Time
>
> All,
>
> My systems failed the scans for CCE-26844-1 (Set Deny For Failed Password Attempts), CCE-27110-6 (Set Lockout Time For Failed Password Attempts) and CCE-27215-3 (Set Interval For Counting Failed Password Attempts). I was able to resolve the first and last by following the fix text, but CCE-27110-6 remains a problem.
>
> The fix text instructs me to add the following lines:
> auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
> auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
>
> ... directly beneath the following line in /etc/pam.d/system-auth:
> auth required pam_env.so
>
> However, following these instructions results in a system whose GDM prompts me for a username, but never gets to the password. The logs show "gkr-pam: no password is available for user." I performed many Google searches, not really finding much that helped me other than an old message in this group:
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-February/002601.html
>
> Unfortunately, I didn't see a resolution. The person who started that thread opened a ticket, but it doesn't look like it was addressed:
> https://fedorahosted.org/scap-security-guide/ticket/255
>
> He also referenced a Red Hat Solution that provides instructions on enabling faillock; following this, I was able to restore my system to functionality. I could login; if I failed my attempt three times, I could no longer login; pam_tally2 no longer reported failed logins, but faillock did. I haven't yet spent the week to determine whether or not the unlock_time parameter is being applied (if you know of a way to report remaining time until an account unlocks, that would help).
>
> Is there any guidance available regarding passing this scan without disabling my system?
>
> Thank you!
>
> --
> Adam Spice
> Contractor, STG
> Unix support, Army Research Labs
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
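
A check for the placement question raised in this thread, as an added example that is not part of the original messages or of the scap-security-guide project: it parses the auth stack of a system-auth style file, flags pam_faillock.so authfail/authsucc lines that sit above pam_unix.so (the placement the reply suggests changing), and compares deny, unlock_time and fail_interval with the values in the quoted fix text. The sample stack, the pam_unix.so and pam_deny.so lines in it, and the function names are constructed for illustration.

```python
import re

# Constructed sample: the auth stack laid out as the fix text in the thread
# describes it, with both pam_faillock lines directly beneath pam_env.so.
SAMPLE_FIX_TEXT_LAYOUT = """\
auth        required      pam_env.so
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
"""

# Values taken from the fix text quoted in the thread.
EXPECTED = {"deny": "3", "unlock_time": "604800", "fail_interval": "900"}

LINE_RE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Return [(lineno, control, module, args)] for every 'auth' line."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments
        m = LINE_RE.match(line)
        if m and m.group(1) == "auth":
            stack.append((lineno, m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return stack

def check_faillock(text):
    """List findings about pam_faillock placement and option values."""
    stack = parse_auth_stack(text)
    unix_at = next((n for n, _, mod, _ in stack if mod == "pam_unix.so"), None)
    findings = []
    seen = [e for e in stack if e[2] == "pam_faillock.so"]
    if not seen:
        findings.append("no pam_faillock.so line in the auth stack")
    for lineno, _, _, args in seen:
        mode = next((a for a in args if a in ("preauth", "authfail", "authsucc")), None)
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        if mode in ("authfail", "authsucc") and (unix_at is None or lineno < unix_at):
            findings.append(f"line {lineno}: {mode} is placed before pam_unix.so")
        for key, want in EXPECTED.items():
            if opts.get(key) != want:
                findings.append(f"line {lineno}: {key}={opts.get(key)} (expected {want})")
    return findings

if __name__ == "__main__":
    for finding in check_faillock(SAMPLE_FIX_TEXT_LAYOUT):
        print(finding)
```

To run it against a live system, pass the contents of /etc/pam.d/system-auth to `check_faillock` instead of the sample.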
