That might make the test easier. Otherwise it's going to be fairly complicated to ensure that all of the pieces are in the right spot. Although I think even with your suggestion the pre-auth is still required in the auth section prior to pam_unix.
> On Aug 8, 2014, at 15:17, "Kayse, Josh" <[email protected]> wrote:
>
>> On Aug 8, 2014, at 3:35 PM, Jeremiah Jahn <[email protected]> wrote:
>>
>> accounts_passwords_pam_fail_interval and
>> accounts_passwords_pam_faillock_unlock_time have bad descriptions.
>>
>> The description needs to be changed in these from currently telling
>> the user to put them under pam_env.so to under pam_unix.so.
>>
>> Also there are a number of things you have to do. And I'll walk through
>> this example so you can see.
>>
>> normal pam system-auth file, same applied for password file
>>
>> auth required pam_env.so
>> auth [success=1 default=bad] pam_unix.so
>> auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
>> auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth required pam_deny.so
>>
>> First things first. You must skip the authfail on a successful login,
>> and set default equal to bad. The faillock authfail will ALWAYS lock
>> the user out if run. Which is why if you follow the guidance, you'll
>> brick your machine. So pam_unix.so must be set to [success=1
>> default=bad].
>>
>> Second, pam_faillock.so authsucc must be set to sufficient, and always
>> placed before pam_deny.
>>
>> Your description currently says required, but you've got to alter
>> unix.so to fall through on success instead of simply being sufficient,
>> so now pam_faillock.so authsucc has to be sufficient to pick up the
>> slack. The test for this is also going to have to be rewritten as
>> well.
>>
>> -jj-
>
> Thanks for this information.
>
> An alternative to this dire situation is to include:
>
> account required pam_faillock.so
>
> -josh
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
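As an added example (not code from this thread and not the SCAP Security Guide project's own check), here is a small sh/awk script that tests an auth stack for the ordering jj walks through above: pam_unix.so set to [success=1 default=bad], the pam_faillock.so authfail line directly after it as [default=die], the authsucc line directly after that as sufficient, and pam_deny.so after authsucc. It does not look for the preauth line mentioned in the reply or for Josh's `account required pam_faillock.so` alternative. The two sample stacks in the block are constructed for this example; the function and sample names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from SCAP Security Guide): checks that
# an auth stack has the faillock ordering jj walks through above. The sample
# stacks below are constructed for this example.

# Returns 0 when the stack matches, 1 otherwise, printing each problem found.
check_faillock_stack() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    $1 != "auth" { next }                   # only the auth stack is inspected
    {
        n++
        # The control field is one word or a bracketed "[...]" group, which
        # awk has split on whitespace; stitch the group back together.
        ctrl = $2; i = 3
        if (ctrl ~ /^\[/) while (i <= NF && ctrl !~ /\]$/) { ctrl = ctrl " " $i; i++ }
        mod = $i
        if (mod == "pam_unix.so")                   { unix_n = n; unix_ctrl = ctrl }
        if (mod == "pam_faillock.so" && /authfail/) { af_n = n;   af_ctrl = ctrl }
        if (mod == "pam_faillock.so" && /authsucc/) { as_n = n;   as_ctrl = ctrl }
        if (mod == "pam_deny.so")                   { deny_n = n }
    }
    END {
        bad = 0
        # pam_unix.so must fall through on success (skipping exactly one line)
        # and be "bad" on failure, so authfail only ever runs after a failure.
        if (!unix_n) { print "no pam_unix.so in auth stack"; bad = 1 }
        else if (unix_ctrl != "[success=1 default=bad]") {
            print "pam_unix.so control is \"" unix_ctrl "\", expected [success=1 default=bad]"; bad = 1 }
        # authfail is the line that success=1 skips, so it must sit right after pam_unix.so.
        if (!af_n) { print "no pam_faillock.so authfail line"; bad = 1 }
        else if (af_n != unix_n + 1) { print "authfail must be the line right after pam_unix.so"; bad = 1 }
        else if (af_ctrl != "[default=die]") {
            print "authfail control is \"" af_ctrl "\", expected [default=die]"; bad = 1 }
        # The skip lands on authsucc, which must then be sufficient to grant the login.
        if (!as_n) { print "no pam_faillock.so authsucc line"; bad = 1 }
        else if (as_n != af_n + 1) { print "authsucc must be the line right after authfail"; bad = 1 }
        else if (as_ctrl != "sufficient") {
            print "authsucc control is \"" as_ctrl "\", expected sufficient"; bad = 1 }
        # pam_deny.so closes the stack and must come after authsucc.
        if (!deny_n) { print "no pam_deny.so in auth stack"; bad = 1 }
        else if (deny_n < as_n) { print "pam_deny.so must come after authsucc"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the stack from jj's walkthrough.
good_stack() {
    cat <<'EOF'
auth  required                 pam_env.so
auth  [success=1 default=bad]  pam_unix.so
auth  [default=die]            pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth  sufficient               pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth  requisite                pam_succeed_if.so uid >= 500 quiet
auth  required                 pam_deny.so
EOF
}

# Constructed sample of the stack jj warns against: with pam_unix.so and
# authfail both "required", authfail runs on every login, successful or not.
bricked_stack() {
    cat <<'EOF'
auth  required    pam_env.so
auth  required    pam_unix.so
auth  required    pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth  sufficient  pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth  required    pam_deny.so
EOF
}

main() {
    tmp=$(mktemp) || exit 1
    good_stack > "$tmp"
    check_faillock_stack "$tmp" && echo "good stack: accepted"
    bricked_stack > "$tmp"
    check_faillock_stack "$tmp" || echo "bricked stack: rejected"
    rm -f "$tmp"
}
main
```

Point check_faillock_stack at /etc/pam.d/system-auth (or password-auth) instead of the sample files to audit a real host; every problem is printed and the exit status is non-zero, so the function can sit in an audit or remediation script as-is.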
