Hello,

Thanks for the info! I've been trying to make these changes to our systems and am currently waiting for a solution on a Red Hat bug I submitted over a month ago (trying to make a lockout persist after reboot).

I tried making these changes on a test VM I have and it seems to have bricked it. Can you copy and paste the entire contents of your system-auth file into a message and send it to me? (I can't receive attachments at this email address.)

Luke K

________________________________________
From: [email protected] [[email protected]] on behalf of Jeremiah Jahn [[email protected]]
Sent: Friday, August 08, 2014 3:35 PM
To: SCAP Security Guide
Subject: EXTERNAL: faillock related descriptions are wrong and dangerous

accounts_passwords_pam_fail_interval and accounts_passwords_pam_faillock_unlock_time have bad descriptions. The description needs to be changed in these from currently telling the user to put them under pam_env.so to under pam_unix.so. Also there are a number of things you have to do. And I'll walk through this example so you can see.

Normal PAM system-auth file (the same applies for the password file):

auth required pam_env.so
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

First things first: you must skip the authfail on a successful login, and set default equal to bad. The faillock authfail will ALWAYS lock the user out if run, which is why if you follow the guidance, you'll brick your machine. So pam_unix.so must be set to [success=1 default=bad].

Second, pam_faillock.so authsucc must be set to sufficient, and always placed before pam_deny. Your description currently says required, but you've got to alter unix.so to fall through on success instead of simply being sufficient, so now pam_faillock.so authsucc has to be sufficient to pick up the slack.

The test for this is also going to have to be rewritten as well.
-jj-

-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
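The control-flag walk-through in Jeremiah's message, as an added example that is not part of the thread or of the SCAP Security Guide project's own code: a small Python simulator of a Linux-PAM "auth" stack, plus a checker for the two ordering rules he gives. The [success=N default=...] action semantics follow pam.conf(5); module behaviour is an assumption reduced to what matters here (pam_unix.so succeeds only for the right password, pam_faillock.so authfail always returns failure because it only runs to record a failed attempt, authsucc returns success, pam_env.so and pam_succeed_if.so succeed, pam_deny.so fails). GOOD_AUTH is the stack quoted in the e-mail; BAD_AUTH is a constructed counter-example that leaves pam_unix.so as "required" so authfail is never skipped.

```python
# Added example: simplified Linux-PAM 'auth' stack evaluation, not SSG code.
import re

# Constructed from the stack quoted in the e-mail (auth lines only).
GOOD_AUTH = """\
auth required pam_env.so
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Constructed counter-example: pam_unix.so left as 'required', so the
# authfail line runs even after a correct password.
BAD_AUTH = GOOD_AUTH.replace("[success=1 default=bad]", "required")

# Simple control keywords expressed as their [...] equivalents (pam.conf(5)).
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_auth(text):
    """Return [(actions, module, args)] for the 'auth' lines of a PAM file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        typ, ctrl, module, args = m.groups()
        if typ != "auth":
            continue
        if ctrl.startswith("["):
            actions = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            actions = dict(SIMPLE[ctrl])
        rules.append((actions, module, args.split()))
    return rules

def module_result(module, args, password_ok):
    """Simplified module outcomes (assumption, see lead-in)."""
    if module == "pam_unix.so":
        return "success" if password_ok else "auth_err"
    if module == "pam_faillock.so":
        return "auth_err" if "authfail" in args else "success"
    if module == "pam_deny.so":
        return "auth_err"
    return "success"

def run_stack(rules, password_ok):
    """Evaluate the stack; return (final status, modules that actually ran)."""
    impression, status, ran = None, "success", []
    i = 0
    while i < len(rules):
        actions, module, args = rules[i]
        res = module_result(module, args, password_ok)
        ran.append(module + (" " + args[0] if module == "pam_faillock.so" else ""))
        action = actions.get(res, actions.get("default", "bad"))
        skip = 0
        if action.isdigit():           # N means 'ok' plus jump over N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression = "pos" if res == "success" else "neg"
                status = res
            if action == "done" and impression == "pos" and status == "success":
                break                  # 'sufficient' success ends the stack
        elif action in ("bad", "die"):
            if impression != "neg":    # first failure decides the stack result
                impression, status = "neg", res
            if action == "die":
                break
        # 'ignore' changes nothing
        i += 1 + skip
    return status, ran

def check_ordering(rules):
    """Flag the two mistakes the e-mail warns about; return a list of findings."""
    findings = []
    mods = [(m, a[0] if a else "") for _, m, a in rules]
    for n, (actions, module, args) in enumerate(rules):
        if module == "pam_unix.so":
            nxt = rules[n + 1] if n + 1 < len(rules) else None
            if not (actions.get("success") == "1" and actions.get("default") == "bad"):
                findings.append("pam_unix.so must be [success=1 default=bad]")
            if not (nxt and nxt[1] == "pam_faillock.so" and "authfail" in nxt[2]):
                findings.append("pam_faillock.so authfail must directly follow pam_unix.so")
        if module == "pam_faillock.so" and "authsucc" in args:
            if actions != SIMPLE["sufficient"]:
                findings.append("pam_faillock.so authsucc must be sufficient")
            if ("pam_deny.so", "") in mods[:n]:
                findings.append("pam_faillock.so authsucc must come before pam_deny.so")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD_AUTH", GOOD_AUTH), ("BAD_AUTH", BAD_AUTH)):
        rules = parse_auth(text)
        print(name, "findings:", check_ordering(rules) or "none")
        for ok in (True, False):
            print("  password_ok=%s ->" % ok, run_stack(rules, ok))
```

With the quoted stack a correct password jumps over the authfail line and ends at the sufficient authsucc line, while a wrong password runs authfail and dies there. With pam_unix.so left as "required", authfail runs after a correct password too and the stack dies with auth_err, which is the lockout-on-success behaviour the e-mail describes.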
