On Monday, August 17, 2015 12:18:44 PM Shawn Wells wrote:
> On 8/14/15 3:33 PM, Steve Grubb wrote:
> > On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
> >> >A patch for the SSH bug that bypassed the MaxAuthTries limit was just
> >> >patched. Has MaxAuthTries been considered as a control in
+1 from me as well.
On Mon, Aug 17, 2015 at 12:22 PM, Greg Elin wrote:
> +1 on Shawn's observation:
> "The purpose of SSG is to get security configuration guidance and
> automation into the public, into the technology natively (e.g. shipping in
> RHEL), and developed in an open community with op
+1 on Shawn's observation:
"The purpose of SSG is to get security configuration guidance and
automation into the public, into the technology natively (e.g. shipping in
RHEL), and developed in an open community with open (in our case, public
domain) licensing."
Greg
On Mon, Aug 17, 2015 at 12:18 P
On 8/14/15 3:33 PM, Steve Grubb wrote:
On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
>A patch for the SSH bug that bypassed the MaxAuthTries limit was just
>patched. Has MaxAuthTries been considered as a control in the security
>guide?
The default value for this is set to "no". We
+1 to PAM over internal SSH controls.
SIMP ties it back to both the local system faillock as well as LDAP
controls for full environment lockouts.
Trevor
On Fri, Aug 14, 2015 at 3:33 PM, Steve Grubb wrote:
> On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
> > A patch for the SSH bug t
On Friday, August 14, 2015 01:47:49 PM Ron Colvin wrote:
> A patch for the SSH bug that bypassed the MaxAuthTries limit was just
> patched. Has MaxAuthTries been considered as a control in the security
> guide?
The default value for this is set to "no". We set UsePam to "yes". Some
platforms do n
On 8/14/15 2:44 PM, Ron Colvin wrote:
The CVE in this case was to remedy a flaw that allowed the
MaxAuthTries limit to be bypassed. The security guide has no control
for MaxAuthTries.
SSG configures authentication retries at a system level through PAM via
the accounts_password_pam_retry rul
The CVE in this case was to remedy a flaw that allowed the MaxAuthTries
limit to be bypassed. The security guide has no control for
MaxAuthTries. The CIS Benchmark control for RHEL 6 is 4.
On 8/14/15 2:41 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
In my view, this would fall under CVEs -- SSG is used to verify configuration
compliance (CCEs).
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.
From: scap-security-guide-boun...@lists.fedorahosted.org
[scap-security-guide-boun...@l
OK. I was mostly looking for a scorable control(s).
On 8/14/15 2:34 PM, Paul Whitney wrote:
I use pam_tally2 for that.
Paul Whitney
email: paul.whit...@mac.com
cell: 410.493.9448
Sent from my iPhone
On Aug 14, 2015, at 13:47, Ron Colvin wrote:
A patch for the SSH bug that bypassed the Max