Navigation

← Previous Changeset
Next Changeset →

Changeset 154

Timestamp:

01/08/08 08:08:26 (11 months ago)

Author:

slawrence

Message:

Fix rpm/kickstart pam differences

Files:

trunk/RHEL5.1/conf/pam/login.pam (modified) (1 diff)
trunk/RHEL5.1/conf/pam/sshd.pam (modified) (1 diff)
trunk/RHEL5.1/conf/pam/system-auth.pam (modified) (2 diffs)
trunk/RHEL5.1/kickstart/clip.ks (modified) (5 diffs)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000460.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000600.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen000800.sh (modified) (1 diff)
trunk/RHEL5.1/scripts/stig-fix/cat2/gen001020.sh (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5.1/conf/pam/login.pam

r59	r154
8	8	#ACCOUNT-------------------------------------------------------------------
9	9	account include system-auth
	10	account required pam_access.so
10	11
11	12	#PASSWORD ----------------------------------------------------------------

trunk/RHEL5.1/conf/pam/sshd.pam

r63 r154

4 4
5 5 account include system-auth
6 account required pam_access.so
6 7
7 8 password include system-auth

trunk/RHEL5.1/conf/pam/system-auth.pam

r73	r154
3	3	# User changes will be destroyed the next time authconfig is run.
4	4	#5 login attempts within 30 seconds. Locked out for 60 seconds if fail
5		auth required pam_tally3.so deny=~~5 deny_interval=30 onerr=fail unlock_time=6~~0 quiet
	5	auth required pam_tally3.so deny=3 deny_interval=30 onerr=fail unlock_time=900 quiet
6	6
7	7	auth required pam_env.so
…	…
10	10	account required pam_unix.so
11	11	account required pam_tally3.so
12		password required pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=~~1 ucredit=1 ocredit=2 lcredit=0~~
	12	password required pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
13	13	password required pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
14	14

trunk/RHEL5.1/kickstart/clip.ks

r152	r154
331	331	## failed logon attempts for an account, the account is locked for 15 minutes or until
332	332	## the SA unlocks the account.
333		sed -i '/^auth.*pam_deny/ a\
334		auth\t required\t /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root' /etc/pam.d/system-auth
335		sed -i '/^account.*pam_unix/ a\
336		account\t required\t /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset' /etc/pam.d/system-auth
	333	cat <<-EOF > /etc/pam.d/system-auth
	334	#%PAM-1.0
	335	auth required pam_tally.so deny=3 onerr=fail unlock_time=900 quiet
	336
	337	auth required pam_env.so
	338	auth required pam_unix.so nullok try_first_pass audit
	339
	340	account required pam_unix.so
	341	account required pam_tally.so
	342	password required pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
	343	password required pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
	344
	345	session optional pam_keyinit.so revoke
	346	session required pam_limits.so
	347	session required pam_unix.so
	348	EOF
	349	chmod ugo-x /usr/sbin/authconfig
337	350
338	351	## (GEN000480: CAT II) (Previously â G015) The SA will ensure the logon delay between
…	…
368	381	## (GEN000600: CAT II) (Previously â G019) The IAO will ensure passwords include at
369	382	## least two alphabetic characters, one of which must be capitalized.
370		sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth
371		sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth
372		# Running the authconfig tool WILL clobber these changes!
373		# Taking the executable permissions off of /usr/sbin/authconfig
374		chmod ugo-x /usr/sbin/authconfig
	383	# See GEN000460
375	384
376	385	## (GEN000700: CAT II) (Previously â G020) The SA will ensure passwords are
…	…
380	389	## (GEN000800: CAT II) (Previously â G606) The SA will ensure passwords will not be
381	390	## reused within the last ten changes.
382		sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth
	391	# See GEN000460
383	392
384	393	## (GEN000920: CAT II) (Previously â G023) The SA will ensure the root account
…	…
396	405	## user to root.
397	406	# Configure sshd and login to consult pam_access.so
398		sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
399		sed -i '/^account.*auth$/ a\account\t required\tpam_access.so' /etc/pam.d/login
400		# Configure pam_access to refuse direct logins for accounts not in users group
401		sed -i '/^# All other/d' /etc/security/access.conf
402		echo "# Restrict direct login to accounts in the users group" >> /etc/security/access.conf
	407	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
	408	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/login
403	409	echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf
404		~~# Add a User who is in the users group allowing access to the system~~
405	410	adduser -G users,wheel clipuser
406	411	echo "123)(*qweASD" \| passwd --stdin clipuser
407		~~# Cron was previously set to use /etc/security/access.conf, which did~~
408		~~# nothing by default. We don't want to block root from using cron.~~
409		~~# So, we create a blank config file and direct crond to use that instead.~~
410		~~touch /etc/security/access-cron.conf~~
411		~~chmod 644 /etc/security/access-cron.conf~~
412		~~sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond~~
413	412
414	413	## (GEN001080: CAT III) (Previously â G229) The SA will ensure the root shell
…	…
656	655	## unauthorized access attempts to files (unsuccessful)
657	656	cat <<-EOF >> /etc/audit/audit.rules
658		-a exit,always -S open -F success!=0
	657	-a exit,always -S open -F success=0
659	658	-a exit,always -S mknod -F success=0
660	659	-a exit,always -S pipe -F success=0

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000460.sh

r115	r154
8	8	echo ' failed attempts per account'
9	9	echo '==================================================='
10		sed -i '/^auth.*pam_deny/ a\
11		auth\t required\t /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root' /etc/pam.d/system-auth
	10	cat <<-EOF > /etc/pam.d/system-auth
	11	#%PAM-1.0
	12	auth required pam_tally.so deny=3 onerr=fail unlock_time=900 quiet
12	13
13		sed -i '/^account.*pam_unix/ a\
14		account\t required\t /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset' /etc/pam.d/system-auth
	14	auth required pam_env.so
	15	auth required pam_unix.so nullok try_first_pass audit
	16
	17	account required pam_unix.so
	18	account required pam_tally.so
	19	password required pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
	20	password required pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
	21
	22	session optional pam_keyinit.so revoke
	23	session required pam_limits.so
	24	session required pam_unix.so
	25	EOF
	26
	27	# auth config overwrites these changes, make it non executable
	28	chmod ugo-x /usr/sbin/authconfig

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000600.sh

r115	r154
6	6	echo ' Patching GEN000600: Enforce more secure passwords.'
7	7	echo '==================================================='
8		sed -i s/minlen\=8/minlen\=9/ /etc/pam.d/system-auth
9		sed -i "s/difok\=3/difok\=3 dcredit\=-2 ucredit\=-2 ocredit\=-2 lcredit\=-2/" /etc/pam.d/system-auth
10
11		# Running the authconfig tool WILL clobber these changes!
12		# Taking the executable permissions off of /usr/sbin/authconfig
13
14		chmod ugo-x /usr/sbin/authconfig
	8	# See GEN000460

trunk/RHEL5.1/scripts/stig-fix/cat2/gen000800.sh

r115	r154
6	6	echo ' Patching GEN000800: Disallow duplication passwords.'
7	7	echo '==================================================='
8		sed -i "s/shadow/shadow remember\=10/" /etc/pam.d/system-auth
	8	# See GEN000460

trunk/RHEL5.1/scripts/stig-fix/cat2/gen001020.sh

r152	r154
8	8	echo ' via switch from user account.'
9	9	echo '==================================================='
10		# Configure sshd and login to consult pam_access.so
11		sed -i '/^account/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
12		sed -i '/^account.*auth$/ a\account\t required\tpam_access.so' /etc/pam.d/login
13
14		# Configure pam_access to refuse direct logins for accounts not in users group
15		sed -i '/^# All other/d' /etc/security/access.conf
16		echo "# Restrict direct login to accounts in the "users" group
17		-:ALL EXCEPT users :ALL" >> /etc/security/access.conf
	10	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/sshd
	11	sed -i '/^account.*auth$/ a\account\t\trequired\tpam_access.so' /etc/pam.d/login
	12	echo "-:ALL EXCEPT users :ALL" >> /etc/security/access.conf
18	13
19	14	# Add a User who is in the users group allowing access to the system
20	15	/usr/sbin/adduser -G users,wheel clipuser
21	16	echo "123)(*qweASD" \| passwd --stdin clipuser
22
23		~~# Cron was previously set to use /etc/security/access.conf, which did~~
24		~~# nothing by default. We don't want to block root from using cron.~~
25		~~# So, we create a blank config file and direct crond to use that instead.~~
26		~~touch /etc/security/access-cron.conf~~
27		~~chmod 644 /etc/security/access-cron.conf~~
28		~~sed -i 's/pam_access.so/pam_access.so\ accessfile=\/etc\/security\/access-cron.conf/' /etc/pam.d/crond~~
29
30

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.

r63	r154
4	4
5	5	account include system-auth
	6	account required pam_access.so
6	7
7	8	password include system-auth