Blame SOURCES/scap-security-guide-0.1.53-update_severity_fail_delay-PR_6040.patch

From d907acba7aba3676001e0849a2608b95b14b1363 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 3 Sep 2020 16:37:24 +0200
Subject: [PATCH 1/2] update severity, fix ocil
---
 .../accounts-session/accounts_logon_fail_delay/rule.yml       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
fe0dde
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
fe0dde
index 2888cb365a..9a359b22c5 100644
fe0dde
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
fe0dde
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
fe0dde
@@ -11,7 +11,7 @@ rationale: |-
fe0dde
     Increasing the time between a failed authentication attempt and re-prompting to
fe0dde
     enter credentials helps to slow a single-threaded brute force attack.
fe0dde
 
fe0dde
-severity: low
fe0dde
+severity: medium
fe0dde
 
fe0dde
 identifiers:
fe0dde
     cce@rhel7: CCE-80352-8
fe0dde
@@ -37,6 +37,6 @@ ocil: |-
fe0dde
     
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
fe0dde
     All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
fe0dde
     
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
fe0dde
-    fail_delay <sub idref="var_accounts_fail_delay" />
fe0dde
+    FAIL_DELAY <sub idref="var_accounts_fail_delay" />
fe0dde
 
fe0dde
 platform: login_defs
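Review bot: The expected-output line `FAIL_DELAY <sub idref="var_accounts_fail_delay" />` together with "set as shown in the below" reads as an exact-match requirement, while the tests added in patch 2/2 treat a larger delay (`stricter.pass.sh`, value 8) as compliant. If the automated check is in fact a minimum, an auditor following the OCIL text by hand could fail a system the scanner passes; wording such as `All output must show <tt>FAIL_DELAY</tt> set to <sub idref="var_accounts_fail_delay" /> or greater:` would align the two. It would also help to say that the matching line must not be commented out, since `grep -i "FAIL_DELAY"` prints commented lines as well. The ocil block starts before this hunk, so its opening sentence is not visible here.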
From 633f4f12413d27467f63f0676887018c0d147024 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 3 Sep 2020 16:38:19 +0200
Subject: [PATCH 2/2] add tests
---
 .../accounts_logon_fail_delay/tests/correct.pass.sh       | 8 ++++++++
 .../accounts_logon_fail_delay/tests/missing.fail.sh       | 6 ++++++
 .../accounts_logon_fail_delay/tests/stricter.pass.sh      | 8 ++++++++
 .../accounts_logon_fail_delay/tests/wrong.fail.sh         | 8 ++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
fe0dde
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
fe0dde
new file mode 100644
fe0dde
index 0000000000..147f350247
fe0dde
--- /dev/null
fe0dde
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
fe0dde
@@ -0,0 +1,8 @@
fe0dde
+#!/bin/bash
fe0dde
+# profiles = xccdf_org.ssgproject.content_profile_stig
fe0dde
+
fe0dde
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
fe0dde
+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 4/' /etc/login.defs
fe0dde
+else
fe0dde
+	echo 'FAIL_DELAY 4' >> /etc/login.defs
fe0dde
+fi
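Review bot: The `grep -q 'FAIL_DELAY'` guard and the `sed` address `^.*FAIL_DELAY.*` are unanchored, so any line that merely mentions FAIL_DELAY (a comment, or a longer keyword containing it) is rewritten into an active `FAIL_DELAY 4` setting, and several matches yield several setting lines. The scenario therefore depends on what the image's /etc/login.defs happens to contain; the same pattern is repeated in `stricter.pass.sh` and `wrong.fail.sh`. Anchoring both to the real keyword keeps the prepared state deterministic: `if grep -Eq '^[[:space:]]*FAIL_DELAY[[:space:]]' /etc/login.defs; then` and `sed -i 's/^[[:space:]]*FAIL_DELAY[[:space:]].*/FAIL_DELAY 4/' /etc/login.defs`. A one-line comment such as `# FAIL_DELAY equal to the value required by the stig profile` would also document why 4 is the passing value.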
fe0dde
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
fe0dde
new file mode 100644
fe0dde
index 0000000000..c9d31494b4
fe0dde
--- /dev/null
fe0dde
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
fe0dde
@@ -0,0 +1,6 @@
fe0dde
+#!/bin/bash
fe0dde
+# profiles = xccdf_org.ssgproject.content_profile_stig
fe0dde
+
fe0dde
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
fe0dde
+	sed -i '/^.*FAIL_DELAY.*/d' /etc/login.defs
fe0dde
+fi
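Review bot: The `if grep -q 'FAIL_DELAY'` guard around the deletion is redundant, because `sed -i '/.../d'` is already a no-op when no line matches; the script can be the single line `sed -i '/FAIL_DELAY/d' /etc/login.defs`. The leading `^.*` and trailing `.*` in the address add nothing to a delete address either. Deleting every line that mentions the keyword, comments included, is the right behaviour for a "missing" scenario, and a short comment saying so (`# remove every mention so the setting is absent`) would make that intent explicit.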
fe0dde
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
fe0dde
new file mode 100644
fe0dde
index 0000000000..6154484445
fe0dde
--- /dev/null
fe0dde
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
fe0dde
@@ -0,0 +1,8 @@
fe0dde
+#!/bin/bash
fe0dde
+# profiles = xccdf_org.ssgproject.content_profile_stig
fe0dde
+
fe0dde
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
fe0dde
+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 8/' /etc/login.defs
fe0dde
+else
fe0dde
+	echo 'FAIL_DELAY 8' >> /etc/login.defs
fe0dde
+fi
fe0dde
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
fe0dde
new file mode 100644
fe0dde
index 0000000000..c1b0d600cb
fe0dde
--- /dev/null
fe0dde
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
fe0dde
@@ -0,0 +1,8 @@
fe0dde
+#!/bin/bash
fe0dde
+# profiles = xccdf_org.ssgproject.content_profile_stig
fe0dde
+
fe0dde
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
fe0dde
+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 1/' /etc/login.defs
fe0dde
+else
fe0dde
+	echo 'FAIL_DELAY 1' >> /etc/login.defs
fe0dde
+fi
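Review bot: The two fail scenarios in this patch cover an absent setting and a too-small value (`FAIL_DELAY 1` here), but none covers a commented-out setting, which is the case where a loose check would report compliance while no delay is enforced. A further scenario that removes active lines and then appends a commented one, e.g. `echo '#FAIL_DELAY 4' >> /etc/login.defs`, would pin that the rule only accepts an active line. Separately, the literal `1` is only "wrong" relative to the stig profile's `var_accounts_fail_delay`, whose value is not visible in this patch; a comment such as `# value below the threshold required by the stig profile` would record that dependency.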