From d907acba7aba3676001e0849a2608b95b14b1363 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 3 Sep 2020 16:37:24 +0200
Subject: [PATCH 1/2] update severity, fix ocil

---
 .../accounts-session/accounts_logon_fail_delay/rule.yml       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 2888cb365a..9a359b22c5 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -11,7 +11,7 @@ rationale: |-
     Increasing the time between a failed authentication attempt and re-prompting to
     enter credentials helps to slow a single-threaded brute force attack.
 
-severity: low
+severity: medium
 
 identifiers:
     cce@rhel7: CCE-80352-8
@@ -37,6 +37,6 @@ ocil: |-
     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs</pre>
     All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
-    fail_delay <sub idref="var_accounts_fail_delay" /></pre>
+    FAIL_DELAY <sub idref="var_accounts_fail_delay" /></pre>
 
 platform: login_defs

From 633f4f12413d27467f63f0676887018c0d147024 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 3 Sep 2020 16:38:19 +0200
Subject: [PATCH 2/2] add tests

---
 .../accounts_logon_fail_delay/tests/correct.pass.sh       | 8 ++++++++
 .../accounts_logon_fail_delay/tests/missing.fail.sh       | 6 ++++++
 .../accounts_logon_fail_delay/tests/stricter.pass.sh      | 8 ++++++++
 .../accounts_logon_fail_delay/tests/wrong.fail.sh         | 8 ++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
new file mode 100644
index 0000000000..147f350247
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 4/' /etc/login.defs
+else
+	echo 'FAIL_DELAY 4' >> /etc/login.defs
+fi
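Review bot: The `grep -q 'FAIL_DELAY'` guard and the `s/^.*FAIL_DELAY.*/FAIL_DELAY 4/` substitution are unanchored, so every line that merely mentions FAIL_DELAY (a comment, or another key containing that substring) is rewritten into an active setting, which can leave several duplicate entries in the fixture. Anchoring both to the key keeps the scenario to one deliberate line: `if grep -qE '^[[:space:]]*FAIL_DELAY[[:space:]]' /etc/login.defs; then` and `sed -i -E 's/^[[:space:]]*FAIL_DELAY[[:space:]].*/FAIL_DELAY 4/' /etc/login.defs`. With the anchored guard, a file that holds only a commented-out entry falls through to the `else` branch and gets the setting appended. The same unanchored pattern appears in stricter.pass.sh and wrong.fail.sh. A short comment in each script saying which threshold the hard-coded value is meant to meet or miss would make the pass/fail expectation readable without opening the profile.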
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
new file mode 100644
index 0000000000..c9d31494b4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+	sed -i '/^.*FAIL_DELAY.*/d' /etc/login.defs
+fi
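Review bot: The `if grep -q` guard around the delete is redundant, because `sed -i` with a `d` command leaves the content unchanged when nothing matches, and the `^.*` / `.*` around the key add nothing to an address pattern. `sed -i '/FAIL_DELAY/d' /etc/login.defs` on its own is equivalent. Removing comment lines as well is harmless for a "missing" scenario, but the match is case-sensitive, so a lowercase `fail_delay` entry would survive; whether that matters depends on how the rule's check matches the key, which is not visible in this patch.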
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
new file mode 100644
index 0000000000..6154484445
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 8/' /etc/login.defs
+else
+	echo 'FAIL_DELAY 8' >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
new file mode 100644
index 0000000000..c1b0d600cb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 1/' /etc/login.defs
+else
+	echo 'FAIL_DELAY 1' >> /etc/login.defs
+fi