From d907acba7aba3676001e0849a2608b95b14b1363 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 3 Sep 2020 16:37:24 +0200
Subject: [PATCH 1/2] update severity, fix ocil
---
.../accounts-session/accounts_logon_fail_delay/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
index 2888cb365a..9a359b22c5 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
@@ -11,7 +11,7 @@ rationale: |- Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. -severity: low +severity: medium identifiers: cce@rhel7: CCE-80352-8
@@ -37,6 +37,6 @@ ocil: |-
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
All output must show the value of FAIL_DELAY set as shown in the below:
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
-    fail_delay 
+ FAIL_DELAY platform: login_defs
From 633f4f12413d27467f63f0676887018c0d147024 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 3 Sep 2020 16:38:19 +0200
Subject: [PATCH 2/2] add tests
---
.../accounts_logon_fail_delay/tests/correct.pass.sh | 8 ++++++++
.../accounts_logon_fail_delay/tests/missing.fail.sh | 6 ++++++
.../accounts_logon_fail_delay/tests/stricter.pass.sh | 8 ++++++++
.../accounts_logon_fail_delay/tests/wrong.fail.sh | 8 ++++++++
4 files changed, 30 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
new file mode 100644
index 0000000000..147f350247
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+ sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 4/' /etc/login.defs
+else
+ echo 'FAIL_DELAY 4' >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
new file mode 100644
index 0000000000..c9d31494b4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
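Review bot: In tests/correct.pass.sh the pattern `FAIL_DELAY` is unanchored, so `grep -q` is satisfied by a commented-out line and the `sed` substitution turns every matching line, comments included, into an active `FAIL_DELAY 4`. The scenario then starts from a file whose number of active directives depends on what the base image shipped, and the rule's handling of duplicates (not visible here) becomes part of what is tested. A deterministic setup would drop the `if`/`else` and use `sed -i '/^[[:space:]]*#\?[[:space:]]*FAIL_DELAY/d' /etc/login.defs` followed by `echo 'FAIL_DELAY 4' >> /etc/login.defs`. The same applies to tests/stricter.pass.sh and tests/wrong.fail.sh with their own values.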
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+ sed -i '/^.*FAIL_DELAY.*/d' /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
new file mode 100644
index 0000000000..6154484445
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+ sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 8/' /etc/login.defs
+else
+ echo 'FAIL_DELAY 8' >> /etc/login.defs
+fi
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
new file mode 100644
index 0000000000..c1b0d600cb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q 'FAIL_DELAY' /etc/login.defs; then
+ sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 1/' /etc/login.defs
+else
+ echo 'FAIL_DELAY 1' >> /etc/login.defs
+fi
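Review bot: tests/missing.fail.sh covers an absent directive, but none of the four scenarios covers a directive that is present only as a comment, which is the case where a loosely anchored check would report a pass on an unconfigured system. A further fail scenario that removes existing lines and then appends `# FAIL_DELAY 4` would pin that behaviour. Separately, the `if grep -q` guard here is unnecessary, since `sed -i '/FAIL_DELAY/d' /etc/login.defs` is a no-op when nothing matches.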