List: scap-security-guide
Subject: [PATCH 3/4] Added <sub> sections to the deny_password_attempts rule for automatic substitution of co
From: wsantos () redhat ! com (Willy Santos)
Date: 2012-07-31 21:19:32
Message-ID: 1343769573-14578-4-git-send-email-wsantos () redhat ! com
Signed-off-by: Willy Santos <wsantos at redhat.com>
---
RHEL6/input/system/accounts/pam.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml \
b/RHEL6/input/system/accounts/pam.xml index 16f0bf3..da19749 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -316,10 +316,10 @@ auth required pam_deny.so</pre>
To enforce password
lockout, add the following to <tt>/etc/pam.d/system-auth</tt> and \
<tt>/etc/pam.d/password-auth</tt>. First, add the following just before the \
pam_unix.so auth line:
-<pre>auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900</pre>
+<pre>auth required pam_faillock.so preauth audit silent deny=<sub \
idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900</pre> Second, \
add the following two lines just after the pam_unix.so auth line:
-<pre>auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
-auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail audit deny=<sub \
idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900 +auth \
sufficient pam_faillock.so authsucc audit deny=<sub \
idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=900</pre> \
<ul><li>NOTE: The DoD requires accounts be locked out after 3 failed login attempts, \
accomplished by changing the value of the <tt>deny</tt> option to <i>3</i> in the \
example above.</li></ul>
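Review bot: The NOTE in the trailing context of this hunk is left out of step with the lines changed above it. It still tells the reader to change the deny option to 3 "in the example above", but the preauth, authfail and authsucc lines now take deny from <sub idref="var_accounts_passwords_pam_faillock_deny" /> instead of a literal 5, so the rendered example will already show whatever value the profile selects. Suggest rewording the note to say the threshold is set through var_accounts_passwords_pam_faillock_deny (3 for the DoD requirement), or dropping it. Separately, unlock_time=900 stays hard-coded on all three pam_faillock.so lines; if the lockout duration is meant to be tunable per profile as well, it would need its own variable in a follow-up.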
--
1.7.7.6