SCAP Workbench

Support for security such as Firewalls and securing linux
chicagokid01
Posts: 3
Joined: 2017/08/02 16:46:35

SCAP Workbench

Post by chicagokid01 » 2017/08/04 13:18:11

Hello, I'm new to this forum and new to Linux. I'm not sure if this is the right place for my question but figured I would start here.

I'm currently trying to set up a Linux VM test lab to play with. I have a CentOS 7 minimal install server that I am trying to secure using SCAP Workbench on another VM, and after I make the recommended changes SCAP Workbench does not recognize them.

For example, I have followed the recommended security guidelines for password policy and edited the following files.

Set Password Retry Prompts Permitted Per-Session
Edited /etc/pam.d/system-auth to show retry=3

Set Password Strength Minimum Digit Characters
Edited /etc/security/pwquality.conf
Uncommented dcredit = -1
Uncommented minlen = 8 and changed to 10
Uncommented ucredit = -1
Uncommented ocredit = -1

The VM has been rebooted, and I have verified that the PW policy is in place by trying to change a password for a user account, but when I rerun SCAP Workbench I get the same results that the test failed.

Other changes I make SCAP Workbench does recognize, so the results are inconsistent.

What am I missing?
If this is not the right forum, can someone point me in the right direction?

Thank you

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SCAP Workbench

Post by TrevorH » 2017/08/04 15:25:45

/etc/pam.d/system-auth should be a symlink to /etc/pam.d/system-auth-ac - is it still or did your editor break the symlink?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

chicagokid01
Posts: 3
Joined: 2017/08/02 16:46:35

Re: SCAP Workbench

Post by chicagokid01 » 2017/08/04 17:24:10

Thanks for your reply. I ran the following commands on the files:

ls -l /etc/pam.d/system-auth
-rw-r--r--. 1 root root 911 Aug 3 20:43 /etc/pam.d/system-auth

ls -l /etc/pam.d/system-auth-ac
-rw-r--r--. 1 root root 912 Aug 4 11:12 /etc/pam.d/system-auth-ac

So should I run ln -s /system-auth /system-auth-ac

or ln -s /system-auth-ac /system-auth

And why would editing system-auth in nano break the link?

Thanks again for your response

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SCAP Workbench

Post by TrevorH » 2017/08/04 17:26:16

Some editors are stupid and don't respect symlinks. When you save the file they save it as a file having removed the symlink. Apparently nano is one of those. This is what it looks like here:

lrwxrwxrwx.   1 root root    14 Oct  9  2016 system-auth -> system-auth-ac
-rw-r--r--.   1 root root   974 Nov 26  2016 system-auth-ac
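
The symlink breakage discussed in the posts above, reproduced as an added example that is not part of the original thread. It works in a scratch directory with constructed file contents, and it assumes the editor saves by writing a new file and renaming it over the path; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo in a scratch directory; nothing under /etc is touched.

# Print "symlink", "regular" or "missing" for a path.
kind_of() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo regular
    else echo missing
    fi
}

# Succeed only if $1 is a symlink whose target is exactly $2.
links_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Recreate the layout from the listing above: system-auth -> system-auth-ac.
make_layout() {
    dir=$(mktemp -d) || return 1
    printf 'password requisite pam_pwquality.so try_first_pass\n' > "$dir/system-auth-ac"
    ln -s system-auth-ac "$dir/system-auth"
    echo "$dir"
}

# Assumed save strategy: write a new file, then rename it over the path.
# The rename replaces the symlink itself, so system-auth-ac never sees the edit.
save_by_rename() {
    printf '%s\n' "$2" > "$1.tmp" && mv -f "$1.tmp" "$1"
}

# Repair: keep the edited content as system-auth-ac, then relink.
# Argument order is ln -s TARGET LINKNAME.
relink() {
    if links_to "$1/system-auth" system-auth-ac; then return 0; fi
    ( cd "$1" && mv -f system-auth system-auth-ac && ln -s system-auth-ac system-auth )
}

demo() {
    d=$(make_layout) || return 1
    echo "before save: $(kind_of "$d/system-auth")"
    save_by_rename "$d/system-auth" 'password requisite pam_pwquality.so try_first_pass retry=3'
    echo "after save:  $(kind_of "$d/system-auth")"
    relink "$d"
    echo "after fix:   $(kind_of "$d/system-auth") -> $(readlink "$d/system-auth")"
    rm -rf "$d"
}

demo
```

On the real host, `readlink /etc/pam.d/system-auth` printing `system-auth-ac` is the equivalent check.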

chicagokid01
Posts: 3
Joined: 2017/08/02 16:46:35

Re: SCAP Workbench

Post by chicagokid01 » 2017/08/04 19:04:52

Thanks for your help TrevorH

I recreated the links, rebooted the server but still no joy.

So anything else?

macattack2241
Posts: 6
Joined: 2017/08/18 15:56:54

Re: SCAP Workbench

Post by macattack2241 » 2017/08/18 18:07:07

If you've made the changes and tested them, then it is most likely an issue with SCAP Workbench, maybe a bug? If using the latest version, try testing with an older version or vice versa depending on what version you're using. Good practice for making security changes to PAM modules is taking a backup, having an SSH session for testing changes, and an open console in case you break logins.