Hello, new to this forum and new to Linux. I'm not sure if this is the right place for my question but figured I would start here.
I'm currently trying to set up a Linux VM test lab to play with. I have a CentOS 7 minimal install server that I am trying to secure using SCAP Workbench on another VM, and after I make the recommended changes SCAP Workbench does not recognize them.
For example, I have followed the recommended security guidelines for password policy and edited the following files.
Set Password Retry Prompts Permitted Per-Session
Edited /etc/pam.d/system-auth to show retry=3
Set Password Strength Minimum Digit Characters
Edited /etc/security/pwquality.conf
Uncommented dcredit = -1
Uncommented minlen = 8 and changed to 10
Uncommented ucredit = -1
Uncommented ocredit = -1
VM has been rebooted. I have verified that the PW policies are in place by trying to change a password for a user account, but when I rerun SCAP Workbench I get the same results that the test failed.
Other changes I make SCAP Workbench does recognize, so the results are inconsistent.
What am I missing?
If this is not the right forum then can someone point me in the right direction.
Thank you
SCAP Workbench
Re: SCAP Workbench
/etc/pam.d/system-auth should be a symlink to /etc/pam.d/system-auth-ac - is it still or did your editor break the symlink?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 3
- Joined: 2017/08/02 16:46:35
Re: SCAP Workbench
Thanks for your reply, I ran the following commands on the files
ls -l /etc/pam.d/system-auth
-rw-r--r--. 1 root root 911 Aug 3 20:43 /etc/pam.d/system-auth
ls -l /etc/pam.d/system-auth-ac
-rw-r--r--. 1 root root 912 Aug 4 11:12 /etc/pam.d/system-auth-ac
so should I run ln -s /system-auth /system-auth-ac
or ln -s /system-auth-ac /system-auth
And why would editing system-auth in nano break the link?
Thanks again for your response
Re: SCAP Workbench
Some editors are stupid and don't respect symlinks. When you save the file they save it as a file having removed the symlink. Apparently nano is one of those. This is what it looks like here
Code:
lrwxrwxrwx. 1 root root 14 Oct 9 2016 system-auth -> system-auth-ac
-rw-r--r--. 1 root root 974 Nov 26 2016 system-auth-ac
-
- Posts: 3
- Joined: 2017/08/02 16:46:35
Re: SCAP Workbench
Thanks for your help TrevorH
I recreated the links, rebooted the server but still no joy.
So anything else?
-
- Posts: 6
- Joined: 2017/08/18 15:56:54
Re: SCAP Workbench
If you've made the changes and tested them, then it is most likely an issue with SCAP Workbench, maybe a bug? If using the latest version, try testing with an older version, or vice versa depending on what version you're using. Good practice for making security changes to PAM modules is taking a backup, having an SSH session for testing changes, and an open console in case you break logins.
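The symlink check and repair discussed in this thread, written out as an added example (not code from any poster). The PAM_DIR variable, the function names and the .detached.bak backup name are assumptions of this sketch; the link direction follows the listing posted above (system-auth -> system-auth-ac).

```shell
#!/bin/sh
# Added example. PAM_DIR (hypothetical variable) defaults to the real
# directory; point it at a scratch copy to try this without touching PAM.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Print "ok" if system-auth is a symlink to system-auth-ac, "broken" if it
# is a regular file or links somewhere else, "missing" if it does not exist.
pam_link_state() {
    f="$PAM_DIR/system-auth"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            system-auth-ac|"$PAM_DIR/system-auth-ac") echo ok ;;
            *) echo broken ;;
        esac
    elif [ -e "$f" ]; then
        echo broken
    else
        echo missing
    fi
}

# Print the retry= value on the pam_pwquality password line of file $1
# (prints nothing if the option is absent).
pwquality_retry() {
    sed -n 's/^password[[:space:]].*pam_pwquality\.so.*[[:space:]]retry=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Re-create the link. Edits saved to a detached system-auth copy are not in
# system-auth-ac, so the copy is kept as a backup for comparison.
restore_pam_link() {
    f="$PAM_DIR/system-auth"
    [ "$(pam_link_state)" = "ok" ] && return 0
    [ -f "$PAM_DIR/system-auth-ac" ] || { echo "system-auth-ac missing" >&2; return 1; }
    if [ -e "$f" ] || [ -L "$f" ]; then
        mv "$f" "$f.detached.bak" || return 1
    fi
    ln -s system-auth-ac "$f"   # relative link, same form as the listing
}
```

After restore_pam_link, compare pwquality_retry on system-auth.detached.bak and on system-auth-ac: if only the backup reports 3, the retry=3 edit was saved to the detached copy and has to be applied to system-auth-ac as well.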