Check Configuration of password remember #157

Open
m41kc0d3 wants to merge 3 commits into
dev-sec:master from
m41kc0d3:reuse-previous-passwords


@m41kc0d3 m41kc0d3 commented Jul 21, 2021

and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Public Telekom Security - Requirements

and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
@m41kc0d3 m41kc0d3 force-pushed the reuse-previous-passwords branch from deddf31 to 109d01a Compare July 21, 2021 12:33

@chris-rock chris-rock left a comment

Member

Thank you @m41kc0d3 I added some comments and happy to discuss how we proceed?

Comment thread controls/os_spec.rb Outdated
it { should exist }
it { should be_owned_by 'root' }
its('group') { should eq 'root' }
its(:content) { should match /^password requisite pam_pwhistory.so remember=60 use_authtok$/ }
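
Review bot: The `its(:content)` matcher hardcodes `remember=60` and requires exactly one space between fields, so it fails on a file that separates the PAM fields with tabs or several spaces, lists further module options, or is configured with any other remember value. The `.` in `pam_pwhistory.so` is also unescaped and matches any character. Consider taking the expected remember value from an InSpec input with a default, escaping the dot as `pam_pwhistory\.so`, and matching `\s+` between the fields.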

@chris-rock chris-rock Jul 21, 2021

Member

This collects 60 passwords. I suggest to go with the CIS default of 5 and make this the default argument for this policy. You can then override the policy with 60 for your needs.

What do you think if we also split this into multiple pieces as CIS DIL 5.3 is doing?

Author

I set the default back to 5

Comment thread controls/os_spec.rb

control 'os-14' do
impact 1.0
title 'Check pam config - RedHat specific'

@chris-rock chris-rock Jul 21, 2021

Member

All controls that we are adding to the baseline need to be applicable and tested on all major Linux distributions.

Author

Hi @chris-rock,
in dev-sec/ansible-collection-hardening there is currently no configuration of this for other distributions and I am not the Debian master that can create them. So I only change some code in dev-sec/ansible-collection-hardening and create the missing test in this repo.

Contributor

Our code for PAM configuration on any non-RHEL based distribution is severely lacking.
I would propose opening an issue for this and going on with only RHEL support here.

m41kc0d3 added 2 commits July 22, 2021 09:36
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>

Reviewers

@chris-rock left review comments

@schurzi left review comments
