Security Documentation Error

Was writing some security-enforcement CM modules for my environment. Was consulting Red Hat's SCAP security guide to use as my reference. I got to implementing the section on pam_faillock and discovered that it didn't seem to be working. The system log would show that it was setting the lock action:

Dec  3 12:50:53 ip-172-31-2-104 sshd[8647]: pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
Dec  3 12:50:55 ip-172-31-2-104 sshd[8647]: Failed password for testuser from 208.48.166.129 port 54925 ssh2
Dec  3 12:50:55 ip-172-31-2-104 sshd[8650]: Connection closed by 208.48.166.129
Dec  3 12:50:55 ip-172-31-2-104 sshd[8647]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.48.166.129  user=testuser

However, if I reconnected to the system and used the same userid and correct credentials, it would let me in. So, started googling around and found a solution document concerning the issue.

In looking at the SCAP guide, they pulled the content from the STIGs for EL6 - the same bug is there. Also looks like the documentation bug is in the scap-security-guide-0.1.18-3.el6.noarch RPM. I'd open a case to get the SCAP guides fixed, but my current account doesn't seem to have that ability associated with it anymore.
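
A log check for the symptom described in the post above, as an added example that is not part of the original post: it flags a password login accepted for a user while a pam_faillock lock logged for that user should still be in force. The sample log is constructed (the lock line follows the post's format), and `unenforced_lockouts`, its `unlock_time` default of 600 seconds and the `year` parameter are assumptions to adjust to the deployed configuration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the lock line follows the format shown in the post;
# the addresses and the "Accepted password" entries are made up.
SAMPLE_LOG = """\
Dec  3 12:50:53 ip-172-31-2-104 sshd[8647]: pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
Dec  3 12:50:55 ip-172-31-2-104 sshd[8647]: Failed password for testuser from 192.0.2.10 port 54925 ssh2
Dec  3 12:51:40 ip-172-31-2-104 sshd[8702]: Accepted password for testuser from 192.0.2.10 port 54931 ssh2
Dec  3 12:52:10 ip-172-31-2-104 sshd[8710]: Accepted password for otheruser from 192.0.2.11 port 40022 ssh2
"""

LOCK = re.compile(r"pam_faillock\(\S+\): Consecutive login failures "
                  r"for user (\S+) account temporarily locked")
# Only PAM-backed methods: public-key logins do not pass through the auth stack.
ACCEPT = re.compile(r"sshd\[\d+\]: Accepted "
                    r"(?:password|keyboard-interactive/pam) for (\S+) from")

def unenforced_lockouts(log_text, unlock_time=600, year=2000):
    """Return (user, locked_at, accepted_at) for every login accepted
    less than unlock_time seconds after a lock message for that user.

    unlock_time (assumption) must match the value in the PAM configuration;
    year (assumption) is supplied because syslog timestamps omit it.
    """
    locked = {}      # user -> time of the most recent lock message
    findings = []
    for line in log_text.splitlines():
        try:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not a syslog-formatted line
        m = LOCK.search(line)
        if m:
            locked[m.group(1)] = ts
            continue
        m = ACCEPT.search(line)
        if m and m.group(1) in locked:
            locked_at = locked.pop(m.group(1))
            if ts - locked_at < timedelta(seconds=unlock_time):
                findings.append((m.group(1), locked_at, ts))
    return findings

if __name__ == "__main__":
    for user, locked_at, accepted_at in unenforced_lockouts(SAMPLE_LOG):
        delay = int((accepted_at - locked_at).total_seconds())
        print(f"{user}: login accepted {delay}s after lock message")
```

A hit can also come from an administrator clearing the failure records inside the window, so confirm against the PAM configuration before treating it as a misconfiguration.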
