Set maximum login attempts

src/freedombone-tests

@@ -397,9 +397,9 @@ function test_stig {
     ################
 
     ##RHEL-06-000061
-    ##The system must disable accounts after three consecutive unsuccessful logon attempts.
+    ##The system must disable accounts after ten consecutive unsuccessful logon attempts.
 
-    bash $STIG_TESTS_DIR/check-password.sh /etc/pam.d/common-auth pam_tally deny gt 3 > /dev/null 2>&1 &
+    bash $STIG_TESTS_DIR/check-password.sh /etc/pam.d/common-auth pam_tally deny gt 10 > /dev/null 2>&1 &
 
     stig_spinner $!
     output "V-38573" $? ${SETLANG}

src/freedombone-utils-setup

@@ -377,6 +377,16 @@ function set_shadow_permissions {
     chmod 0000 /etc/gshadow
 }
 
+function set_max_login_tries {
+    max_tries=$1
+
+    if ! grep ' deny=' /etc/pam.d/common-auth; then
+        sed -i "/pam_deny.so/a auth    required    pam_tally2.so    onerr=fail unlock_time=1800 deny=$max_tries" /etc/pam.d/common-auth
+    else
+        sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
+    fi
+}
+
 function setup_firewall {
     function_check create_completion_file
     create_completion_file
@@ -401,6 +411,9 @@ function setup_utils {
     read_config_param "PROJECT_REPO"
     write_config_param "PROJECT_REPO" "$PROJECT_REPO"
 
+    function_check set_max_login_tries
+    set_max_login_tries 10
+
     function_check set_shadow_permissions
     set_shadow_permissions
 

tests/output.sh

@@ -482,7 +482,7 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
               fi
               ;;
     V-38573)  if [ "$3" = "en" ]; then
-                  log_msg $2 'The system must disable accounts after three consecutive unsuccessful logon attempts.'
+                  log_msg $2 'The system must disable accounts after ten consecutive unsuccessful logon attempts.'
               else
                   log_msg $2 "系统必须在连续3次失败的登录尝试后禁用帐号。"
               fi