Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 232993 - FIPS 200: audit rejection based on number of sessions, origin and time
Summary: FIPS 200: audit rejection based on number of sessions, origin and time
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact:
Depends On:
Blocks: 232995
TreeView+ depends on / blocked
Reported: 2007-03-19 19:53 UTC by Chris Runge
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version: RHSA-2007-0555
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2007-11-07 15:40:24 UTC
Target Upstream Version:

Attachments (Terms of Use)
Proposed patch (deleted)
2007-03-27 21:08 UTC, Tomas Mraz
no flags Details | Diff
Proposed patch which adds also pam_time and pam_access support (deleted)
2007-04-02 08:46 UTC, Tomas Mraz
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0555 normal SHIPPED_LIVE Moderate: pam security, bug fix, and enhancement update 2007-11-07 16:22:23 UTC

Description Chris Runge 2007-03-19 19:53:38 UTC
Requirement for FIPS 200

NIST 800-53
The information system limits the number of concurrent sessions for any user to
[Assignment: organization-defined number of sessions].


According to sgrubb:

"Just checked with pam maintainer and he feels that pam_limits covers this one. 
I think we should have the rejection tied to the audit system. So, we are 
closer than I thought. It should work so that we can check that item off, but 
we can make it better."

Comment 1 Tomas Mraz 2007-03-27 21:08:18 UTC
Created attachment 151083 [details]
Proposed  patch

Patch to audit login denial due to maximum number of concurrent sessions.

Comment 2 Tomas Mraz 2007-03-30 14:48:20 UTC
We are also missing auditing in pam_access for rejection based on login origin
and in pam_time for rejection based on time.

Comment 3 Tomas Mraz 2007-04-02 08:46:36 UTC
Created attachment 151407 [details]
Proposed  patch which adds also pam_time and pam_access support

Comment 9 errata-xmlrpc 2007-11-07 15:40:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.