Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 232993 - FIPS 200: audit rejection based on number of sessions, origin and time
FIPS 200: audit rejection based on number of sessions, origin and time
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
: FutureFeature
Depends On:
Blocks: 202601 232995
  Show dependency treegraph
Reported: 2007-03-19 15:53 EDT by Chris Runge
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: RHSA-2007-0555
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 10:40:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch (2.66 KB, patch)
2007-03-27 17:08 EDT, Tomas Mraz
no flags Details | Diff
Proposed patch which adds also pam_time and pam_access support (15.95 KB, patch)
2007-04-02 04:46 EDT, Tomas Mraz
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0555 normal SHIPPED_LIVE Moderate: pam security, bug fix, and enhancement update 2007-11-07 11:22:23 EST

  None (edit)
Description Chris Runge 2007-03-19 15:53:38 EDT
Requirement for FIPS 200

NIST 800-53
The information system limits the number of concurrent sessions for any user to
[Assignment: organization-defined number of sessions].


According to sgrubb:

"Just checked with pam maintainer and he feels that pam_limits covers this one. 
I think we should have the rejection tied to the audit system. So, we are 
closer than I thought. It should work so that we can check that item off, but 
we can make it better."
Comment 1 Tomas Mraz 2007-03-27 17:08:18 EDT
Created attachment 151083 [details]
Proposed  patch

Patch to audit login denial due to maximum number of concurrent sessions.
Comment 2 Tomas Mraz 2007-03-30 10:48:20 EDT
We are also missing auditing in pam_access for rejection based on login origin
and in pam_time for rejection based on time.
Comment 3 Tomas Mraz 2007-04-02 04:46:36 EDT
Created attachment 151407 [details]
Proposed  patch which adds also pam_time and pam_access support
Comment 9 errata-xmlrpc 2007-11-07 10:40:24 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.