Guide to the Secure Configuration of Webmin

with profile Common Profile for Webmin system administration tool

This guide presents a catalog of security-relevant configuration settings for Webmin. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Webmin, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Title	Common Profile for Webmin system administration tool
Profile ID	xccdf_org.ssgproject.content_profile_common

Revision History

Current version: 0.1.35

draft (as of 2017-08-29)

UserAdmin Module Required Settings

Checklist

contains 28 rules

Required User Account Settings [ref]group

To support a secured and compliant configuration, a number of user account settings need to be modified from there default configuration.

contains 3 rules

Use PAM for Unix authentication. [ref]rule

Webmin must use the OS-provided Password Authentication Module for validating passwords.

Rationale:

Severity: medium

Identifiers: CCE-

References: SA-2(b), 612

Remediation Shell script: (show)

if [ "$(grep -c '^no_pam=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "no_pam=0" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^no_pam=.*/no_pam=0/" /etc/webmin/miniserv.conf
fi

Use passwd for changing passwords. [ref]rule

Webmin must use passwd for password changes so that password requirements configured in the operating system are enforced on new password selections.

Rationale:

Severity: medium

Identifiers: CCE-

References: SA-2(b), 612

Remediation Shell script: (show)

if [ "$(grep -c '^passwd_cmd=' /etc/webmin/config)" = "0" ]; then
	echo "passwd_cmd=/usr/bin/passwd" >> /etc/webmin/config
else
	sed -i "s/^passwd_cmd=.*/passwd_cmd=\/usr\/bin\/passwd/" /etc/webmin/config
fi

Enable the ability for a user to change an expired password. [ref]rule

Webmin must enable a user to change their password when it has expired.

Rationale:

Severity: medium

Identifiers: CCE-

References: SA-2(b), 612

Remediation Shell script: (show)

if [ "$(grep -c '^passwd_mode=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "passwd_mode=2" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^passwd_mode=.*/passwd_mode=2/" /etc/webmin/miniserv.conf
fi

Session Security [ref]group

To support secured access to webmin.

contains 6 rules

Display approved login banner prior to login. [ref]rule

Display approved login banner prior to login.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)


var_webmin_sessions_login_banner_text="You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details."

if [ "$(grep -c '^loginbanner=' /etc/webmin/config)" = "0" ]; then
	echo loginbanner=/etc/webmin/login_banner >> /etc/webmin/config
else
	sed -i 's/^loginbanner=.*/loginbanner=\/etc\/webmin\/login_banner/' /etc/webmin/config
fi
echo $var_webmin_sessions_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;/\&/g' -e 's/\\//g' -e 's/ - /\n- /g' >/etc/webmin/login_banner
echo "<a href='LOGINURL'>Click here to login</a>" >> /etc/webmin/login_banner

Configure approved webmin port. [ref]rule

Configure approved webmin port.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)


var_webmin_sessions_port="15000"

if [ "$(grep -c '^port=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo port=$var_webmin_sessions_port >> /etc/webmin/miniserv.conf
else
	sed -i "s/^port=.*/port=$var_webmin_sessions_port/" /etc/webmin/miniserv.conf
fi
if [ "$(grep -c '^listen=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo listen=$var_webmin_sessions_port >> /etc/webmin/miniserv.conf
else
	sed -i "s/^listen=.*/listen=$var_webmin_sessions_port/" /etc/webmin/miniserv.conf
fi

Prevent the ability for a user to save their login credentials for future access. [ref]rule

Prevent the ability for a user to save their login credentials for future access.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^noremember=' /etc/webmin/config)" = "0" ]; then
	echo "noremember=1" >> /etc/webmin/config
else
	sed -i "s/^noremember=.*/noremember=1/" /etc/webmin/config
fi

Use approved ciphers for encryption. [ref]rule

Use approved ciphers for encryption.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c no_ssl3 /usr/libexec/webmin/miniserv.pl)" = "0" ]; then
	if [ "$(grep -c '^ssl_cipher_list=' /etc/webmin/miniserv.conf)" = "0" ]; then
		echo 'ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:+TLSv1.2:+TLSv1:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM' >> /etc/webmin/miniserv.conf
	else
		sed -i 's/^ssl_cipher_list=.*/ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:+TLSv1.2:+TLSv1:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM/' /etc/webmin/miniserv.conf
	fi
else
	if [ "$(grep -c '^ssl_cipher_list=' /etc/webmin/miniserv.conf)" = "0" ]; then
		echo 'ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:+TLSv1.2:+TLSv1:!MD5:!SSLv2:SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM' >> /etc/webmin/miniserv.conf
	else
		sed -i 's/^ssl_cipher_list=.*/ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:+TLSv1.2:+TLSv1:!MD5:!SSLv2:SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM/' /etc/webmin/miniserv.conf
	fi
	if [ "$(grep -c '^no_ssl2=' /etc/webmin/miniserv.conf)" = "0" ]; then
		echo 'no_ssl2=1' >> /etc/webmin/miniserv.conf
	else
		sed -i 's/^no_ssl2=.*/no_ssl2=1/' /etc/webmin/miniserv.conf
	fi
	if [ "$(grep -c '^no_ssl3=' /etc/webmin/miniserv.conf)" = "0" ]; then
		echo 'no_ssl3=1' >> /etc/webmin/miniserv.conf
	else
		sed -i 's/^no_ssl3=.*/no_ssl3=1/' /etc/webmin/miniserv.conf
	fi
fi
if [ "$(grep -c '^ssl_honorcipherorder=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo 'ssl_honorcipherorder=1' >> /etc/webmin/miniserv.conf
else
	sed -i 's/^ssl_honorcipherorder=.*/ssl_honorcipherorder=1/' /etc/webmin/miniserv.conf
fi

Encryption is enabled and enforced. [ref]rule

Encryption is enabled and enforced.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^ssl=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "ssl=1" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^ssl=.*/ssl=1/" /etc/webmin/miniserv.conf
fi
if [ "$(grep -c '^ssl_redirect=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "ssl_redirect=1" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^ssl_redirect=.*/ssl_redirect=1/" /etc/webmin/miniserv.conf
fi

Sessions are closed after idling a specified number of minutes. [ref]rule

Sessions are closed after idling a specified number of minutes.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)


var_webmin_sessions_timeout="15"

if [ "$(grep -c '^logouttime=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo logouttime=$var_webmin_sessions_timeout >> /etc/webmin/miniserv.conf
else
	sed -i "s/^logouttime=.*/logouttime=$var_webmin_sessions_timeout/" /etc/webmin/miniserv.conf
fi

Required log file configurations [ref]group

To support accountability of access to the system, required log file configurations must be applied.

contains 6 rules

Log actions performed by users. [ref]rule

Log actions performed by users.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^log=' /etc/webmin/config)" = "0" ]; then
	echo "log=1" >> /etc/webmin/config
else
	sed -i "s/^log=.*/log=1/" /etc/webmin/config
fi

Logs must not be accessible to unauthorized users. [ref]rule

Logs must not be accessible to unauthorized users.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^logperms=' /etc/webmin/config)" = "0" ]; then
	echo "logperms=640" >> /etc/webmin/config
else
	sed -i "s/^logperms=.*/logperms=640/" /etc/webmin/config
fi

Prevent users from covering their trail. [ref]rule

Prevent users from covering their trail.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^logclear=' /etc/webmin/config)" = "0" ]; then
	echo "logclear=0" >> /etc/webmin/config
else
	sed -i "s/^logclear=.*/logclear=0/" /etc/webmin/config
fi

Log access attempts to the webmin. [ref]rule

Log access attempts to the webmin.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^log=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "log=1" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^log=.*/log=1/" /etc/webmin/miniserv.conf
fi

Logs must not be accessible to unauthorized users. [ref]rule

Logs must not be accessible to unauthorized users.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^logperms=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "logperms=640" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^logperms=.*/logperms=640/" /etc/webmin/miniserv.conf
fi

Prevent users from covering their trail. [ref]rule

Prevent users from covering their trail.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^logclear=' /etc/webmin/miniserv.conf)" = "0" ]; then
	echo "logclear=0" >> /etc/webmin/miniserv.conf
else
	sed -i "s/^logclear=.*/logclear=0/" /etc/webmin/miniserv.conf
fi

Required patches [ref]group

To support combating known weaknesses, the webmin application must be up to date.

contains 1 rule

The Webmin application installed on the system is updated. [ref]rule

The Webmin application installed on the system is updated.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Webmin Modules [ref]group

The following sections contain information on security-relevant choices for configuring Webmin modules in an IA compliant manner.

contains 12 rules

UserAdmin Module Required Settings [ref]group

To support a secured and compliant configuration, a number of user account settings need to be modified from there default configuration.

contains 12 rules

Configure new accounts to create their home directory with a default permission setting of 750. [ref]rule

New users created through the UserAdmin Webmin module must have the default permissions of 750 applied to their home directory when created.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^homedir_perms=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo "homedir_perms=0750" >> /etc/webmin/useradmin/config
else
	sed -i "s/^homedir_perms=.*/homedir_perms=0750/" /etc/webmin/useradmin/config
fi

Configure new accounts to lock out after a number of days of no activity. [ref]rule

New users created through the UserAdmin Webmin module must include required account expiration criteria.

Rationale:

Severity: medium

Identifiers: CCE-

References: AC-2(2), AC-2(3), 16, 17, 795

Remediation Shell script: (show)


var_webmin_module_useradmin_accounts_inactive="35"

if [ "$(grep -c '^default_inactive=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo default_inactive=$var_webmin_module_useradmin_accounts_inactive >> /etc/webmin/useradmin/config
else
	sed -i "s/^default_inactive=.*/default_inactive=$var_webmin_module_useradmin_accounts_inactive/" /etc/webmin/useradmin/config
fi

Configure new accounts to expire their password after a maximum number days. [ref]rule

New users created through the UserAdmin Webmin module must include required maximum password life criteria.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f), IA-5(g), IA-5(1)(d), 180, 199

Remediation Shell script: (show)


var_webmin_module_useradmin_accounts_max="60"

if [ "$(grep -c '^default_max=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo default_max=$var_webmin_module_useradmin_accounts_max >> /etc/webmin/useradmin/config
else
	sed -i "s/^default_max=.*/default_max=$var_webmin_module_useradmin_accounts_max/" /etc/webmin/useradmin/config
fi

Configure new accounts to prevent changing passwords more than once per the minimum number of days defined. [ref]rule

New users created through the UserAdmin Webmin module must include required minimum password life criteria.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f), IA-5(1)(d), 198

Remediation Shell script: (show)


var_webmin_module_useradmin_accounts_min="1"

if [ "$(grep -c '^default_min=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo default_min=$var_webmin_module_useradmin_accounts_min >> /etc/webmin/useradmin/config
else
	sed -i "s/^default_min=.*/default_min=$var_webmin_module_useradmin_accounts_min/" /etc/webmin/useradmin/config
fi

Configure new accounts to warn the user about their password expiring. [ref]rule

New users created through the UserAdmin Webmin module must include required account password expiration warning criteria.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)


var_webmin_module_useradmin_accounts_warn="7"

if [ "$(grep -c '^default_warn=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo default_warn=$var_webmin_module_useradmin_accounts_warn >> /etc/webmin/useradmin/config
else
	sed -i "s/^default_warn=.*/default_warn=$var_webmin_module_useradmin_accounts_warn/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to store passwords created using a specified hashing algorithm. [ref]rule

Passwords generated through the UserAdmin Webmin module must be stored using the specified hashing algorithm.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)


var_webmin_module_useradmin_accounts_password_hash="4"

if [ "$(grep -c '^md5=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo md5=$var_webmin_module_useradmin_accounts_password_hash >> /etc/webmin/useradmin/config
else
	sed -i "s/^md5=.*/md5=$var_webmin_module_useradmin_accounts_password_hash/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to require a minimum number of characters in passwords defined. [ref]rule

Passwords created through the UserAdmin Webmin module must include the minimum defined number of characters in the password.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f), IA-5(1)(a), 205

Remediation Shell script: (show)


var_webmin_module_useradmin_accounts_min_length="14"

if [ "$(grep -c '^passwd_min=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo passwd_min=$var_webmin_module_useradmin_accounts_min_length >> /etc/webmin/useradmin/config
else
	sed -i "s/^passwd_min=.*/passwd_min=$var_webmin_module_useradmin_accounts_min_length/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to require at least 1 upper-case character, 1 lower-case character, 1 numeric character, and 1 special character. [ref]rule

Passwords created through the UserAdmin Webmin module must include at least 1 upper-case character, 1 lower-case character, 1 numeric character, and 1 special character.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f), IA-5(1)(a), 205

Remediation Shell script: (show)

if [ "$(grep -c '^passwd_re=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo "passwd_re=^.*(?=.*[a-z])(?=.*[A-Z])(?=.*[\d])(?=.*[\W]).*$" >> /etc/webmin/useradmin/config
else
	sed -i "s/^passwd_re=.*/passwd_re=^.*(?=.*[a-z])(?=.*[A-Z])(?=.*[\\\\d])(?=.*[\\\\W]).*$/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to require passwords to not include dictionary words. [ref]rule

Passwords created through the UserAdmin Webmin module must not include dictionary words.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f), IA-5(1)(a), 205

Remediation Shell script: (show)

if [ "$(grep -c '^passwd_dict=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo "passwd_dict=1" >> /etc/webmin/useradmin/config
else
	sed -i "s/^passwd_dict=.*/passwd_dict=1/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to require passwords to be different from the previously configured password. [ref]rule

Passwords created through the UserAdmin Webmin module must not be the same as the previous password used.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f), IA-5(1)(a), 205

Remediation Shell script: (show)

if [ "$(grep -c '^passwd_same=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo "passwd_same=1" >> /etc/webmin/useradmin/config
else
	sed -i "s/^passwd_same=.*/passwd_same=1/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to mask the password characters entered with stars. [ref]rule

The UserAdmin Webmin module must not display the characters entered for the password in clear text.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^passwd_stars=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo "passwd_stars=1" >> /etc/webmin/useradmin/config
else
	sed -i "s/^passwd_stars=.*/passwd_stars=1/" /etc/webmin/useradmin/config
fi

Configure the UserAdmin Webmin module to display last login information for all users. [ref]rule

User last login information must be displayed to support detecting unauthorized access.

Rationale:

Severity: medium

Identifiers: CCE-

References: IA-5(f)

Remediation Shell script: (show)

if [ "$(grep -c '^last_show=' /etc/webmin/useradmin/config)" = "0" ]; then
	echo "last_show=1" >> /etc/webmin/useradmin/config
else
	sed -i "s/^last_show=.*/last_show=1/" /etc/webmin/useradmin/config
fi

Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.