hardened-centos7-kickstart
hardened-centos7-kickstart copied to clipboard
fcaviggia
Unable to access OS after a period of time
We are using an ISO with the hardened CentOS7 on several VMs in our JWICS lab. They were installed with the Workstation configuration to enable access to GNOME. There are no issues when the VMs are actively being used. However, we've experienced odd behavior after not using a VM for a few days. The VM appears to be frozen, no mouse or keyboard actions work. Then, after restarting the guest, the OS boots but to a black screen and not the GNOME login screen. There appears to be an image covering the login screen. We thought the user could have been locked out, but when booting into troubleshooting, the user is not locked out (via grep'ing /etc/shadow). We changed the root and admin passwords, but were still unable to get to the GNOME login. This has happened on several occasions on different VMs. We even had a snapshot and a template, but when either restoring the snapshot or creating a new VM from the template, the same behavior was seen. Is there some sort of lock-out mechanism at play in this hardened OS? Stopping and re-starting the VM does nothing. The only option has been to reinstall. Any guidance will be very much appreciated. We're looking to deploy a system of record with this OS and need to have confidence that it will operate properly. I haven't seen any documentation that could possibly explain our issue.
The accounts expire after 30 days of not logging in check the /etc/pam.d/* configuration - faillock can also lock the system. I've had to tailor that setting for a number of JWICS systems. It's probably easier to reach me on there these days - look me up in the directory. There are also some settings with the usbgaurd stuff.
Thanks, Frank. I'll be on base tomorrow, so I'll reach out on the high side. I'm hoping I can recover my existing VM since I've done a bunch of configuration and deployment on it. Will that be possible?
Yes, you have to boot with the DVD and unlock the account, if your AO allows for longer timelines feel free to adjust the timeouts to longer - I've found with covid-19 extending timeouts for accounts to be needed.
Sounds good, Frank. Does the behavior I described (no login screen, black screen) sound familiar and likely mean an expired account? I'll hit you up on JWICS tomorrow. Appreciate your time.
Hmm. That sounds more like a graphics card/xwindows issue - you might do an ALT-{F1-F7} to see if there are text-based login screens.
So I've verified that the admin and root accounts are not locked and passwords have not expired. Actually both accounts are set to never expire (chage -l). The Alt-Fx had no effect at the black screen. I'm going to see if I can boot to the command line and reinstall GNOME.
Hey sorry, I lost track of this - I've pretty much had non-stop meetings. My red phone is 850-1898 if you'd like to call there later this week (off for Veteran's Day tomorrow).
LOL...OPSEC....Guys - I can look at your repos, glean who your customers are, probably who you work for, AND know that you work on TS material.
