Bug 1357019

Summary: | remediation script for 'Enable Smart Card Login' invalidates other remediations | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Marek Haicman <mhaicman> |
Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.3 | CC: | dapospis, jlieskov, mhaicman, mpreisle, pvrabec |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | scap-security-guide-0.1.33-1.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-01 12:23:38 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Marek Haicman
2016-07-15 13:38:08 UTC
Proposed upstream patch: https://github.com/OpenSCAP/scap-security-guide/pull/1388

Verified that the "Enable Smart Card Login" remediation no longer breaks other fixes in version scap-security-guide-0.1.30-3.el7.noarch.

    [0 root@qeos-101 content]# oscap xccdf eval --profile test --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml|grep -A3 -i 'Set Deny For Failed Password Attempts\|Enable Smart Card Login'
    Title   Set Deny For Failed Password Attempts
    Rule    accounts_passwords_pam_faillock_deny
    Ident   CCE-27350-8
    Result  fail
    --
    Title   Enable Smart Card Login
    Rule    smartcard_auth
    Ident   CCE-80207-4
    Result  fail
    --
    Title   Set Deny For Failed Password Attempts
    Rule    accounts_passwords_pam_faillock_deny
    Ident   CCE-27350-8
    Result  fixed
    --
    Title   Enable Smart Card Login
    Rule    smartcard_auth
    Ident   CCE-80207-4
    Result  fixed
    [0 root@qeos-101 content]# oscap xccdf eval --profile test --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml|grep -A3 -i 'Set Deny For Failed Password Attempts\|Enable Smart Card Login'
    Title   Set Deny For Failed Password Attempts
    Rule    accounts_passwords_pam_faillock_deny
    Ident   CCE-27350-8
    Result  pass
    --
    Title   Enable Smart Card Login
    Rule    smartcard_auth
    Ident   CCE-80207-4
    Result  pass

Hello iankko,
I have noticed that the remediation script creates duplicates in the /etc/pam.d/system-auth file in some cases. Can you check if it is worth fixing?

Remediation of /etc/pam.d/system-auth with this auth section [malformation being the result of my verification attempts]:

    auth required pam_env.so
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth required pam_faillock.so preauth silent deny=3
    auth sufficient pam_unix.so try_first_pass
    auth [default=die] pam_faillock.so authfail deny=3
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth required pam_deny.so

results in:

    auth required pam_env.so
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
    auth required pam_faillock.so preauth silent deny=3
    auth sufficient pam_unix.so try_first_pass
    auth [default=die] pam_faillock.so authfail deny=3
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth required pam_deny.so

(In reply to Marek Haicman from comment #7)

Hi Marek, thank you for checking.

> Hello iankko,
> I have noticed that the remediation script creates duplicates in the
> /etc/pam.d/system-auth file in some cases. Can you check if it is worth
> fixing?
>
> Remediation of /etc/pam.d/system-auth with this auth section [malformation
> being the result of my verification attempts]:
>
> auth required pam_env.so
> auth [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

Trying to identify what got removed from the original file: the following line was deleted:

    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

right?

> auth required pam_faillock.so preauth silent deny=3
> auth sufficient pam_unix.so try_first_pass
> auth [default=die] pam_faillock.so authfail deny=3
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth required pam_deny.so
>
> results in:
>
> auth required pam_env.so
> auth [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth [success=done authinfo_unavail=ignore ignore=ignore default=die]
> pam_pkcs11.so nodebug
> auth [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth [success=done authinfo_unavail=ignore ignore=ignore default=die]
> pam_pkcs11.so nodebug

Adding the same row twice under certain conditions certainly isn't nice. On the other hand, SSG content shouldn't be considered a /etc/pam.d/system-auth syntax checker. If /etc/pam.d/system-auth is initially configured in a wrong way, SSG can't be relied upon to fix the configuration.

> auth required pam_faillock.so preauth silent deny=3
> auth sufficient pam_unix.so try_first_pass
> auth [default=die] pam_faillock.so authfail deny=3
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth required pam_deny.so

As for whether this is worth fixing, I need to investigate further. Will let you know.

After some more thinking about the issue, what I don't like specifically is that we do append line [1]

    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

after line [2]

    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

even in case line [2] has already been there. And there is a problem with the approach, as line [2] feels pretty generic and could actually be present in some deliberate configuration to skip some line [3] for these services. And by appending another [1], we effectively break the logic, as [3] won't be skipped anymore. So my suggestion is to just add [2] [1] right after the pam_env.so line, and leave it that way.

@Dalibor, hi, can you check if the logic makes sense?

Patch improving the remediation and addressing the concerns raised: https://github.com/OpenSCAP/scap-security-guide/pull/1967

Verifying fix on version scap-security-guide-0.1.33-4.el7.noarch

NEW: contents of /etc/pam.d/system-auth-ac after remediation of the mangled file

    <snip>
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth required pam_faildelay.so delay=2000000
    auth required pam_faillock.so preauth silent deny=3 unlock_time=1800
    <snip>

OLD: contents of /etc/pam.d/system-auth-ac after remediation of the mangled file

    <snip>
    auth required pam_env.so
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
    auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
    auth required pam_faillock.so preauth silent deny=3 unlock_time=1800
    <snip>

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064
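The approach iankko settles on in the thread (insert the pam_succeed_if.so skip line and the pam_pkcs11.so line once, directly after pam_env.so, and leave any pre-existing skip line where it is) can be checked in isolation. The script below is an added example written for this page, not the scap-security-guide remediation from PR 1967. It assumes the two PAM lines quoted in the thread, anchors on the first uncommented `auth ... pam_env.so` line, treats an existing uncommented `auth ... pam_pkcs11.so` line as "already configured", and works on a constructed copy of the mangled auth section from Marek's comment rather than the real /etc/pam.d/system-auth. The function and helper names are mine.

```shell
#!/bin/sh
# Added example, not the scap-security-guide remediation itself: insert the
# smart-card PAM pair directly after the pam_env.so line of a system-auth style
# file, skipping the insert when pam_pkcs11.so is already configured.  Any
# pre-existing "pam_succeed_if.so service notin ..." line is left untouched, so
# re-running never stacks a second pam_pkcs11.so line after it.

SKIP_LINE='auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid'
PKCS11_LINE='auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug'

# count_pkcs11 FILE: number of active (uncommented) pam_pkcs11.so auth lines.
count_pkcs11() {
    grep -Ec '^[[:space:]]*auth[[:space:]].*pam_pkcs11\.so' "$1" || true
}

# add_smartcard_auth FILE: idempotent insert.  Returns 0 when the file is
# configured afterwards, 1 when there is no pam_env.so line to anchor on.
add_smartcard_auth() {
    f=$1
    [ "$(count_pkcs11 "$f")" -eq 0 ] || return 0      # already configured
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_env\.so' "$f" || return 1
    tmp=$(mktemp) || return 1
    # Copy every line; after the first active pam_env.so auth line emit the
    # skip line and the pam_pkcs11.so line exactly once.
    awk -v skip="$SKIP_LINE" -v pkcs="$PKCS11_LINE" '
        { print }
        !inserted && $1 == "auth" && /pam_env\.so/ { print skip; print pkcs; inserted = 1 }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the original file mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# write_sample FILE: constructed input, the "mangled" auth section quoted in
# the bug report (skip line present, pam_pkcs11.so line missing).
write_sample() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        required      pam_faillock.so preauth silent deny=3
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
EOF
}

# Demo: remediate the constructed sample twice and show the result.
demo=$(mktemp)
write_sample "$demo"
add_smartcard_auth "$demo"
add_smartcard_auth "$demo"
printf 'pam_pkcs11.so lines after two runs: %s\n' "$(count_pkcs11 "$demo")"
cat "$demo"
rm -f "$demo"
```

After the first pass the file reads pam_env.so, skip line, pam_pkcs11.so, and then the original skip line followed by pam_faillock.so, matching the NEW output in the verification comment; the second pass changes nothing. The original skip line further down keeps skipping whatever module follows it, which is the deliberate-configuration case the thread did not want broken.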