Bug 1357019

Summary: remediation script for 'Enable Smart Card Login' invalidates other remediations
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Priority: medium
Version: 7.3
CC: dapospis, jlieskov, mhaicman, mpreisle, pvrabec
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.33-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 12:23:38 UTC
Type: Bug

Description Marek Haicman 2016-07-15 13:38:08 UTC
Description of problem:
Some of the rules, for example 'Set Deny For Failed Password Attempts', need to alter configs that may be recreated by authconfig (again as an example, /etc/pam.d/password-auth).

Rule 'Enable Smart Card Login' executes authconfig, thus invalidating other changes.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-1.el7

How reproducible:
reliably

Steps to Reproduce:
# prepare failure of 'Set Deny For Failed Password Attempts' rule
1. sed -i '/faillock/d' /etc/pam.d/password-auth 
# prepare failure of 
2. mv /etc/pam_pkcs11/pam_pkcs11.conf /etc/pam_pkcs11/pam_pkcs11.conf.bak
3. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss  --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml|grep -A3 -i 'Set Deny For Failed Password Attempts'
4. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss  --report rep.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml|grep -A3 -i 'Set Deny For Failed Password Attempts'

Actual results:
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fail
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
--
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fixed
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fixed

==============
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  pass

Expected results:
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fail
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
--
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fixed
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fixed

==============
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  pass
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  pass

Additional info:
If Smart Card remediation works, it is sufficient to run the whole command again to remediate successfully.

Comment 4 Jan Lieskovsky 2016-08-10 13:54:38 UTC
Proposed upstream patch:
  https://github.com/OpenSCAP/scap-security-guide/pull/1388

Comment 6 Marek Haicman 2016-08-12 12:34:55 UTC
Verified that "Enable Smart Card Login" remediation no longer breaks other fixes in version scap-security-guide-0.1.30-3.el7.noarch.

[0 root@qeos-101 content]# oscap xccdf eval --profile test  --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml|grep -A3 -i 'Set Deny For Failed Password Attempts\|Enable Smart Card Login'

Title   Set Deny For Failed Password Attempts
Rule    accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    smartcard_auth
Ident   CCE-80207-4
Result  fail
--
Title   Set Deny For Failed Password Attempts
Rule    accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fixed
--
Title   Enable Smart Card Login
Rule    smartcard_auth
Ident   CCE-80207-4
Result  fixed

[0 root@qeos-101 content]# oscap xccdf eval --profile test  --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml|grep -A3 -i 'Set Deny For Failed Password Attempts\|Enable Smart Card Login'
Title   Set Deny For Failed Password Attempts
Rule    accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  pass
--
Title   Enable Smart Card Login
Rule    smartcard_auth
Ident   CCE-80207-4
Result  pass

Comment 7 Marek Haicman 2016-08-12 12:47:53 UTC
Hello iankko,
I have noticed that the remediation script creates duplicates in the /etc/pam.d/system-auth file in some cases. Can you check if it is worth fixing?

Remediation of /etc/pam.d/system-auth with this auth section [malformation being the result of my verification attempts]:

auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        required      pam_faillock.so preauth silent deny=3
auth        sufficient    pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

results in:

auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        required      pam_faillock.so preauth silent deny=3
auth        sufficient    pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

Comment 8 Jan Lieskovsky 2016-08-12 13:07:47 UTC
(In reply to Marek Haicman from comment #7)

Hi Marek,

  thank you for checking.

> Hello iankko,
> I have noticed, that remediation script creates duplicates in the
> /etc/pam.d/system-auth file in some cases. Can you check if it is worth
> fixing?
> 
> Remediation of /etc/pam.d/system-auth with this auth section [malformation
> being result of my verification attempts]:
> 
> auth        required      pam_env.so
> auth        [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

Trying to identify what got removed from the original file -- the following line was deleted:
  auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

right?


> auth        required      pam_faillock.so preauth silent deny=3
> auth        sufficient    pam_unix.so  try_first_pass
> auth        [default=die] pam_faillock.so authfail deny=3
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        required      pam_deny.so
> 
> results in:
> 
> auth        required      pam_env.so
> auth        [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth        [success=done authinfo_unavail=ignore ignore=ignore default=die]
> pam_pkcs11.so nodebug
> auth        [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth        [success=done authinfo_unavail=ignore ignore=ignore default=die]
> pam_pkcs11.so nodebug

Adding the same row two times under certain conditions certainly isn't nice. On the other hand, SSG content shouldn't be considered an /etc/pam.d/system-auth file syntax checker. If /etc/pam.d/system-auth is initially configured in a wrong way, SSG can't be relied upon to fix the configuration.

> auth        required      pam_faillock.so preauth silent deny=3
> auth        sufficient    pam_unix.so  try_first_pass
> auth        [default=die] pam_faillock.so authfail deny=3
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        required      pam_deny.so

As for whether this is worth fixing, I need to investigate further.
Will let you know.

Comment 9 Marek Haicman 2016-08-18 10:20:34 UTC
After some more thinking about the issue, what I specifically don't like is that we append line [1]

auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

after line [2]

auth        [success=1 default=ignore] pam_succeed_if.so service notin  login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

even in case line [2] is already there. And there is a problem with that approach, as line [2] feels pretty generic and could actually be present in some deliberate configuration to skip some line [3] for these services. By appending another [1], we effectively break the logic, as [3] won't be skipped anymore.


So my suggestion is to just add
[2]
[1]
right after the pam_env.so line, and leave it that way.

@Dalibor, hi, can you check if the logic makes sense?

Comment 11 Watson Yuuma Sato 2017-04-28 12:19:53 UTC
Patch improving remediation addressing concerns raised: https://github.com/OpenSCAP/scap-security-guide/pull/1967

Comment 13 Marek Haicman 2017-06-14 13:22:35 UTC
Verifying fix on version scap-security-guide-0.1.33-4.el7.noarch

NEW:
Contents of /etc/pam.d/system-auth-ac after remediation of the mangled file:
<snip>
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=1800
<snip>

OLD:
Contents of /etc/pam.d/system-auth-ac after remediation of the mangled file:
<snip>
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=1800
<snip>
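The following is an added example, not scap-security-guide's remediation code, that works through the auth-stack logic discussed in comments 7, 9 and 13: the `[2]`/`[1]` lines are quoted from comment 9, but the sample stack around them (an admin using `[2]` to skip `pam_faildelay.so` for services outside the list) is constructed for illustration. It shows why appending `[1]` after an existing `[2]` changes which module the `success=1` jump lands on, implements comment 9's proposal (insert `[2]`,`[1]` directly after `pam_env.so`, idempotently), and detects the doubled pair seen in comment 7 and in the OLD output above. The simulator models only the `pam_succeed_if` jump, not real authentication outcomes.

```python
"""Added example (not scap-security-guide code): PAM auth-stack editing and the
pam_succeed_if 'success=N' jump discussed in comments 7, 9 and 13 of bug 1357019.
Sample stacks below are constructed for illustration."""
import re

# [2] and [1] exactly as quoted in comment 9.
LINE2 = ("auth        [success=1 default=ignore] pam_succeed_if.so service notin "
         "login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid")
LINE1 = ("auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] "
         "pam_pkcs11.so nodebug")

# type, control (simple word or bracketed list), module, optional args
_PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def normalize(line):
    """Collapse runs of whitespace so lines compare on content, not column alignment."""
    return " ".join(line.split())


def parse_pam_line(line):
    """Split one pam.d line into (type, control, module, args); None for blanks/comments.
    The bracketed control form '[success=1 default=ignore]' contains spaces, so a
    plain split() would mis-parse it."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = _PAM_LINE.match(s)
    return (m.group(1), m.group(2), m.group(3), m.group(4).strip()) if m else None


def insert_smartcard_pair(lines):
    """Comment 9's proposal: place [2] then [1] directly after the 'auth ... pam_env.so'
    line and nowhere else. Idempotent: if the pair already follows pam_env.so, the
    stack is returned unchanged. Any other copy of [2] placed deliberately is not touched."""
    out = list(lines)
    for i, line in enumerate(out):
        parsed = parse_pam_line(line)
        if parsed and parsed[0] == "auth" and parsed[2] == "pam_env.so":
            if [normalize(x) for x in out[i + 1:i + 3]] == [normalize(LINE2), normalize(LINE1)]:
                return out
            out[i + 1:i + 1] = [LINE2, LINE1]
            return out
    raise ValueError("no 'auth ... pam_env.so' line; refusing to guess an insertion point")


def find_duplicate_pairs(lines):
    """Indices i where the two lines at i,i+1 are immediately repeated at i+2,i+3:
    the [2],[1],[2],[1] symptom shown in comment 7 and in comment 13's OLD output."""
    norm = [normalize(x) for x in lines]
    return [i for i in range(len(norm) - 3) if norm[i:i + 2] == norm[i + 2:i + 4]]


def reached_modules(lines, service):
    """Model only the 'success=N' jump of pam_succeed_if 'service notin LIST' lines and
    return the modules `service` reaches in the auth stack, in order. Every other
    module is treated as falling through to the next line (control flow, not auth results)."""
    stack = [p for p in map(parse_pam_line, lines) if p and p[0] == "auth"]
    reached, i = [], 0
    while i < len(stack):
        _, control, module, args = stack[i]
        reached.append(module)
        skip = 0
        m = re.match(r"service\s+notin\s+(\S+)", args)
        if module == "pam_succeed_if.so" and m and service not in m.group(1).split(":"):
            n = re.search(r"success=(\d+)", control)
            skip = int(n.group(1)) if n else 0
        i += 1 + skip
    return reached


# Constructed sample stack (not from the bug): an admin already uses a [2] line to
# skip pam_faildelay.so for services outside the console/display-manager list.
ORIGINAL = [
    "auth        required      pam_env.so",
    LINE2,
    "auth        required      pam_faildelay.so delay=2000000",
    "auth        required      pam_faillock.so preauth silent deny=3",
    "auth        sufficient    pam_unix.so  try_first_pass",
    "auth        required      pam_deny.so",
]
# The behaviour comment 9 objects to: [1] appended after the existing [2], so for
# e.g. sshd the jump now skips pam_pkcs11.so and pam_faildelay.so runs after all.
APPENDED = ORIGINAL[:2] + [LINE1] + ORIGINAL[2:]
# Comment 9's proposal applied to the same stack; the admin's skip keeps working.
FIXED = insert_smartcard_pair(ORIGINAL)

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("appended", APPENDED), ("fixed", FIXED)):
        print(f"{name:9} sshd -> {reached_modules(stack, 'sshd')}")
    print("duplicate pairs in fixed stack:", find_duplicate_pairs(FIXED))
```

Running it prints, for the `sshd` service, that `pam_faildelay.so` is skipped in the original and fixed stacks but reached in the appended one, which is the logic break comment 9 describes; `insert_smartcard_pair` can be re-run on its own output without growing the file, and `find_duplicate_pairs` flags the doubled `[2]`,`[1]` pair from comment 7 while reporting nothing for the fixed stack.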

Comment 14 errata-xmlrpc 2017-08-01 12:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064