Bug 1661709

Summary: typo in remediation script for id="xccdf_org.ssgproject.content_rule_display_login_attempts"
Product: Red Hat Enterprise Linux 7
Reporter: Thorsten Scherf <tscherf>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Jan Černý <jcerny>
Severity: medium
Priority: medium
Version: 7.6
CC: jcerny, jomurphy, mhaicman, openscap-maint
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.43-1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-06 13:04:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Thorsten Scherf 2018-12-22 13:12:27 UTC
Description of problem:
The rule ' <Rule id="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="false" severity="low">' contains a faulty remediation script:

"""   
<fix id="display_login_attempts" system="urn:xccdf:fix:script:sh">       sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi

echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" &gt;&gt; /etc/pam.d/postlogin
echo "session     optional      pam_lastlog.so silent noupdate showfailed" &gt;&gt; /etc/pam.d/postlogin
</fix>
"""

It should read like this instead:

<fix id="display_login_attempts" system="urn:xccdf:fix:script:sh">
# Only act when no active (uncommented) pam_lastlog line carrying showfailed
# exists yet, so re-running the remediation does not duplicate the lines.
if ! grep -q '^[^#].*pam_lastlog.*showfailed' /etc/pam.d/postlogin ; then
  if ! grep -q '^session.*pam_succeed_if.so' /etc/pam.d/postlogin ; then
    echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" &gt;&gt; /etc/pam.d/postlogin
    echo "session     optional      pam_lastlog.so silent noupdate showfailed" &gt;&gt; /etc/pam.d/postlogin
  else
    # Each 'a' appends directly after the pam_succeed_if line, so the second
    # sed lands above the first and the final order is [default=1], then optional.
    sed -i '/^session.*pam_succeed_if.so/a session\t    optional\t  pam_lastlog.so silent noupdate showfailed' /etc/pam.d/postlogin
    sed -i '/^session.*pam_succeed_if.so/a session\t    [default=1]\t  pam_lastlog.so nowtmp showfailed' /etc/pam.d/postlogin
  fi
fi
</fix>


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-12.el7.noarch
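
The remediation above, reworked as an added, stand-alone example (not code from the bug report or from the scap-security-guide project): the compliance check and the fix live in two functions that take the PAM file as a parameter, so the logic can be exercised against a scratch copy before it touches /etc/pam.d/postlogin. It assumes the RHEL 7 postlogin layout, in which a "session [success=1 default=ignore] pam_succeed_if.so ..." line precedes the lines to be added. The pam_succeed_if jump is what makes the placement matter: for services it matches, the jump skips the [default=1] line and only the silent line runs; for the others (gdm, su) the [default=1] line prints the record and then skips the silent line.

```shell
#!/bin/sh
# Added example, not the SSG project's or the reporter's code. Idempotent
# remediation for display_login_attempts on a caller-supplied PAM file.
# Assumption: the file follows the RHEL 7 /etc/pam.d/postlogin layout.

# Check: is there an active (uncommented) pam_lastlog line with showfailed?
# Returns 0 when compliant; this doubles as the guard for remediation.
has_showfailed() {
    grep -q '^[^#]*pam_lastlog\.so.*showfailed' "$1"
}

# Remediate: add the two pam_lastlog session lines exactly once. When a
# pam_succeed_if session line exists, insert right after it so the jump
# target stays correct; otherwise append at the end of the file.
remediate_display_login_attempts() {
    pamfile="$1"
    line1='session     [default=1]   pam_lastlog.so nowtmp showfailed'
    line2='session     optional      pam_lastlog.so silent noupdate showfailed'

    if has_showfailed "$pamfile"; then
        return 0    # already compliant: nothing to add, nothing to duplicate
    fi

    if grep -q '^session[[:space:]].*pam_succeed_if\.so' "$pamfile"; then
        tmp=$(mktemp) || return 1
        # POSIX 'a\' form. Writing back with cat keeps the inode, mode and
        # SELinux label of the original file instead of replacing the file.
        sed "/^session[[:space:]].*pam_succeed_if\\.so/a\\
$line1\\
$line2" "$pamfile" > "$tmp" && cat "$tmp" > "$pamfile"
        rm -f "$tmp"
    else
        printf '%s\n' "$line1" "$line2" >> "$pamfile"
    fi
}
```

Run has_showfailed first to audit, then remediate_display_login_attempts; a second run is a no-op, which is the property the posted scripts lose when their guard never matches.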

Comment 2 Watson Yuuma Sato 2019-01-02 13:58:28 UTC
Hello, 

The mentioned fix script was updated to be simpler in https://github.com/ComplianceAsCode/content/pull/2745.

The issue, though, is that the new fix script was being corrupted by an infrastructure bug, fixed in commit: https://github.com/ComplianceAsCode/content/pull/3217/commits/98930e7ae9a4c45089918016bbc9340f6cd6683b

Comment 4 Jan Černý 2019-03-07 08:52:39 UTC
Granting devel ack because it's fixed by rebase to 0.1.43.

Comment 9 errata-xmlrpc 2019-08-06 13:04:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198