Bug 1956972

Summary: [RHEL8/SCAP/RFE] Align SCAP pam_faillock with recommendation of pam_faillock manpage to use faillock.conf
Product: Red Hat Enterprise Linux 8
Reporter: Rajesh Dulhani <rdulhani>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: NEW
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 8.3
CC: ekolesni, ggasparb, mhaicman, wsato
Target Milestone: beta
Target Release: ---
Keywords: FutureFeature, Triaged
Hardware: x86_64
OS: Linux
Type: Bug

Description Rajesh Dulhani 2021-05-04 19:09:43 UTC
Description of problem:

The SCAP check for faillock checks for 'silent' and 'deny' in the pam file
/etc/pam.d/system-auth	[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]

This is against the recommendation in the man page of pam_faillock:
       Configuring options on the module command line is not recommend. The /etc/security/faillock.conf should be used instead.

Version-Release number of selected component (if applicable):

Header of the HTML output of the scap report:
Evaluation target	li-lc-2624
Benchmark URL	/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.50
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Started at	2021-04-12T16:57:29+00:00
Finished at	2021-04-12T16:57:30+00:00
Performed by	vrempet-admin@hiltiq.com
Test system	cpe:/a:redhat:openscap:1.3.3

Additional info ( Customer Comments )

If there is a good reason to divert from the recommendation of the pam_faillock developers to use faillock.conf, then this has to be written in the SCAP rationale.

Comment 1 Jan Černý 2021-05-05 11:12:55 UTC
It looks like a valid issue to me because the RHEL 8.2 release notes https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/rhel-8-2-0-release#enhancement_security say that pam_faillock can now read settings from the faillock.conf configuration file, so I guess that the SCAP rules should check this file as well. Switching to the correct component to investigate further.
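As an added illustration of the gap discussed in this report (example code written here, not part of scap-security-guide or its OVAL checks): a check that reads the pam_faillock settings both from the module command line in the PAM file and from /etc/security/faillock.conf, so a system configured either way is evaluated. The sample PAM stacks and faillock.conf content are constructed, and the precedence rule (command-line options override the file) is an assumption of this example.

```python
import re
# Constructed sample inputs, not taken from a real system.
PAM_CMDLINE = """auth  required   pam_faillock.so preauth deny=3 silent audit
auth  sufficient pam_unix.so try_first_pass
"""
PAM_CONF_STYLE = """auth  required   pam_faillock.so preauth
auth  sufficient pam_unix.so try_first_pass
"""
FAILLOCK_CONF = """# constructed sample /etc/security/faillock.conf
silent
deny = 3
unlock_time = 900
"""
# Capture the options after 'preauth'; their order does not matter, unlike in the report's regex.
PREAUTH_RE = re.compile(r"^\s*auth\s+required\s+pam_faillock\.so\s+preauth(?P<opts>.*)$", re.M)
def pam_cmdline_settings(pam_text):
    """Options set on the module command line ({} if there is no preauth line)."""
    m = PREAUTH_RE.search(pam_text)
    if not m:
        return {}
    out = {}
    for opt in m.group("opts").split():
        if opt == "silent":
            out["silent"] = True
        elif opt.startswith("deny="):
            out["deny"] = int(opt[len("deny="):])
    return out

def faillock_conf_settings(conf_text):
    """Parse faillock.conf: '#' comments, bare flags (silent) and 'key = value' lines."""
    out = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "deny":
                out["deny"] = int(val)
        elif line == "silent":
            out["silent"] = True
    return out

def faillock_compliant(pam_text, conf_text, max_deny=3):
    """pam_faillock in the stack, silent set and 0 < deny <= max_deny. Assumed
    precedence: command-line options override faillock.conf values."""
    if "pam_faillock.so" not in pam_text:
        return False
    effective = {**faillock_conf_settings(conf_text), **pam_cmdline_settings(pam_text)}
    deny = effective.get("deny")
    return bool(effective.get("silent")) and deny is not None and 0 < deny <= max_deny
```

A faillock.conf that sets silent and deny is only counted when pam_faillock.so is actually present in the PAM stack, which the file alone cannot guarantee.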