Bug 2153547

Summary: SCAP rule accounts_password_pam_unix_remember fails to remediate on RHEL 8.8
Product: Red Hat Enterprise Linux 8
Component: scap-security-guide
Version: ---
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Regression, Triaged
Flags: pm-rhel: mirror+
Fixed In Version: scap-security-guide-0.1.66-1.el8
Doc Type: No Doc Update
Type: Bug
Last Closed: 2023-05-16 08:39:27 UTC
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Assignee: Marcus Burghardt <maburgha>
QA Contact: Jiri Jaburek <jjaburek>
CC: ggasparb, jjaburek, jpazdziora, maburgha, matyc, mhaicman, mlysonek, vpolasek, wsato

Description Jan Pazdziora (Red Hat) 2022-12-14 18:17:21 UTC
Description of problem:

On the latest RHEL 8.8 compose (RHEL-8.8.0-20221214.2), the rule accounts_password_pam_unix_remember no longer remediates, in the ospp profile.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.63-4.el8.noarch
authselect-1.2.6-1.el8.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
2. authselect select minimal --force
3. oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual results:

WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title
	Limit Password Reuse
Rule
	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Ident
	CCE-80666-1
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Result
	fail


--- Starting Remediation ---

Title
	Limit Password Reuse
Rule
	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Ident
	CCE-80666-1
Result
	error

Expected results:

WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title
	Limit Password Reuse
Rule
	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Ident
	CCE-80666-1
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2 file which is referenced from XCCDF content
Result
	fail


--- Starting Remediation ---

Title
	Limit Password Reuse
Rule
	xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
Ident
	CCE-80666-1
Result
	fixed

Additional info:

I see things work on RHEL 8.7 GA with the same version of scap-security-guide, and authselect-1.2.5-1.el8.x86_64.

Comment 2 Jan Pazdziora (Red Hat) 2022-12-14 18:19:28 UTC
Checking some things on the machine after the remediation was done, on RHEL 8.7 I see

# grep remember /etc/authselect/custom/hardening/system-auth
password     requisite    pam_pwhistory.so remember=5 

and on RHEL 8.8

# grep remember /etc/authselect/custom/hardening/system-auth
password    requisite                                    pam_pwhistory.so use_authtok                           {include if "with-pwhistory"} remember=5

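The two grep lines in comment 2 differ in one visible way: on RHEL 8.8 the pam_pwhistory line in the authselect custom profile carries an authselect `{include if "with-pwhistory"}` directive, and the remediated `remember=5` sits after it. The bug page does not say why the remediation returns "error", so the check below is not a root-cause analysis; it answers the question a practitioner actually cares about when verifying this rule: once authselect renders the custom profile, will /etc/pam.d/system-auth contain a `pam_pwhistory.so` line with `remember=N` at or above the required value? This is an added example, not code from the bug report, from scap-security-guide or from authselect. It assumes (my reading of authselect templates, not stated on this page) that `{include if "feature"}` makes the whole line conditional on that feature and is stripped from the rendered file, that `{exclude if "feature"}` is the inverse, and that `authselect current` lists enabled features as `- feature` lines under an `Enabled features:` heading. The sample template lines and `authselect current` output are constructed, modelled on comment 2.

```python
"""Verify that an authselect PAM template will render a pam_pwhistory line
carrying remember=N for the features a profile has enabled.

Added example; not code from the bug report, scap-security-guide or authselect.
Assumed (not stated on the bug page):
  - {include if "feature"} makes the whole template line conditional on that
    feature and is stripped from the rendered /etc/pam.d/system-auth;
    {exclude if "feature"} is the inverse;
  - `authselect current` prints "Profile ID: ...", then "Enabled features:"
    followed by one "- feature" line per enabled feature (or "None").
"""
import re
from typing import Optional, Set

DIRECTIVE_RE = re.compile(r'\{(include|exclude) if "([^"]+)"\}')
# PAM line: type, control (plain word or [bracketed ...]), module path, arguments
PAM_LINE_RE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_authselect_current(output: str) -> Set[str]:
    """Collect enabled feature names from `authselect current` output (format assumed)."""
    return {line.strip()[2:].strip()
            for line in output.splitlines() if line.strip().startswith("- ")}


def render_line(template_line: str, enabled: Set[str]) -> Optional[str]:
    """Render one template line as authselect would; None if the line is dropped."""
    for kind, feature in DIRECTIVE_RE.findall(template_line):
        if kind == "include" and feature not in enabled:
            return None
        if kind == "exclude" and feature in enabled:
            return None
    # strip the directive text and normalise the padding authselect leaves behind
    return " ".join(DIRECTIVE_RE.sub("", template_line).split())


def pwhistory_remember(rendered_line: str) -> Optional[int]:
    """Return N from 'password <control> pam_pwhistory.so ... remember=N', else None."""
    m = PAM_LINE_RE.match(rendered_line)
    if not m or m.group(1) != "password":
        return None
    if m.group(3).rsplit("/", 1)[-1] != "pam_pwhistory.so":
        return None
    for arg in m.group(4).split():
        value = re.fullmatch(r"remember=(\d+)", arg)
        if value:
            return int(value.group(1))
    return None  # module is stacked, but without a remember= argument


def effective_remember(template: str, enabled: Set[str]) -> Optional[int]:
    """remember= value on the first rendered pam_pwhistory line, or None."""
    for line in template.splitlines():
        rendered = render_line(line, enabled)
        if rendered is None or rendered.startswith("#"):
            continue
        value = pwhistory_remember(rendered)
        if value is not None:
            return value
    return None


def is_compliant(template: str, enabled: Set[str], minimum: int = 5) -> bool:
    """True when the rendered stack enforces at least `minimum` remembered passwords."""
    value = effective_remember(template, enabled)
    return value is not None and value >= minimum


# Constructed sample input, modelled on the two grep outputs in comment 2.
RHEL87_TEMPLATE = "password     requisite    pam_pwhistory.so remember=5 \n"
RHEL88_TEMPLATE = (
    "password    requisite                                    pam_pwhistory.so "
    'use_authtok                           {include if "with-pwhistory"} remember=5\n'
)
# Constructed `authselect current` output (format assumed, see module docstring).
CURRENT_WITH_PWHISTORY = "Profile ID: custom/hardening\nEnabled features:\n- with-pwhistory\n"
CURRENT_NO_FEATURES = "Profile ID: custom/hardening\nEnabled features: None\n"

if __name__ == "__main__":
    for name, template in (("RHEL 8.7", RHEL87_TEMPLATE), ("RHEL 8.8", RHEL88_TEMPLATE)):
        for current in (CURRENT_WITH_PWHISTORY, CURRENT_NO_FEATURES):
            enabled = parse_authselect_current(current)
            print(name, sorted(enabled), effective_remember(template, enabled),
                  is_compliant(template, enabled))
```

On a real host, feed `effective_remember` the contents of the profile's system-auth and password-auth templates and `parse_authselect_current` the output of `authselect current`; a template whose pam_pwhistory line only renders when `with-pwhistory` is enabled reports no remember value at all if that feature is off, which is the case the grep output alone does not make visible.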
Comment 6 Marcus Burghardt 2023-01-04 16:46:23 UTC
The fix is already merged in Upstream:
https://github.com/ComplianceAsCode/content/pull/9994

Comment 7 Marcus Burghardt 2023-01-10 09:29:02 UTC
An additional patch was necessary after the rule updates. These are the two Upstream PRs which fix this BZ:
- https://github.com/ComplianceAsCode/content/pull/9994
- https://github.com/ComplianceAsCode/content/pull/10021

Comment 20 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869