Bug 2192832

Summary: Incorrect PAM configuration after remediation
Product: Red Hat Enterprise Linux 9
Component: scap-security-guide
Version: 9.1
Status: NEW
Severity: unspecified
Priority: unspecified
Type: Bug
Reporter: Marko Myllynen <myllynen>
Assignee: Watson Yuuma Sato <wsato>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ekolesni, ggasparb, jcerny, juschind, matyc, mhaicman, mlysonek, mmarhefk, openscap-maint, vpolasek
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update

Description Marko Myllynen 2023-05-03 08:48:22 UTC
Description of problem:
When applying CIS Level 2 - Server security profile during RHEL 9.1 installation the password encryption algorithm is configured twice and it's unclear which one would be used:

password sufficient pam_unix.so yescrypt shadow use_authtok sha512

This should obviously read (when sha512 is wanted):

password sufficient pam_unix.so sha512 shadow use_authtok

Version-Release number of selected component (if applicable):
RHEL 9.1

Comment 1 Marko Myllynen 2023-05-04 07:16:46 UTC
Sorry, I got confused with my test systems. The issue is real but comes up only after oscap remediation.

RHEL 9.1 default installation:

password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow

RHEL 9.1 CIS Level 2 Server installation:

password    sufficient    pam_unix.so yescrypt shadow nullok use_authtok

After remediating with oscap(8) using the "cis" profile, the results are shown below.

RHEL 9.1 default installation + oscap/cis remediation:

password    sufficient    pam_unix.so sha512 shadow nullok use_authtok

RHEL 9.1 CIS Level 2 Server installation + oscap/cis remediation:

password    sufficient    pam_unix.so yescrypt shadow nullok use_authtok sha512

For both authselect reports the same:

# authselect current -r ; authselect check ;
custom/hardening with-faillock
Current configuration is valid.

And for the latter, both sha512 and yescrypt are present in the authselect template unconditionally.

Thanks.
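A small checker for the condition described in the report above (the description and Comment 1): it parses pam_unix password-stack lines and flags any that carry more than one hash-algorithm option, and it maps a /etc/shadow entry to the algorithm that actually produced its hash. This is an added example, not code from scap-security-guide, authselect or the reporter. It assumes the option names documented in pam_unix(8) and the crypt(5) hash prefixes; it deliberately does not model which option pam_unix picks when two are present, because the dependable check is the prefix of the hash written to /etc/shadow after a password change. The sample lines are the four quoted in the report; the shadow entries are constructed placeholders.

```python
"""Audit pam_unix password lines for conflicting hash-algorithm options.

Added example for this bug report; not part of scap-security-guide or authselect.
Assumptions (not from the report): option names as documented in pam_unix(8),
hash prefixes as documented in crypt(5).
"""

# Hash-method options accepted on a pam_unix "password" line (pam_unix(8)).
PAM_UNIX_HASH_OPTS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
                      "gost_yescrypt", "yescrypt"}

# crypt(5) identifiers at the start of the second /etc/shadow field.
# Longer prefixes first so "$gy$" is not mistaken for "$y$".
SHADOW_PREFIXES = [
    ("$gy$", "gost_yescrypt"),
    ("$y$", "yescrypt"),
    ("$7$", "scrypt"),
    ("$6$", "sha512"),
    ("$5$", "sha256"),
    ("$2b$", "blowfish"),
    ("$1$", "md5"),
]

# Constructed sample: the four pam_unix lines quoted in this report.
SAMPLE_CONFIGS = {
    "default":           "password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow\n",
    "cis-install":       "password    sufficient    pam_unix.so yescrypt shadow nullok use_authtok\n",
    "default+oscap":     "password    sufficient    pam_unix.so sha512 shadow nullok use_authtok\n",
    "cis-install+oscap": "password    sufficient    pam_unix.so yescrypt shadow nullok use_authtok sha512\n",
}


def _is_pam_unix(field):
    return field == "pam_unix.so" or field.endswith("/pam_unix.so")


def pam_unix_hash_opts(line):
    """Return the hash-algorithm options on a 'password ... pam_unix.so' line, in order.

    Returns None when the line is not a pam_unix password line (comment, blank,
    other module type). Handles the optional "-password" form and bracketed
    control fields such as "[success=1 default=ignore]".
    """
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0].lstrip("-") != "password":
        return None
    mod_idx = next((i for i, f in enumerate(fields) if _is_pam_unix(f)), None)
    if mod_idx is None:
        return None
    return [f for f in fields[mod_idx + 1:] if f in PAM_UNIX_HASH_OPTS]


def audit_pam_config(text):
    """Return (line_no, status, opts) for every pam_unix password line in text.

    status: "ok"       exactly one algorithm option
            "none"     no algorithm option, so the module default applies
            "conflict" two or more algorithm options on the same line
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        opts = pam_unix_hash_opts(raw)
        if opts is None:
            continue
        status = "ok" if len(opts) == 1 else ("none" if not opts else "conflict")
        findings.append((n, status, opts))
    return findings


def shadow_algorithm(shadow_line):
    """Name the algorithm behind one /etc/shadow line's hash, or None (locked/unknown)."""
    fields = shadow_line.split(":")
    if len(fields) < 2:
        return None
    for prefix, name in SHADOW_PREFIXES:
        if fields[1].startswith(prefix):
            return name
    return None


if __name__ == "__main__":
    for scenario, cfg in SAMPLE_CONFIGS.items():
        for n, status, opts in audit_pam_config(cfg):
            print(f"{scenario:18} line {n}: {status:8} {' '.join(opts)}")
    # Constructed shadow entry with placeholder salt/hash, not a real credential.
    print(shadow_algorithm("testuser:$y$j9T$EXAMPLESALT$EXAMPLEHASHVALUE:19500:0:99999:7:::"))
```

To use it on a real system, feed it the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth (the files authselect generates on RHEL), and after remediation confirm the effective algorithm by setting a throwaway user's password and checking the prefix of that user's /etc/shadow entry rather than reasoning from the option order.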

Comment 5 RHEL Program Management 2023-08-17 14:26:27 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.