Bug 2192832
| Summary: | Incorrect PAM configuration after remediation | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Marko Myllynen <myllynen> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | NEW --- | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.1 | CC: | ekolesni, ggasparb, jcerny, juschind, matyc, mhaicman, mlysonek, mmarhefk, openscap-maint, vpolasek |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Marko Myllynen
2023-05-03 08:48:22 UTC
Sorry, I got confused with my test systems. The issue is real but comes up only after oscap remediation.

RHEL 9.1 default installation:

    password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow

RHEL 9.1 CIS Level 2 Server installation:

    password sufficient pam_unix.so yescrypt shadow nullok use_authtok

After remediating with oscap(8) using the "cis" profile shown below.

RHEL 9.1 default installation + oscap/cis remediation:

    password sufficient pam_unix.so sha512 shadow nullok use_authtok

RHEL 9.1 CIS Level 2 Server installation + oscap/cis remediation:

    password sufficient pam_unix.so yescrypt shadow nullok use_authtok sha512

For both authselect reports the same:

    # authselect current -r ; authselect check ;
    custom/hardening with-faillock
    Current configuration is valid.

And for the latter both sha512/yescrypt are present in the authselect template unconditionally.

Thanks.

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
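A check for the condition reported above, added here as an example and not part of the bug report or of scap-security-guide: it parses PAM `password` lines and flags any `pam_unix.so` entry that names more than one hashing algorithm. The function names and the sample text are assumptions made for this example; the option list is the set of hashing options documented in pam_unix(8).

```python
import re

# Password-hashing options documented in pam_unix(8); a line should carry at most one.
HASH_OPTS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
             "gost_yescrypt", "yescrypt"}

# type, control (simple word or [bracketed list]), module path, arguments
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def pam_unix_hash_opts(text, mgmt_type="password"):
    """Return [(lineno, [hash options in file order])] for pam_unix.so lines."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments and surrounding whitespace before matching.
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        ptype, _control, module, args = m.groups()
        if ptype.lstrip("-") != mgmt_type:
            continue
        # Accept both a bare module name and a full path to it.
        if module.rsplit("/", 1)[-1] != "pam_unix.so":
            continue
        found.append((lineno, [a for a in args.split() if a in HASH_OPTS]))
    return found


def conflicting_lines(text):
    """Lines whose pam_unix.so entry names more than one hashing algorithm."""
    return [(n, opts) for n, opts in pam_unix_hash_opts(text)
            if len(set(opts)) > 1]


# Constructed sample: the two post-remediation lines quoted in the report,
# laid out as they would appear in a PAM service file.
SAMPLE = """\
# default installation + oscap/cis remediation
password sufficient pam_unix.so sha512 shadow nullok use_authtok
# CIS Level 2 Server installation + oscap/cis remediation
password sufficient pam_unix.so yescrypt shadow nullok use_authtok sha512
"""

if __name__ == "__main__":
    for n, opts in conflicting_lines(SAMPLE):
        print(f"line {n}: multiple hash algorithms on pam_unix.so: {' '.join(opts)}")
```

Because `authselect check` reports both configurations as valid, a content-level check like this is what distinguishes the two outcomes.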