Bug 2207527

Summary: variable faillock directory does not seem to affect any rules
Product: Red Hat Enterprise Linux 9
Component: scap-workbench
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Reporter: Julia Schindler <juschind>
Assignee: Matěj Týč <matyc>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: mhaicman, mmarhefk, myllynen, wsato
Keywords: MigratedToJIRA, Triaged
Type: Bug

Description Julia Schindler 2023-05-16 07:55:54 UTC
Description of problem:

The rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock sets up the audit rule "-w /var/log/faillock -p wa -k logins". The variable xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir has the description "The directory where the user files with the failure records are kept", and defaults to /var/log/faillock. Changing the variable value to "/var/run/faillock" does not change the outcome of the aforementioned rule.

In scap-workbench, even when selecting all rules in a customization window based on CIS RHEL9 Benchmark for Level2 - Server, the "Affects Rules" section of the variable xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir shows "This value doesn't seem to be affecting any rules!".

How reproducible: always

Steps to Reproduce:

1. Open RHEL9 profile in SCAP Workbench
2. Select Customize CIS RHEL9 Benchmark Level2 - Server
3. Adjust value of xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir
4.a Inspect "Affects rules" in xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir
4.b Run `oscap xccdf eval --remediate` with the customized profile based on the CIS L2 server profile and inspect the audit rules

Actual results:
Adjusting the value of xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir does not have an effect.
After the remediation with oscap a `grep -r faillock /etc/audit` shows the rule "-w /var/log/faillock -p wa -k logins", but not "-w /var/run/faillock -p wa -k logins".

Expected results:
Adjusting the value of xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir does have an effect.
After the remediation with oscap a `grep -r faillock /etc/audit` shows the rule "-w /var/run/faillock -p wa -k logins".

Comment 1 Matěj Týč 2023-06-01 09:50:53 UTC
This BZ doesn't have a customer case, is that on purpose?

The XCCDF value var_accounts_passwords_pam_faillock_dir is indeed not used in that rule; it is used in the accounts_passwords_pam_faillock_dir rule.
As a result, the behavior is not a bug in Workbench, but a bug/feature request of the content.

The "Affects Rules" window is indicative only, and its contents are indeed misleading - that would be a bug in Workbench.
We will decide what to do with the Workbench side of this bug depending on whether there is a customer involved in the issue, as it is a relatively mild severity problem.

Comment 2 Marko Myllynen 2023-06-02 06:44:11 UTC
We were able to work around this at the customer and also concluded this is a low-prio issue not worth a customer case, but still worth bringing to your attention.

Let us know if you'd like us to create a separate low-prio workbench BZ.

Thanks.

Comment 3 Matěj Týč 2023-06-12 13:38:57 UTC
Great, could you please summarize what the problem was in the context of my earlier answer? IOW, is the main problem left the misleading message of the Workbench regarding "Affects Rules"?

Comment 4 Julia Schindler 2023-06-12 16:42:48 UTC
Regarding your earlier answer, while I indeed was misled by the message of the Workbench regarding the "Affects Rules" (thinking that it should affect the rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock), my main problem was that it seems not to be possible to adjust the faillock directory in the audit rule "-w /var/log/faillock -p wa -k logins" set up by content_rule_audit_rules_login_events_faillock.
In man pam_faillock(8) and /etc/security/faillock.conf, the default directory where the user files with the failure records are kept is specified to be /var/run/faillock. This is also the directory mentioned in the CIS RHEL 9 Benchmark document (point 4.1.3.12). It would be helpful if the audit rule for monitoring the faillock directory could be adjusted accordingly. Moreover, if someone for example sets content_value_var_accounts_passwords_pam_faillock_dir to /var/log/my_faillock, it would also be helpful if the audit rule were adjustable to reflect the configured directory for pam_faillock. Otherwise, the wrong directory is potentially monitored.
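The mismatch described in the report and in comment 4 can be checked on a host directly. The script below is an added example; it is not code from the bug report, from scap-workbench, or from the SSG content. It resolves the tally directory pam_faillock actually uses from faillock.conf (falling back to the /var/run/faillock default documented in pam_faillock(8)), lists the `-w` watches under the audit rules directory that carry the `logins` key, and reports whether any of them covers that directory. It also prints the watch rule a remediation honouring var_accounts_passwords_pam_faillock_dir would need to install. The function names, the default paths /etc/security/faillock.conf and /etc/audit/rules.d, and the sample files used in the usage note are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the SSG/scap-workbench projects.
# Checks that auditd watches the directory pam_faillock actually writes its tally files to.
# Function names are illustrative assumptions.

# Resolve the pam_faillock tally directory from a faillock.conf file.
# pam_faillock(8) documents /var/run/faillock as the default when "dir =" is not set.
faillock_dir() {
    conf="$1"
    dir=""
    if [ -r "$conf" ]; then
        # The last uncommented "dir = <path>" wins; a trailing "# comment" is dropped.
        dir=$(sed -n 's/^[[:space:]]*dir[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    [ -n "$dir" ] || dir=/var/run/faillock
    printf '%s\n' "$dir"
}

# The watch rule the audit_rules_login_events_faillock remediation would have to
# install if it honoured the configured directory instead of hard-coding /var/log/faillock.
faillock_audit_rule() {
    printf '%s\n' "-w $(faillock_dir "$1") -p wa -k logins"
}

# Paths watched (-w) by rules under a rules directory that carry the "logins" key.
audit_watch_paths() {
    grep -rh -- '-w ' "$1" 2>/dev/null | grep -- '-k logins' \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "-w") print $(i + 1) }'
}

# Exit 0 when some rule watches the resolved faillock directory, 1 otherwise.
check_faillock_watch() {
    audit_watch_paths "$2" | grep -Fqx -- "$(faillock_dir "$1")"
}

# Human-readable report. It never fails the script, so it is safe to run on any host.
report() {
    conf="$1"
    rules="$2"
    want=$(faillock_dir "$conf")
    if check_faillock_watch "$conf" "$rules"; then
        echo "OK: a rule under $rules watches $want"
    else
        echo "MISMATCH: pam_faillock uses $want but no rule under $rules watches it"
        echo "expected rule: $(faillock_audit_rule "$conf")"
        printf 'watches found: '
        audit_watch_paths "$rules" | tr '\n' ' '
        echo
    fi
}

# Usage: sh check_faillock_watch.sh [faillock.conf] [audit rules directory]
report "${1:-/etc/security/faillock.conf}" "${2:-/etc/audit/rules.d}"
```

With a stock faillock.conf (no `dir =` line) and the rule the bug reports, `-w /var/log/faillock -p wa -k logins`, the report prints MISMATCH and shows `-w /var/run/faillock -p wa -k logins` as the expected rule; once a rule for the resolved directory is added under the rules directory, the same check prints OK. The same resolution step works for a custom setting such as `dir = /var/log/my_faillock`, which is the case comment 4 raises.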