Bug 2209073

Summary: Please explain if "accounts_passwords_pam_faillock_interval" should apply to RHEL8.2+ or not
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: ON_QA --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.7CC: ggasparb, jcerny, jjaburek, matyc, mhaicman, mlysonek, vpolasek, wsato
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8 Doc Type: Bug Fix
Doc Text:
.Faillock settings clarification in STIG profile Mapping of rule `accounts_passwords_pam_faillock_interval` has been clarified in the STIG profile. The rule now covers both RHEL-08-020012 and RHEL-08-020013.The reason for this change is that the rule `accounts_passwords_pam_faillock_interval` checks for `faillock` configuration in all of these three files: `/etc/pam.d/password-auth`, `/etc/pam.d/system-auth` and `/etc/security/faillock.conf`. The STIG ID RHEL-08-020012 checks just `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`. The STIG ID RHEL-08-020013 checks only `/etc/security/faillock.conf`. Therefore, the rule `accounts_passwords_pam_faillock_interval` covers both these STIG IDs.
 Story Points: ---
Clone Of:
: 2228465 2228466 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2228465, 2228466    

Description Renaud Métrich 2023-05-22 13:47:20 UTC 
Description of problem:

Reading the rule description, from STIG official webpage https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-12-06/finding/V-230334:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The above text seems to infer that the rule "accounts_passwords_pam_faillock_interval" should not apply to RHEL8.2 and later.

But scanning for STIG on a 8.6 or later system shows the rule executes.

Please tell us if it's a rule bug or if it's more the checks listed to confirm compliance that do not apply to RHEL8.2 or later:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so

If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.

$ sudo grep pam_faillock.so /etc/pam.d/system-auth
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

scap-security-guide

How reproducible:

Always
Comment 1 Vojtech Polasek 2023-05-25 07:45:49 UTC 
Hello Renaud,
this rule is a bit special - it actually covers also this STIG item:
https://stigaview.com/products/rhel8/v1r9/RHEL-08-020013/
It decides what to do based on presence of Authselect, so it works for all RHEL 8 systems.
I think we should include the STIGID I have posted above into the rule reference so that it does not confuse people. Would this solve the issue?
Best regards,
Vojta
Comment 2 Renaud Métrich 2023-05-25 08:55:02 UTC 
Hello,

thanks for the information, you may indeed add the stigid, I think it's more the STIG text in the rule that is confusing.
Comment 4 Vojtech Polasek 2023-07-18 08:03:21 UTC 
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/10846