Bug 1357019 - remediation script for 'Enable Smart Card Login' invalidates other remediations
Summary: remediation script for 'Enable Smart Card Login' invalidates other remediations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-15 13:38 UTC by Marek Haicman
Modified: 2017-08-01 12:23 UTC (History)
CC List: 5 users

Fixed In Version: scap-security-guide-0.1.33-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:23:38 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2017:2064 (private: no, priority: normal, status: SHIPPED_LIVE): scap-security-guide bug fix and enhancement update, last updated 2017-08-01 16:05:50 UTC

Description Marek Haicman 2016-07-15 13:38:08 UTC
Description of problem:
Some of the rules, for example 'Set Deny For Failed Password Attempts', need to alter configs that may be recreated by authconfig (again as an example, /etc/pam.d/password-auth).

Rule 'Enable Smart Card Login' executes authconfig, thus invalidating other changes.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.30-1.el7

How reproducible:
reliably

Steps to Reproduce:
# prepare failure of 'Set Deny For Failed Password Attempts' rule
1. sed -i '/faillock/d' /etc/pam.d/password-auth 
# prepare failure of 
2. mv /etc/pam_pkcs11/pam_pkcs11.conf /etc/pam_pkcs11/pam_pkcs11.conf.bak
3. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss  --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml|grep -A3 -i 'Set Deny For Failed Password Attempts'
4. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss  --report rep.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml|grep -A3 -i 'Set Deny For Failed Password Attempts'

Actual results:
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fail
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
--
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fixed
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fixed

==============
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  pass

Expected results:
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fail
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
--
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fixed
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  fixed

==============
WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
Title   Set Deny For Failed Password Attempts
Rule    xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  pass
--
Title   Enable Smart Card Login
Rule    xccdf_org.ssgproject.content_rule_smartcard_auth
Ident   CCE-80207-4
Result  pass

Additional info:
If the Smart Card remediation works, it is sufficient to run the whole command again to remediate successfully.

Comment 4 Jan Lieskovsky 2016-08-10 13:54:38 UTC
Proposed upstream patch:
  https://github.com/OpenSCAP/scap-security-guide/pull/1388

Comment 6 Marek Haicman 2016-08-12 12:34:55 UTC
Verified that "Enable Smart Card Login" remediation no longer breaks other fixes in version scap-security-guide-0.1.30-3.el7.noarch.

[0 root@qeos-101 content]# oscap xccdf eval --profile test  --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml|grep -A3 -i 'Set Deny For Failed Password Attempts\|Enable Smart Card Login'

Title   Set Deny For Failed Password Attempts
Rule    accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fail
--
Title   Enable Smart Card Login
Rule    smartcard_auth
Ident   CCE-80207-4
Result  fail
--
Title   Set Deny For Failed Password Attempts
Rule    accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  fixed
--
Title   Enable Smart Card Login
Rule    smartcard_auth
Ident   CCE-80207-4
Result  fixed

[0 root@qeos-101 content]# oscap xccdf eval --profile test  --report rep.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml|grep -A3 -i 'Set Deny For Failed Password Attempts\|Enable Smart Card Login'
Title   Set Deny For Failed Password Attempts
Rule    accounts_passwords_pam_faillock_deny
Ident   CCE-27350-8
Result  pass
--
Title   Enable Smart Card Login
Rule    smartcard_auth
Ident   CCE-80207-4
Result  pass

Comment 7 Marek Haicman 2016-08-12 12:47:53 UTC
Hello iankko,
I have noticed that the remediation script creates duplicates in the /etc/pam.d/system-auth file in some cases. Can you check if it is worth fixing?

Remediation of /etc/pam.d/system-auth with this auth section [malformation being result of my verification attempts]:

auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        required      pam_faillock.so preauth silent deny=3
auth        sufficient    pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

results in:

auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        required      pam_faillock.so preauth silent deny=3
auth        sufficient    pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

Comment 8 Jan Lieskovsky 2016-08-12 13:07:47 UTC
(In reply to Marek Haicman from comment #7)

Hi Marek,

  thank you for checking.

> Hello iankko,
> I have noticed, that remediation script creates duplicates in the
> /etc/pam.d/system-auth file in some cases. Can you check if it is worth
> fixing?
> 
> Remediation of /etc/pam.d/system-auth with this auth section [malformation
> being result of my verification attempts]:
> 
> auth        required      pam_env.so
> auth        [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

Trying to identify, what got removed from the original file -- the following line was deleted:
  auth        [success=done authinfo_unavail=ignore ignore=ignore default=die]
  pam_pkcs11.so nodebug

right?


> auth        required      pam_faillock.so preauth silent deny=3
> auth        sufficient    pam_unix.so  try_first_pass
> auth        [default=die] pam_faillock.so authfail deny=3
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        required      pam_deny.so
> 
> results in:
> 
> auth        required      pam_env.so
> auth        [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth        [success=done authinfo_unavail=ignore ignore=ignore default=die]
> pam_pkcs11.so nodebug
> auth        [success=1 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth        [success=done authinfo_unavail=ignore ignore=ignore default=die]
> pam_pkcs11.so nodebug

Adding the same row two times under certain conditions certainly isn't nice. On the other hand, SSG content shouldn't be considered a /etc/pam.d/system-auth syntax checker. If /etc/pam.d/system-auth is initially configured in a wrong way, SSG can't be relied upon to fix the configuration.

> auth        required      pam_faillock.so preauth silent deny=3
> auth        sufficient    pam_unix.so  try_first_pass
> auth        [default=die] pam_faillock.so authfail deny=3
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        required      pam_deny.so

As for the answer to whether this is worth fixing, I need to investigate further.
Will let you know.

Comment 9 Marek Haicman 2016-08-18 10:20:34 UTC
After some more thinking about the issue, what I don't like specifically is that we do append line [1]

auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug

after line [2]

auth        [success=1 default=ignore] pam_succeed_if.so service notin  login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid

even in the case where line [2] is already there. And there is a problem with that approach, as line [2] feels pretty generic and could actually be present in some deliberate configuration to skip some line [3] for these services. By appending another [1], we effectively break the logic, as [3] won't be skipped anymore.


So my suggestion is to just add 
[2]
[1]
right after the pam_env.so line, and leave it that way.

@Dalibor, hi, can you check if the logic makes sense?
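The following is an added example, not SSG's own remediation script and not the patch referenced later in this bug. It implements the approach proposed in comment 9 (insert the pam_succeed_if.so skip line [2] and the pam_pkcs11.so line [1] directly after the pam_env.so line, and only once), and adds the check the reporter's description calls for: that the pam_faillock.so preauth/authfail lines from the 'Set Deny For Failed Password Attempts' remediation are still stacked around pam_unix.so afterwards. The module lines are those quoted in comment 7; the sample PAM file is constructed here, and the function names are this example's own.

```bash
#!/bin/bash
# Added example: idempotent smart card stacking for a PAM auth section,
# plus a post-remediation check that the faillock lines survived.
# Not SSG code; the module lines below are copied from comment 7.

PKCS11_SKIP='auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid'
PKCS11_AUTH='auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug'

# Write a constructed sample, modelled on the auth section from comment 7
# (no pam_pkcs11.so yet; faillock already remediated).
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3
auth        sufficient    pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Insert [2] and [1] directly after the first "auth ... pam_env.so" line,
# but only if pam_pkcs11.so is not already stacked, so that re-running the
# remediation never duplicates the pair (the problem shown in comment 7).
# Returns 0 if the file was modified, 1 if it was already configured.
add_smartcard_auth() {
    local pamfile="$1"
    if grep -q '^auth[[:space:]].*pam_pkcs11\.so' "$pamfile"; then
        return 1
    fi
    local tmp
    tmp=$(mktemp)
    awk -v skip="$PKCS11_SKIP" -v pk="$PKCS11_AUTH" '
        { print }
        !done && $1 == "auth" && $0 ~ /pam_env\.so/ { print skip; print pk; done = 1 }
    ' "$pamfile" > "$tmp"
    cat "$tmp" > "$pamfile"   # write in place to keep owner/mode of the original
    rm -f "$tmp"
    return 0
}

# How many auth lines stack the given module (0 if none).
count_auth_module() {
    grep -c "^auth[[:space:]].*$2" "$1" || true
}

# The faillock remediation is intact only if "preauth" comes before
# pam_unix.so and "authfail" comes after it in the auth stack.
check_faillock_order() {
    local pamfile="$1"
    local pre unix fail
    pre=$(grep -n '^auth[[:space:]].*pam_faillock\.so preauth' "$pamfile" | head -1 | cut -d: -f1)
    unix=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$pamfile" | head -1 | cut -d: -f1)
    fail=$(grep -n '^auth[[:space:]].*pam_faillock\.so authfail' "$pamfile" | head -1 | cut -d: -f1)
    [ -n "$pre" ] && [ -n "$unix" ] && [ -n "$fail" ] \
        && [ "$pre" -lt "$unix" ] && [ "$unix" -lt "$fail" ]
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo_file=$(mktemp)
write_sample_pam "$demo_file"
add_smartcard_auth "$demo_file" && echo "first run: smart card lines inserted"
add_smartcard_auth "$demo_file" || echo "second run: already present, file untouched"
echo "pam_pkcs11.so is stacked $(count_auth_module "$demo_file" pam_pkcs11.so) time(s)"
check_faillock_order "$demo_file" && echo "faillock preauth/authfail ordering intact"
rm -f "$demo_file"
```

Running the block twice against the same file is the point: the second call returns 1 and changes nothing, and the faillock check still passes, which is exactly what the original authconfig-based remediation did not guarantee.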

Comment 11 Watson Yuuma Sato 2017-04-28 12:19:53 UTC
Patch improving remediation addressing concerns raised: https://github.com/OpenSCAP/scap-security-guide/pull/1967

Comment 13 Marek Haicman 2017-06-14 13:22:35 UTC
Verifying fix on version scap-security-guide-0.1.33-4.el7.noarch

NEW:
contents of the /etc/pam.d/system-auth-ac after remediation of mangled file
<snip>
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=1800
<snip>

OLD:
contents of the /etc/pam.d/system-auth-ac after remediation of mangled file
<snip>
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=1800
<snip>

Comment 14 errata-xmlrpc 2017-08-01 12:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

