1661709 – typo in remediation script for id="xccdf_org.ssgproject.content_rule_display_login_attempts"

Bug 1661709 - typo in remediation script for id="xccdf_org.ssgproject.content_rule_display_login_attempts"

Summary: typo in remediation script for id="xccdf_org.ssgproject.content_rule_display_...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Watson Yuuma Sato
QA Contact:	Jan Černý
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-22 13:12 UTC by Thorsten Scherf
Modified:	2020-01-08 12:59 UTC (History)
CC List:	4 users (show)
Fixed In Version:	scap-security-guide-0.1.43-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-06 13:04:20 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:2198	0	None	None	None	2019-08-06 13:04:32 UTC

Description Thorsten Scherf 2018-12-22 13:12:27 UTC

Description of problem:
The rule ' <Rule id="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="false" severity="low">' contains a faulty remediation script:

"""   
<fix id="display_login_attempts" system="urn:xccdf:fix:script:sh">       sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi

echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" &gt;&gt; /etc/pam.d/postlogin
echo "session     optional      pam_lastlog.so silent noupdate showfailed" &gt;&gt; /etc/pam.d/postlogin
</fix>
"""

It should read like this instead:

<fix id="display_login_attempts" system="urn:xccdf:fix:script:sh">
if ! `grep -q ^[^#].*pam_succeed_if.*showfailed /etc/pam.d/postlogin` ; then
  if ! grep `^session.*pam_succeed_if.so /etc/pam.d/postlogin` ; then
    echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" &gt;&gt; /etc/pam.d/postlogin
    echo "session     optional      pam_lastlog.so silent noupdate showfailed" &gt;&gt; /etc/pam.d/postlogin
  else
    sed -i '/^session.*pam_succeed_if.so/a session\t    optional\t  pam_lastlog.so silent noupdate showfailed' /etc/pam.d/postlogin
    sed -i '/^session.*pam_succeed_if.so/a session\t    [default=1]\t  pam_lastlog.so nowtmp showfailed' /etc/pam.d/postlogin
  fi
</fix>


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-12.el7.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Watson Yuuma Sato 2019-01-02 13:58:28 UTC

Hello, 

The the mentioned fix script was updated to be simpler in https://github.com/ComplianceAsCode/content/pull/2745.

The issue though, is that the new fix script was being corrupted by an infrastructure bug, fixed in commit: https://github.com/ComplianceAsCode/content/pull/3217/commits/98930e7ae9a4c45089918016bbc9340f6cd6683b

Comment 4 Jan Černý 2019-03-07 08:52:39 UTC

Granting devel ack because it's fixed by rebase to 0.1.43.

Comment 9 errata-xmlrpc 2019-08-06 13:04:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198

Note You need to log in before you can comment on or make changes to this bug.