Bug 1661709 - typo in remediation script for id="xccdf_org.ssgproject.content_rule_display_login_attempts"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Watson Yuuma Sato
QA Contact: Jan Černý
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-22 13:12 UTC by Thorsten Scherf
Modified: 2020-01-08 12:59 UTC (History)

Fixed In Version: scap-security-guide-0.1.43-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:04:20 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2019:2198 (Priority: None, Status: None, Summary: None), last updated 2019-08-06 13:04:32 UTC

Description Thorsten Scherf 2018-12-22 13:12:27 UTC
Description of problem:
The rule ' <Rule id="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="false" severity="low">' contains a faulty remediation script:

"""   
<fix id="display_login_attempts" system="urn:xccdf:fix:script:sh">       sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi

echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" &gt;&gt; /etc/pam.d/postlogin
echo "session     optional      pam_lastlog.so silent noupdate showfailed" &gt;&gt; /etc/pam.d/postlogin
</fix>
"""

It should read like this instead:

<fix id="display_login_attempts" system="urn:xccdf:fix:script:sh">
# Only change the file when no active (uncommented) pam_lastlog showfailed line exists yet,
# so re-running the remediation does not duplicate entries
if ! grep -q '^[^#].*pam_lastlog.*showfailed' /etc/pam.d/postlogin ; then
  if ! grep -q '^session.*pam_succeed_if.so' /etc/pam.d/postlogin ; then
    # No pam_succeed_if session line to anchor on: append both lines at the end
    echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" &gt;&gt; /etc/pam.d/postlogin
    echo "session     optional      pam_lastlog.so silent noupdate showfailed" &gt;&gt; /etc/pam.d/postlogin
  else
    # Insert after the pam_succeed_if line; the second 'a' lands directly after that line,
    # so the final order is [default=1] first, then optional
    sed -i '/^session.*pam_succeed_if.so/a session\t    optional\t  pam_lastlog.so silent noupdate showfailed' /etc/pam.d/postlogin
    sed -i '/^session.*pam_succeed_if.so/a session\t    [default=1]\t  pam_lastlog.so nowtmp showfailed' /etc/pam.d/postlogin
  fi
fi
</fix>


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-12.el7.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
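
As an added example (not the SSG remediation and not the reporter's script), the same fix written as an idempotent shell function that takes the PAM file as a parameter, paired with a check function that reports whether both pam_lastlog showfailed lines are active. The function names and the parameterised path are this example's own, so it can be exercised against a scratch copy instead of the live /etc/pam.d/postlogin.

```shell
# Added example; pam_lastlog_check / pam_lastlog_remediate are names chosen here.
# Usage: pam_lastlog_remediate /path/to/postlogin-copy

# Return 0 when both required session lines are present and not commented out.
pam_lastlog_check() {
    f="$1"
    grep -Eq '^[[:space:]]*session[[:space:]]+\[default=1\][[:space:]]+pam_lastlog\.so[[:space:]]+nowtmp[[:space:]]+showfailed' "$f" &&
    grep -Eq '^[[:space:]]*session[[:space:]]+optional[[:space:]]+pam_lastlog\.so[[:space:]]+silent[[:space:]]+noupdate[[:space:]]+showfailed' "$f"
}

pam_lastlog_remediate() {
    f="$1"
    # Already compliant: do nothing, so repeated runs never duplicate lines.
    pam_lastlog_check "$f" && return 0
    # Remove any stale or commented-out pam_lastlog lines before adding fresh ones.
    sed -i --follow-symlinks '/pam_lastlog\.so/d' "$f"
    if grep -q '^session.*pam_succeed_if\.so' "$f"; then
        # Anchor on the pam_succeed_if line; the second 'a' lands directly after it,
        # so the resulting order is [default=1] first, then optional.
        sed -i '/^session.*pam_succeed_if\.so/a session     optional      pam_lastlog.so silent noupdate showfailed' "$f"
        sed -i '/^session.*pam_succeed_if\.so/a session     [default=1]   pam_lastlog.so nowtmp showfailed' "$f"
    else
        # No anchor line present: append both entries at the end of the stack.
        printf '%s\n' 'session     [default=1]   pam_lastlog.so nowtmp showfailed' \
                      'session     optional      pam_lastlog.so silent noupdate showfailed' >> "$f"
    fi
    # Report the post-remediation state so callers can verify the change took effect.
    pam_lastlog_check "$f"
}
```

Note that, as in the original script, every matching pam_succeed_if session line receives the insertion, so a file with several such lines should be inspected before use.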

Comment 2 Watson Yuuma Sato 2019-01-02 13:58:28 UTC
Hello, 

The mentioned fix script was updated to be simpler in https://github.com/ComplianceAsCode/content/pull/2745.

The issue, though, is that the new fix script was being corrupted by an infrastructure bug, fixed in commit: https://github.com/ComplianceAsCode/content/pull/3217/commits/98930e7ae9a4c45089918016bbc9340f6cd6683b

Comment 4 Jan Černý 2019-03-07 08:52:39 UTC
Granting devel ack because it's fixed by rebase to 0.1.43.

Comment 9 errata-xmlrpc 2019-08-06 13:04:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198

