Description of problem:
The SCAP check for faillock checks for 'silent' and 'deny' in the pam file.
This is against the recommendation in the man page of pam_faillock:
"Configuring options on the module command line is not recommended. The /etc/security/faillock.conf should be used instead."
Version-Release number of selected component (if applicable):
Header of the HTML output of the scap report:
Evaluation target li-lc-2624
Benchmark URL /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version 0.1.50
Profile ID xccdf_org.ssgproject.content_profile_ospp
Started at 2021-04-12T16:57:29+00:00
Finished at 2021-04-12T16:57:30+00:00
Performed by email@example.com
Test system cpe:/a:redhat:openscap:1.3.3
Additional info (Customer Comments)
If there is a good reason to deviate from the recommendation of the pam_faillock developers to use faillock.conf, then this has to be written in the SCAP rationale.
It looks like a valid issue to me, because the RHEL 8.2 release notes https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/rhel-8-2-0-release#enhancement_security say that pam_faillock can now read settings from the faillock.conf configuration file, so I guess that the SCAP rules should check this file as well. Switching to the correct component to investigate further.
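The two places a compliance check has to look at, as an added example that is not part of the bug report or of the scap-security-guide project: a small Python checker that parses the pam_faillock module lines of a PAM stack file and the `name = value` / bare-flag lines of faillock.conf, reports any option still set on the module command line (the pattern the man page advises against) and any required option missing from faillock.conf. The PAM stacks and the faillock.conf content are constructed samples; `deny`, `silent` and `unlock_time` are the real pam_faillock option names, the phase keywords `preauth`, `authfail` and `authsucc` are the real module keywords.

```python
"""Locate pam_faillock settings: module command line vs. faillock.conf.

Added example, not code from scap-security-guide. The file contents
below are constructed samples; the real files would be read from
/etc/pam.d/ and /etc/security/faillock.conf.
"""
import shlex

# Constructed sample: options still carried on the module line,
# which is what the original SCAP check looked for.
PAM_SYSTEM_AUTH_OLD = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900
account     required      pam_faillock.so
"""

# Constructed sample: module lines carry only the phase keyword, as the
# pam_faillock man page recommends; values live in faillock.conf.
PAM_SYSTEM_AUTH_NEW = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail
account     required      pam_faillock.so
"""

FAILLOCK_CONF = """\
# /etc/security/faillock.conf (constructed sample)
# deny = 5
silent
deny = 3
unlock_time = 900
"""

PHASE_KEYWORDS = {"preauth", "authfail", "authsucc"}


def module_options(pam_text, module="pam_faillock.so"):
    """Return {option: value} for options on the module's command line.
    Bare flags (e.g. 'silent') map to None; phase keywords are skipped."""
    opts = {}
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if module not in fields:
            continue
        for arg in fields[fields.index(module) + 1:]:
            if arg in PHASE_KEYWORDS:
                continue
            key, sep, value = arg.partition("=")
            opts[key] = value if sep else None
    return opts


def faillock_conf_options(conf_text):
    """Parse faillock.conf: 'name = value' or a bare flag per line,
    '#' starts a comment."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        opts[key.strip()] = value.strip() if sep else None
    return opts


def evaluate(pam_text, conf_text, required=("deny", "silent")):
    """Return (passed, findings). Passes only when every required option
    is present in faillock.conf and none is set on the module line."""
    findings = []
    on_cmdline = module_options(pam_text)
    in_conf = faillock_conf_options(conf_text)
    for opt in required:
        if opt in on_cmdline:
            findings.append(f"{opt}: set on module command line (not recommended)")
        if opt not in in_conf:
            findings.append(f"{opt}: missing from faillock.conf")
    return (not findings, findings)


if __name__ == "__main__":
    for label, pam in (("old stack", PAM_SYSTEM_AUTH_OLD), ("new stack", PAM_SYSTEM_AUTH_NEW)):
        passed, findings = evaluate(pam, FAILLOCK_CONF)
        print(label, "PASS" if passed else "FAIL", findings)
```

Run against the two constructed stacks, the old one fails with two findings (both options on the module line) and the new one passes; feeding an empty faillock.conf to the new stack fails with both options reported missing, which is the condition a rule checking only the PAM file would never notice.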
Fix merged in Upstream:
*** Bug 2069177 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.