Bug 1956972 - [RHEL8/SCAP/RFE] Align SCAP pam_faillock with recommendation of pam_faillock manpage to use failock.conf
Summary: [RHEL8/SCAP/RFE] Align SCAP pam_faillock with recommendation of pam_faillock ...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.3
Hardware: x86_64
OS: Linux
Target Milestone: beta
Assignee: Marcus Burghardt
QA Contact: Milan Lysonek
Docs Contact: Khushbu Borole
Duplicates: 2069177
Depends On:
Reported: 2021-05-04 19:09 UTC by Rajesh Dulhani
Modified: 2022-05-10 14:42 UTC

Fixed In Version: scap-security-guide-0.1.60-1.el8
Doc Type: Enhancement
Doc Text:
SSG now supports the `/etc/security/faillock.conf` file

This enhancement adds support for the `/etc/security/faillock.conf` file in SCAP Security Guide (SSG). With this update, SSG can assess and remediate the `/etc/security/faillock.conf` file for the definition of `pam_faillock` settings. The `authselect` tool is also used to enable the `pam_faillock` module while ensuring the integrity of `pam` files. As a result, the assessment and remediation of the `pam_faillock` module are aligned with the latest versions and best practices.
Clone Of:
Last Closed: 2022-05-10 14:14:34 UTC
Type: Bug
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1900 0 None None None 2022-05-10 14:14:44 UTC

Description Rajesh Dulhani 2021-05-04 19:09:43 UTC
Description of problem:

The SCAP check for faillock checks for 'silent' and 'deny' in the pam file
/etc/pam.d/system-auth	[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]

This is against the recommendation in the man page of pam_faillock:
       Configuring options on the module command line is not recommend. The /etc/security/faillock.conf should be used instead.

Version-Release number of selected component (if applicable):

Header of the HTML output of the scap report:
Evaluation target	li-lc-2624
Benchmark URL	/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.50
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Started at	2021-04-12T16:57:29+00:00
Finished at	2021-04-12T16:57:30+00:00
Performed by	vrempet-admin@hiltiq.com
Test system	cpe:/a:redhat:openscap:1.3.3

Additional info (Customer Comments)

If there is a good reason to divert from the recommendation of the pam_faillock developers to use faillock.conf, then this has to be written in the SCAP rationale.
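A defender-side check of the configuration the reporter asks for, added here as an example and not code from the bug report or from SSG: it reads the tunables from /etc/security/faillock.conf and only verifies that pam_faillock.so is enabled in the pam file, flagging any key=value options left on the module line. The sample files are constructed and the max_deny=3 threshold is an assumption.

```python
import re
# Constructed sample of /etc/security/faillock.conf (not from a real host).
SAMPLE_FAILLOCK_CONF = """\
# comments and blank lines are ignored; keyword-only options have no '='
silent
deny = 3
unlock_time = 600
"""
# Constructed /etc/pam.d/system-auth excerpt: module enabled, no tunables on its lines.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_faillock.so authfail
"""
PAM_FAILLOCK = re.compile(r"^\s*auth\s+required\s+pam_faillock\.so\s+(preauth|authfail)\b(.*)$", re.M)

def parse_faillock_conf(text):
    """Map faillock.conf options to values; bare keywords (silent, audit) map to True."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, sep, value = line.partition("=")
            settings[key.strip()] = value.strip() if sep else True
    return settings

def pam_faillock_state(pam_text):
    """Return (enabled, inline): both phases present, and key=value tunables left on the lines."""
    phases = {m.group(1): m.group(2).split() for m in PAM_FAILLOCK.finditer(pam_text)}
    enabled = {"preauth", "authfail"} <= set(phases)
    inline = [opt for opts in phases.values() for opt in opts if "=" in opt]
    return enabled, inline

def assess(pam_text, conf_text, max_deny=3):
    """Return findings; an empty list means the faillock.conf-based check passes."""
    findings = []
    enabled, inline = pam_faillock_state(pam_text)
    if not enabled:
        findings.append("pam_faillock.so preauth and authfail lines not both present")
    if inline:
        findings.append("tunables on module line, move them to faillock.conf: " + " ".join(inline))
    conf = parse_faillock_conf(conf_text)
    deny = conf.get("deny")
    if not (isinstance(deny, str) and deny.isdigit() and 1 <= int(deny) <= max_deny):
        findings.append(f"faillock.conf deny must be 1..{max_deny}, found {deny!r}")
    if conf.get("silent") is not True:
        findings.append("faillock.conf does not set silent")
    return findings
```

Running assess on the two constructed samples returns an empty list; a legacy pam file carrying deny=5 on the module line with an empty faillock.conf yields three findings.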

Comment 1 Jan Černý 2021-05-05 11:12:55 UTC
It looks like a valid issue to me because the RHEL 8.2 release notes https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/rhel-8-2-0-release#enhancement_security say that pam_faillock can now read settings from the faillock.conf configuration file, so I guess that the SCAP rules should check this file as well. Switching to the correct component to investigate further.

Comment 6 Marcus Burghardt 2021-12-14 08:34:43 UTC
Fix merged in Upstream:

Comment 22 Marcus Burghardt 2022-04-04 17:00:07 UTC
*** Bug 2069177 has been marked as a duplicate of this bug. ***

Comment 24 errata-xmlrpc 2022-05-10 14:14:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
