Hide Forgot
Description of problem: The SCAP check for faillock checks for 'silent' and deny' in the pam file ------ /etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ------ This is against the recommendation in the man page of pam_faillock: ------ NOTES Configuring options on the module command line is not recommend. The /etc/security/faillock.conf should be used instead. ------ Version-Release number of selected component (if applicable): Header of the HTML output of the scap report: ------ Evaluation target li-lc-2624 Benchmark URL /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml Benchmark ID xccdf_org.ssgproject.content_benchmark_RHEL-8 Benchmark version 0.1.50 Profile ID xccdf_org.ssgproject.content_profile_ospp Started at 2021-04-12T16:57:29+00:00 Finished at 2021-04-12T16:57:30+00:00 Performed by vrempet-admin@hiltiq.com Test system cpe:/a:redhat:openscap:1.3.3 ------ Additional info ( Customer Comments ) If there is a good reason to divert from the recommendation on the pam_faillock developers to use faillock.conf then this has to be written in the SCAP rationale
It looks like a valid issue for me because the RHEL 8.2 release notes https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/rhel-8-2-0-release#enhancement_security say that pam_faillock can now read settings from faillock.conf configuration file, so I guess that the SCAP rules should check this file as well. Switching to correct component to investigate further.