Bug 1956972 - [RHEL8/SCAP/RFE] Align SCAP pam_faillock with recommendation of pam_faillock manpage to use failock.conf
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.3
Hardware: x86_64
OS: Linux
Target Milestone: beta
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2021-05-04 19:09 UTC by Rajesh Dulhani
Modified: 2021-05-06 14:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:


Description Rajesh Dulhani 2021-05-04 19:09:43 UTC
Description of problem:

The SCAP check for faillock checks for 'silent' and 'deny' in the pam file
/etc/pam.d/system-auth	[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]

This is against the recommendation in the man page of pam_faillock:
       Configuring options on the module command line is not recommended. The /etc/security/faillock.conf should be used instead.

Version-Release number of selected component (if applicable):

Header of the HTML output of the scap report:
Evaluation target	li-lc-2624
Benchmark URL	/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.50
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Started at	2021-04-12T16:57:29+00:00
Finished at	2021-04-12T16:57:30+00:00
Performed by	vrempet-admin@hiltiq.com
Test system	cpe:/a:redhat:openscap:1.3.3

Additional info (Customer Comments)

If there is a good reason to diverge from the recommendation of the pam_faillock developers to use faillock.conf, then this has to be written in the SCAP rationale.

Comment 1 Jan Černý 2021-05-05 11:12:55 UTC
It looks like a valid issue to me, because the RHEL 8.2 release notes https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/rhel-8-2-0-release#enhancement_security say that pam_faillock can now read settings from the faillock.conf configuration file, so I guess that the SCAP rules should check this file as well. Switching to the correct component to investigate further.
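The following is an added example, not code from the bug report, from scap-security-guide or from OpenSCAP. It shows what a faillock check that honours the description's and Comment 1's point would look like: instead of matching only 'silent' and 'deny=' on the pam_faillock.so module line (the regex quoted above), it reads both the PAM line and /etc/security/faillock.conf, computes the effective settings, and reports where they came from. The PAM and faillock.conf contents are constructed samples, the function names are this example's own, and the check assumes (per the pam_faillock documentation) that options on the module command line override values from faillock.conf.

```python
import re

# Constructed sample inputs; they are not taken from the reporter's system.
PAM_SYSTEM_AUTH_CMDLINE = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900
account     required      pam_faillock.so
"""

PAM_SYSTEM_AUTH_CONF = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail
account     required      pam_faillock.so
"""

FAILLOCK_CONF = """\
# constructed /etc/security/faillock.conf
silent
deny = 3
unlock_time = 900
"""

# Matches an auth-phase pam_faillock line; the control field may be a
# bracketed expression such as [default=die].
_PAM_FAILLOCK_RE = re.compile(r"^auth\s+(?:\[[^\]]*\]|\S+)\s+pam_faillock\.so\s*(.*)$")


def _parse_args(tokens):
    """Turn ['silent', 'deny=3'] into {'silent': True, 'deny': '3'}."""
    opts = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True
    return opts


def parse_faillock_conf(text):
    """Parse faillock.conf: '#' comments, 'key = value' lines, bare flags."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, sep, value = line.partition("=")
            opts[key.strip()] = value.strip() if sep else True
    return opts


def parse_pam_preauth_options(pam_text):
    """Options on the 'pam_faillock.so preauth' line, or None if absent."""
    for raw in pam_text.splitlines():
        m = _PAM_FAILLOCK_RE.match(raw.split("#", 1)[0].strip())
        if m:
            tokens = m.group(1).split()
            if "preauth" in tokens:
                return _parse_args(t for t in tokens if t != "preauth")
    return None


def check_faillock(pam_text, faillock_conf_text, max_deny=3):
    """Report whether lockout is configured and where the settings come from.

    Assumes (per the pam_faillock documentation) that module command-line
    options override values from faillock.conf.
    """
    preauth = parse_pam_preauth_options(pam_text)
    if preauth is None:
        return {"pass": False, "source": None, "recommended_layout": False,
                "reason": "no 'pam_faillock.so preauth' auth line"}
    conf = parse_faillock_conf(faillock_conf_text)
    effective = {**conf, **preauth}          # module line wins on conflict
    deny = effective.get("deny")
    ok = ("silent" in effective and isinstance(deny, str)
          and deny.isdigit() and int(deny) <= max_deny)
    if "deny" in preauth or "silent" in preauth:
        source = "module line"
    elif "deny" in conf or "silent" in conf:
        source = "faillock.conf"
    else:
        source = None
    return {
        "pass": ok,
        "source": source,
        # The man page recommends keeping the module line free of options.
        "recommended_layout": not preauth,
        "reason": "" if ok else "silent missing or deny unset/above limit",
    }


if __name__ == "__main__":
    print(check_faillock(PAM_SYSTEM_AUTH_CONF, FAILLOCK_CONF))
    print(check_faillock(PAM_SYSTEM_AUTH_CMDLINE, ""))
```

Both sample layouts pass the lockout threshold, but only the faillock.conf layout is reported as following the man page recommendation, which is the distinction the current regex cannot make.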
