
Bug 2207527

Summary: variable faillock directory does not seem to affect any rules
Product: Red Hat Enterprise Linux 9
Reporter: Julia Schindler <juschind>
Component: scap-workbench
Assignee: Matěj Týč <matyc>
Status: CLOSED MIGRATED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.1
CC: mhaicman, mmarhefk, myllynen, wsato
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-30 15:56:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Julia Schindler 2023-05-16 07:55:54 UTC
Description of problem:

The rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock sets up the audit rule "-w /var/log/faillock -p wa -k logins". The variable xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir has the description "The directory where the user files with the failure records are kept", and defaults to /var/log/faillock. Changing the variable value to "/var/run/faillock" does not change the outcome of the aforementioned rule.

In scap-workbench, even when selecting all rules in a customization window based on CIS RHEL9 Benchmark for Level2 - Server, the "Affects Rules" section of the variable xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir shows "This value doesn't seem to be affecting any rules!".

How reproducible: always

Steps to Reproduce:

1. Open RHEL9 profile in SCAP Workbench
2. Select Customize CIS RHEL9 Benchmark Level2 - Server
3. Adjust value of xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir
4.a Inspect "Affects rules" in xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir
4.b Run `oscap xccdf eval --remediate` with the customized profile based on the CIS L2 Server profile and inspect the audit rules

Actual results:
Adjusting the value of xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir does not have an effect.
After the remediation with oscap a `grep -r faillock /etc/audit` shows the rule "-w /var/log/faillock -p wa -k logins", but not "-w /var/run/faillock -p wa -k logins".

Expected results:
Adjusting the value of xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir does have an effect.
After the remediation with oscap a `grep -r faillock /etc/audit` shows the rule "-w /var/run/faillock -p wa -k logins".

Comment 1 Matěj Týč 2023-06-01 09:50:53 UTC
This BZ doesn't have a customer case, is that on purpose?

The XCCDF value var_accounts_passwords_pam_faillock_dir is indeed not used in the rule, it is used in the accounts_passwords_pam_faillock_dir rule.
As a result, the behavior is not a bug in Workbench, but a bug/feature request of the content.

The "Affects Rules" window is indicative only, and its contents are indeed misleading - that would be a bug in Workbench.
We will decide what to do with the Workbench side of this bug depending on whether there is a customer involved in the issue, as it is a relatively mild severity problem.

Comment 2 Marko Myllynen 2023-06-02 06:44:11 UTC
We were able to work around this at the customer and also concluded this is a low-prio issue not worth a customer case, but still worth bringing to your attention.

Let us know if you'd like us to create a separate low-prio workbench BZ.

Thanks.

Comment 3 Matěj Týč 2023-06-12 13:38:57 UTC
Great, could you please summarize what the problem was in the context of my earlier answer? IOW, is the main problem left the misleading message of the Workbench regarding the "Affects Rules"?

Comment 4 Julia Schindler 2023-06-12 16:42:48 UTC
Regarding your earlier answer, while I indeed was misled by the message of the Workbench regarding the "Affects Rules" (thinking that it should affect the rule xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock), my main problem was that it seems not to be possible to adjust the faillock directory in the audit rule "-w /var/log/faillock -p wa -k logins" set up by content_rule_audit_rules_login_events_faillock.
In man pam_faillock(8) and /etc/security/faillock.conf, the default directory where the user files with the failure records are kept is specified to be /var/run/faillock. This is also the directory mentioned in the CIS RHEL 9 Benchmark document (point 4.1.3.12). It would be helpful if the audit rule for monitoring the faillock directory could be adjusted accordingly. Moreover, if someone for example sets content_value_var_accounts_passwords_pam_faillock_dir to /var/log/my_faillock, it would also be helpful if the audit rule were adjustable to reflect the configured directory for pam_faillock. Otherwise the wrong directory is potentially monitored.
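The mismatch described in this comment (an audit watch on /var/log/faillock while pam_faillock records failures under the directory from faillock.conf, /var/run/faillock by default) can be detected with a small check. The script below is an added example and is not part of the bug report, scap-workbench or the SCAP content; it assumes the `dir` key of faillock.conf(5) and the rule shape `-w <dir> -p wa -k logins` quoted in the description, and builds a constructed sample that reproduces the reported state.

```shell
#!/bin/sh
# Added example: verify that the audit watch on the faillock directory matches
# the directory pam_faillock actually writes to.

# Effective faillock directory: the last uncommented "dir = ..." line in the
# given faillock.conf, falling back to pam_faillock's default /var/run/faillock.
faillock_dir() {
    conf="$1"
    dir=""
    if [ -r "$conf" ]; then
        dir=$(sed -n 's/^[[:space:]]*dir[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    [ -n "$dir" ] && printf '%s\n' "$dir" || printf '%s\n' "/var/run/faillock"
}

# Return 0 if any rules file under $1 carries a write/attribute watch on
# directory $2 under the "logins" key, 1 otherwise (portable BRE, no GNU \+).
audit_watch_present() {
    rules_dir="$1"
    dir="$2"
    grep -rqs -- "^[[:space:]]*-w[[:space:]][[:space:]]*$dir[[:space:]][[:space:]]*-p[[:space:]][[:space:]]*wa[[:space:]][[:space:]]*-k[[:space:]][[:space:]]*logins" "$rules_dir"
}

# Whole check: report the effective directory and whether audit covers it.
check_faillock_watch() {
    conf="$1"; rules_dir="$2"
    dir=$(faillock_dir "$conf")
    if audit_watch_present "$rules_dir" "$dir"; then
        echo "OK: audit watch covers faillock dir $dir"
        return 0
    fi
    echo "MISMATCH: no audit watch for faillock dir $dir in $rules_dir"
    return 1
}

# Constructed sample reproducing the bug: faillock.conf leaves "dir" at its
# default while the remediated audit rule watches /var/log/faillock.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed faillock.conf\ndeny = 5\n' > "$tmp/faillock.conf"
    mkdir -p "$tmp/rules.d"
    echo '-w /var/log/faillock -p wa -k logins' > "$tmp/rules.d/30-logins.rules"
    check_faillock_watch "$tmp/faillock.conf" "$tmp/rules.d" || true
    rm -rf "$tmp"
}
```

On a real host, call `check_faillock_watch /etc/security/faillock.conf /etc/audit/rules.d` after remediation; a non-zero exit means the directory pam_faillock uses is not being audited.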

Comment 5 RHEL Program Management 2023-08-30 14:00:27 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 6 RHEL Program Management 2023-08-30 15:56:45 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.

Users watching this BZ may not be automatically added to the Jira ticket. Be sure to add yourself to the Watchers field in the Jira issue if you desire to continue following this issue.