Bug 2209073 - Please explain if "accounts_passwords_pam_faillock_interval" should apply to RHEL8.2+ or not
Summary: Please explain if "accounts_passwords_pam_faillock_interval" should apply to ...
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 2228465 2228466
 
Reported: 2023-05-22 13:47 UTC by Renaud Métrich
Modified: 2023-08-17 20:20 UTC (History)

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
.Faillock settings clarification in STIG profile The mapping of the rule `accounts_passwords_pam_faillock_interval` has been clarified in the STIG profile. The rule now covers both RHEL-08-020012 and RHEL-08-020013. The reason for this change is that the rule `accounts_passwords_pam_faillock_interval` checks the `faillock` configuration in all three of these files: `/etc/pam.d/password-auth`, `/etc/pam.d/system-auth` and `/etc/security/faillock.conf`. The STIG ID RHEL-08-020012 checks only `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`; the STIG ID RHEL-08-020013 checks only `/etc/security/faillock.conf`. Therefore, the rule `accounts_passwords_pam_faillock_interval` covers both of these STIG IDs.
Clone Of:
Clones: 2228465 2228466 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System: Red Hat Issue Tracker, ID: RHELPLAN-157851, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2023-05-22 13:49:16 UTC

Description Renaud Métrich 2023-05-22 13:47:20 UTC
Description of problem:

Reading the rule description, from STIG official webpage https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2022-12-06/finding/V-230334:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The above text seems to infer that the rule "accounts_passwords_pam_faillock_interval" should not apply to RHEL8.2 and later.

But scanning for STIG on a 8.6 or later system shows the rule executes.

Please tell us if it's a rule bug or if it's more the checks listed to confirm compliance that do not apply to RHEL8.2 or later:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sudo grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so

If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.

$ sudo grep pam_faillock.so /etc/pam.d/system-auth
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

scap-security-guide

How reproducible:

Always

Comment 1 Vojtech Polasek 2023-05-25 07:45:49 UTC
Hello Renaud,
this rule is a bit special - it actually also covers this STIG item:
https://stigaview.com/products/rhel8/v1r9/RHEL-08-020013/
It decides what to do based on the presence of Authselect, so it works for all RHEL 8 systems.
I think we should include the STIG ID I have posted above in the rule's references so that it does not confuse people. Would this solve the issue?
Best regards,
Vojta
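The following is an added illustration, not code from scap-security-guide or from either commenter, of why the rule is broader than the RHEL-08-020012 check text quoted in the description: it emulates the two styles of check side by side, the grep of the `preauth` line in the PAM files (RHEL-08-020012) and the `fail_interval` key in `/etc/security/faillock.conf` (RHEL-08-020013), and only reports the host compliant when all three files pass, as the combined rule does. The file layout passed to `check_host`, the sample file contents and the function names are assumptions made for the example; the STIG wording "900 or less (but not 0)" is taken from the description above.

```shell
#!/bin/sh
# Added example (not SSG code): emulate what the combined rule checks.
# A fail_interval value passes the STIG wording ("900 or less, but not 0")
# when it is an integer in 1..900.

# interval_ok VALUE -> exit 0 if VALUE is an integer between 1 and 900 inclusive.
interval_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: finding
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 900 ]
}

# check_pam_file FILE -> exit 0 if the preauth pam_faillock.so line in a
# /etc/pam.d/{password,system}-auth style file carries a compliant
# fail_interval=N (the RHEL-08-020012 style of check).
check_pam_file() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so[[:space:]].*preauth' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 1           # no preauth line at all: finding
    value=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]fail_interval=\([0-9]*\).*/\1/p')
    interval_ok "$value"
}

# check_faillock_conf FILE -> exit 0 if an uncommented "fail_interval = N"
# with a compliant N is present in a /etc/security/faillock.conf style file
# (the RHEL-08-020013 style of check; a later line overrides an earlier one).
check_faillock_conf() {
    value=$(sed -n 's/^[[:space:]]*fail_interval[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    interval_ok "$value"
}

# check_host PAMDIR CONF -> exit 0 only if every file passes, mirroring the
# rule covering all three files. The layout is an assumption of this example;
# on a real host PAMDIR is /etc/pam.d and CONF is /etc/security/faillock.conf.
check_host() {
    rc=0
    for f in "$1/password-auth" "$1/system-auth"; do
        if check_pam_file "$f"; then echo "pass    $f"; else echo "FINDING $f"; rc=1; fi
    done
    if check_faillock_conf "$2"; then echo "pass    $2"; else echo "FINDING $2"; rc=1; fi
    return $rc
}

# Constructed sample inputs (not taken from a real host) so the script runs offline.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/pam.d"
printf '%s\n' \
  'auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0' \
  'auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0' \
  'account required pam_faillock.so' > "$SAMPLE/pam.d/password-auth"
cp "$SAMPLE/pam.d/password-auth" "$SAMPLE/pam.d/system-auth"
# faillock.conf with fail_interval = 0: the PAM-file greps pass, but the
# faillock.conf check does not, so the combined rule still reports a finding.
printf '%s\n' '# faillock.conf' 'deny = 3' 'fail_interval = 0' > "$SAMPLE/faillock.conf"

if check_host "$SAMPLE/pam.d" "$SAMPLE/faillock.conf"; then
    echo "overall: compliant"
else
    echo "overall: finding (rule covers all three files)"
fi
rm -rf "$SAMPLE"
```

The sample deliberately makes the two checks disagree: the PAM lines alone would satisfy RHEL-08-020012 on an 8.0/8.1-style configuration, while the `fail_interval = 0` in `faillock.conf` is what an Authselect-managed 8.2+ system actually enforces, which is why a scan that only looked at the PAM files would miss the finding the rule reports.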

Comment 2 Renaud Métrich 2023-05-25 08:55:02 UTC
Hello,

thanks for the information, you may indeed add the stigid, I think it's more the STIG text in the rule that is confusing.

Comment 4 Vojtech Polasek 2023-07-18 08:03:21 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/10846

