Some PAM rules pass during remediation, but then they fail during final scan #9132
Comments
@yuumasato @marcusburghardt Thoughts on the

So I did a test on a fresh RHEL9 install. I installed without any hardening.

Thanks for the analysis on this @mildas and @vojtapolasek. With the problem clear I could analyse possible solutions and found a possible easy fix here. Basically the remediation should not select a profile if one is already in use. I can send a fix for this tomorrow.

@marcusburghardt I don't think it will help. Not selecting a profile if one is already in use should be prevented via https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/enable_authselect/bash/shared.sh#L8 Those fails were caught on a clean machine where no authselect profile has been selected.
Correct @mildas. This morning I reviewed the idea with a fresh head and a new testing VM. I saw it is not so easy as I thought. :( So, in a system without an active
When an
For this reason, the
So, the issue is related to the
So, the
Consequently, the
This would be tricky to fix and sincerely, I don't think this is a real issue. So, one option would be to recommend the
There is no easy fix - must be fixed on scanner side.

Should we close it here and open a new issue in OpenSCAP?

Closing, reported an issue in openscap - OpenSCAP/openscap#1880
Description of problem:
During hardened kickstart installation, the `set_password_hashing_algorithm_passwordauth`, `set_password_hashing_algorithm_systemauth`, and `accounts_password_pam_retry` PAM rules pass. After installation, when scanning, the rules fail because the expected object has not been found.
For example, `set_password_hashing_algorithm_passwordauth` in the final scan:

check /etc/pam.d/password-auth for correct settings oval:ssg-test_pam_unix_passwordauth_sha512:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_unix_passwordauth_sha512:obj:1 of type textfilecontent54_object

But during the installation, everything was fine. `set_password_hashing_algorithm_passwordauth` during the remediation phase:

check /etc/pam.d/password-auth for correct settings oval:ssg-test_pam_unix_passwordauth_sha512:tst:1 true
Following items have been found on the system:
SCAP Security Guide Version: 11974e4
Operating System Version: RHEL 9

Steps to Reproduce:

Actual Results: PAM rules fail

Expected Results: PAM rules pass
Additional Information/Debugging Steps:
It might be related to how openscap remediates:
1. `enable_authselect` fails and rules listed above pass
2. `enable_authselect` is remediated and thus overwrites all existing PAM configuration.
3. The passed rules are not remediated even though their configuration might have been broken by the `authselect select`
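The ordering described in the debugging steps above, as an added example that is not part of this issue, the ComplianceAsCode content or openscap: it replays the evaluate-then-remediate cycle on temporary copies of a constructed `password-auth` file, so the passing rule is skipped by the remediation and the profile selection then rewrites the file it was checked against. `check_sha512`, `remediate_sha512`, `select_profile`, `make_fixture`, the grep/sed patterns and the "profile template" are assumptions made for illustration, not the SSG OVAL pattern, the rule's remediation script or real authselect output; `authselect select` itself is never called.

```shell
#!/bin/sh
# Added illustration for issue #9132; not code from ComplianceAsCode or openscap.
# Everything operates on temporary files: `authselect select` is never run, and
# the "profile template" below is a constructed stand-in (assumption) for the
# effect the issue attributes to it, i.e. the PAM file is rewritten from the
# profile and the setting that was present before is gone.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PAM_FILE="$WORK/password-auth"
TEMPLATE="$WORK/profile-password-auth"

# Constructed sample files, not copied from any real system.
make_fixture() {
    # State left by the hardened kickstart: pam_unix carries sha512.
    cat > "$PAM_FILE" <<'EOF'
auth        required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
    # Assumed profile content written by the stand-in "select": no sha512.
    cat > "$TEMPLATE" <<'EOF'
auth        required      pam_unix.so
password    sufficient    pam_unix.so shadow try_first_pass use_authtok
EOF
}

# Simplified stand-in for the OVAL textfilecontent54 check behind
# set_password_hashing_algorithm_passwordauth (not the SSG pattern):
# returns 0 (pass) if a pam_unix password line carries the sha512 option.
check_sha512() {
    grep -Eq '^password[[:space:]]+[^[:space:]]+[[:space:]]+pam_unix\.so.*[[:space:]]sha512([[:space:]]|$)' "$1"
}

# Stand-in for the rule's remediation: add sha512 to the pam_unix password line.
remediate_sha512() {
    sed -E 's/^(password[[:space:]]+[^[:space:]]+[[:space:]]+pam_unix\.so)(.*)$/\1 sha512\2/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Stand-in for the enable_authselect remediation (`authselect select`):
# the whole file is replaced by the profile's version.
select_profile() {
    cp "$TEMPLATE" "$1"
}

# One cycle as the issue describes it: evaluate every rule, remediate only the
# failing ones, then run the final scan. Prints the final result of the sha512 rule.
run_evaluate_then_remediate() {
    # Phase 1: evaluation. sha512 passes on the kickstart file; enable_authselect
    # fails because no profile is active on the clean install (assumed).
    if check_sha512 "$1"; then sha512_failed=0; else sha512_failed=1; fi
    authselect_failed=1
    # Phase 2: remediate failed rules only. The sha512 rule is skipped, and the
    # profile selection rewrites the very file the sha512 rule was checked against.
    if [ "$sha512_failed" -eq 1 ]; then remediate_sha512 "$1"; fi
    if [ "$authselect_failed" -eq 1 ]; then select_profile "$1"; fi
    # Phase 3: final scan, evaluated against the rewritten file.
    if check_sha512 "$1"; then echo pass; else echo fail; fi
}

# The same cycle followed by a second evaluate-and-remediate pass, which picks
# up the rule that a later remediation broke during the first pass.
run_with_second_pass() {
    run_evaluate_then_remediate "$1" > /dev/null
    # Second pass: a profile is now active, so only the sha512 rule needs fixing.
    if ! check_sha512 "$1"; then remediate_sha512 "$1"; fi
    if check_sha512 "$1"; then echo pass; else echo fail; fi
}

make_fixture
echo "single evaluate-then-remediate cycle: $(run_evaluate_then_remediate "$PAM_FILE")"
make_fixture
echo "with a second pass:                   $(run_with_second_pass "$PAM_FILE")"
```

The single cycle ends in `fail` even though nothing was wrong with the sha512 line before remediation started, which is the scanner-side ordering problem the thread points to: a rule that passed at evaluation time is not re-checked after a later remediation has changed the file it depends on. The second pass ends in `pass`, which is why re-running the scan with remediation shows whether a failure of this kind is just the ordering effect rather than a broken remediation.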