A question about rule accounts_passwords_pam_faillock_deny
Share the context
In the oval/shared.xml of rule accounts_passwords_pam_faillock_deny
Description of problem:
There is a criterion: test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account
and it checks the file /etc/pam.d/system-auth
with the regex:
It means it should be written as below:
    account required pam_faillock.so
    account required pam_unix.so
But as PAM's parameters define: required ([success=ok new_authtok_reqd=ok ignore=ignore default=bad]) When the module reports failure, the user gets denied after all other lines in the type-section are checked. The reason that even when the user is denied access all other lines are checked has to do with system response. By checking all other lines a possible attacker has no clue which module created the denial state, and thus makes it harder for the attacker to create an alternative attack method.
So, I think writing it as below is also OK:
    account required pam_unix.so
    account required pam_faillock.so
Proposed change:
add an OR criterion, and move pam_unix.so to the front.
Is my thought correct? Looking forward to your feedback.
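As an added example (not from the issue or the ComplianceAsCode project), a small checker that parses the account section of a pam.d file and accepts pam_faillock.so either before or after pam_unix.so, since with `required` every line of the section is evaluated; the sample stacks are constructed, and the `sufficient` case is added to show the one ordering that would actually bypass faillock.

```python
import re

# Constructed sample stacks (not from the issue); only the account section matters here.
FAILLOCK_FIRST = """\
auth        required      pam_env.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""
UNIX_FIRST = """\
account     required      pam_unix.so
account     required      pam_faillock.so
"""
# A 'sufficient' pam_unix.so before pam_faillock.so short-circuits the stack on success.
SUFFICIENT_FIRST = """\
account     sufficient    pam_unix.so
account     required      pam_faillock.so
"""

# type  control (plain word or [bracketed=values])  module
LINE_RE = re.compile(r"^\s*(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")


def account_stack(text):
    """Return (control, module) pairs of the account section, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line)
        if m and m.group("type").lstrip("-") == "account":
            entries.append((m.group("control"), m.group("module")))
    return entries


def faillock_deny_ok(text):
    """True when pam_faillock.so is a 'required' account line that is always reached.

    With 'required' on every line, PAM evaluates the whole section regardless of
    outcome, so pam_faillock.so may sit before or after pam_unix.so. A 'sufficient'
    line ahead of it would return success early and skip the faillock check.
    """
    entries = account_stack(text)
    for i, (control, module) in enumerate(entries):
        if module == "pam_faillock.so":
            if control != "required":
                return False
            return all(c != "sufficient" for c, _ in entries[:i])
    return False  # pam_faillock.so absent from the account section
```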