Rule accounts_password_pam_retry fails after kickstart installation
Description of problem:
Rule accounts_password_pam_retry fails after kickstart installation of RHEL 9.4 with STIG profile and various other profiles.
SCAP Security Guide Version:
current upstream master branch as of 2024-08-07, HEAD at https://github.com/ComplianceAsCode/content/commit/42c82069d1b0a632560f6b11f6ecb08f7f6d2743
Operating System Version:
RHEL 9.4
Steps to Reproduce:
- build the rhel9 product
- generate a kickstart file with oscap xccdf generate fix --fix-type kickstart (using openscap-1.4.0)
- use the generated kickstart for the operating system installation of RHEL 9.4
- on the installed machine run oscap xccdf eval --profile stig --results-arf arf.xml /usr/share/xml/scap/ssg-rhel9-ds.xml
Actual Results:
accounts_password_pam_retry: fail
Expected Results:
accounts_password_pam_retry: pass
Additional Information/Debugging Steps:
The rule passes in the scan run in the Anaconda post-installation phase, which means its remediation isn't executed there. However, the rule then fails in the scan run after installation. It may be that another rule conflicts with it.
The remediation for a different rule, xccdf_org.ssgproject.content_rule_enable_authselect, writes this output into the report:
[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!
[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!
[error] File that needs to be overwritten was found
[error] Refusing to activate profile unless this file is removed or overwrite is requested.
Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.
Backup stored at /var/lib/authselect/backups/2024-08-07-08-55-13.BluUNV
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
I think this message is suspicious because some of the files that need to be "overwritten" are those that are checked by rule accounts_password_pam_retry.
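As an added example (not part of this report or of the ComplianceAsCode project), here is a POSIX shell check for the retry= argument on the pam_pwquality.so line, the setting the rule is concerned with, run against constructed sample PAM stack files; the pass criterion (1 <= retry <= 3) and the two file paths are assumptions about what the rule checks.

```shell
#!/bin/sh
# Added example. Assumption (not stated in the report): accounts_password_pam_retry
# expects a retry= value between 1 and 3 on the pam_pwquality.so line of
# /etc/pam.d/system-auth and /etc/pam.d/password-auth.

# pam_retry_value FILE -> prints the retry value on the pam_pwquality line,
# prints nothing when the module line or the retry argument is missing.
pam_retry_value() {
    grep -E '^[[:space:]]*password[[:space:]]+(requisite|required)[[:space:]]+pam_pwquality\.so' "$1" 2>/dev/null \
        | sed -n 's/.*[[:space:]]retry=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# pam_retry_ok FILE MAX -> exit 0 only when retry is present and 1 <= retry <= MAX
pam_retry_ok() {
    v=$(pam_retry_value "$1")
    [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le "$2" ]
}

# check_pam_retry_files MAX FILE... -> one pass/fail line per file, exit 1 if any fails
check_pam_retry_files() {
    max=$1; shift; rc=0
    for f in "$@"; do
        if pam_retry_ok "$f" "$max"; then echo "pass: $f"; else echo "fail: $f"; rc=1; fi
    done
    return $rc
}

# Constructed sample stacks (not copied from a real system) so the check runs offline.
demo_dir=$(mktemp -d)
# A stack after the accounts_password_pam_retry remediation has added retry=3:
cat > "$demo_dir/system-auth" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
# A stack as a freshly selected authselect profile might write it, with no retry=
# argument; if "authselect select ... --force" re-applies the profile after the
# pam_retry remediation ran, the file ends up in this state and the rule fails.
cat > "$demo_dir/password-auth" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so local_users_only
password    sufficient    pam_unix.so sha512 shadow use_authtok
EOF

check_pam_retry_files 3 "$demo_dir/system-auth" "$demo_dir/password-auth" \
    || echo "at least one stack would fail accounts_password_pam_retry"
```

On a real host, "authselect check" reports whether the profile's files have been modified outside authselect, which is what the "[error] File [...] exists but it needs to be overwritten!" lines in the report indicate.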