Rule pam_faillock wrongly used for standard scan profile in SLE15
Description of problem:
Rule xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny is used when scanning a SLE15 server with the standard profile, which is not correct, as the pam_faillock module does not exist on SLE 15; pam_tally2 does. As an example, Set Deny For Failed Password Attempts uses pam_faillock.
I don't have this issue with the CIS scan, in which xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2 is correctly used.
SCAP Security Guide Version:
0.1.57
Operating System Version:
SUSE Linux Enterprise Server 15
Steps to Reproduce:
- Scan a SLE15 server, with or without remediation, with the standard profile
- Check the result and see that pam_faillock is mentioned/used
Actual Results:
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny is mentioned/used to remediate, for example, Set Deny For Failed Password Attempts
Expected Results:
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2 should be used
In fact, the static guide is wrong too: http://static.open-scap.org/ssg-guides/ssg-sle15-guide-standard.html
@anivan-suse @teacup-on-rockingchair FYI
Thanks @marcusburghardt. I opened an issue, #9115, that I will try to handle ASAP.
Hi @teacup-on-rockingchair, do you have plans to work on it soon? #9104 is blocked by this issue.
Hi, my plans are to close this by the end of the month, hopefully next week.
This would be great. : ) Thanks
Based on the @teacup-on-rockingchair comment on #9115, the pam_faillock.so PAM module is now supported out of the box on SLE15.
Based on that, I am closing this issue.