From 276d4b923a989d98680d364a56fbc901a1c21778 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Thu, 11 Jun 2015 12:18:22 +0200
Subject: [PATCH 1/2] [BugFix] [RHEL/7] [Fedora] Update XCCDF prose for
 "display_login_attempts" rule for RHEL-7 and Fedora products to provide
 correct recommendation wrt to pam_lastlog settings on these products

Fixes issue reported in:
  https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006449.html
---
 Fedora/input/system/accounts/pam.xml | 9 ++++++---
 RHEL/7/input/system/accounts/pam.xml | 9 ++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/Fedora/input/system/accounts/pam.xml b/Fedora/input/system/accounts/pam.xml
index 3ca7a372b81..b78c91d9c22 100644
--- a/Fedora/input/system/accounts/pam.xml
+++ b/Fedora/input/system/accounts/pam.xml
@@ -58,13 +58,16 @@ frequently.</description>
 <Rule id="display_login_attempts">
 <title>Set Last Logon/Access Notification</title>
 <description>To configure the system to notify users of last logon/access
-using <tt>pam_lastlog</tt>, add the following line immediately after <tt>session  required  pam_limits.so</tt>:
-<pre>session       required     pam_lastlog.so showfailed</pre>
+using <tt>pam_lastlog</tt>, add or correct the <tt>pam_lastlog</tt> settings in
+<tt>/etc/pam.d/postlogin</tt> to read as follows:
+<pre>session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session     [default=1]   pam_lastlog.so nowtmp showfailed
+session     optional      pam_lastlog.so silent noupdate showfailed</pre>
 </description>
 <ocil clause="that is not the case">
 To ensure that last logon/access notification is configured correctly, run
 the following command:
-<pre>$ grep pam_lastlog.so /etc/pam.d/system-auth</pre>
+<pre>$ grep pam_lastlog.so /etc/pam.d/postlogin</pre>
 The output should show output <tt>showfailed</tt>.
 </ocil>
 <rationale>
diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
index 9e54a00af4e..ab660afa8b3 100644
--- a/RHEL/7/input/system/accounts/pam.xml
+++ b/RHEL/7/input/system/accounts/pam.xml
@@ -59,13 +59,16 @@ frequently.</description>
 <Rule id="display_login_attempts">
 <title>Set Last Logon/Access Notification</title>
 <description>To configure the system to notify users of last logon/access
-using <tt>pam_lastlog</tt>, add the following line immediately after <tt>session  required  pam_limits.so</tt>:
-<pre>session       required     pam_lastlog.so showfailed</pre>
+using <tt>pam_lastlog</tt>, add or correct the <tt>pam_lastlog</tt> settings in
+<tt>/etc/pam.d/postlogin</tt> to read as follows:
+<pre>session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session     [default=1]   pam_lastlog.so nowtmp showfailed
+session     optional      pam_lastlog.so silent noupdate showfailed</pre>
 </description>
 <ocil clause="that is not the case">
 To ensure that last logon/access notification is configured correctly, run
 the following command:
-<pre>$ grep pam_lastlog.so /etc/pam.d/system-auth</pre>
+<pre>$ grep pam_lastlog.so /etc/pam.d/postlogin</pre>
 The output should show output <tt>showfailed</tt>.
 </ocil>
 <rationale>

From 28c5758bb5e7a89f669fbf46260d0f80c77c0950 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Thu, 11 Jun 2015 14:26:28 +0200
Subject: [PATCH 2/2] [Enhancement] [RHEL/7] [Fedora] Add /shared version of
 'display_login_attempts' OVAL check for RHEL-7 and Fedora products

Testing report:
---------------
Verified manually on both products the proposed OVAL works fine
(=> added test attestations for RHEL-7 && Fedora 20)
---
 Fedora/input/profiles/common.xml       |  1 +
 Fedora/input/system/accounts/pam.xml   |  2 +-
 RHEL/7/input/profiles/pci-dss.xml      |  2 +-
 shared/oval/display_login_attempts.xml | 31 ++++++++++++++++++++++++++
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 shared/oval/display_login_attempts.xml

diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index 61c7575ea44..c7f5bf3319f 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
@@ -28,6 +28,7 @@
     <!-- <select idref="root_path_default" selected="true"/> -->
     <!-- Verify Proper Storage and Existence of Password Hashes section rules -->
     <select idref="no_empty_passwords" selected="true"/>
+    <select idref="display_login_attempts" selected="true"/>
     <select idref="no_hashes_outside_shadow" selected="true"/>
     <!-- <select idref="gid_passwd_group_same" selected="true"/> -->
     <select idref="no_netrc_files" selected="true"/>
diff --git a/Fedora/input/system/accounts/pam.xml b/Fedora/input/system/accounts/pam.xml
index b78c91d9c22..00f0a6a0b1f 100644
--- a/Fedora/input/system/accounts/pam.xml
+++ b/Fedora/input/system/accounts/pam.xml
@@ -77,7 +77,7 @@ of unsuccessful attempts that were made to login to their account
 allows the user to determine if any unauthorized activity has occurred
 and gives them an opportunity to notify administrators.
 </rationale>
-<!--oval id="display_login_attempts" /-->
+<oval id="display_login_attempts" />
 <ref disa="53" />
 </Rule>
 
diff --git a/RHEL/7/input/profiles/pci-dss.xml b/RHEL/7/input/profiles/pci-dss.xml
index bc1d986eec7..d896ff899f7 100644
--- a/RHEL/7/input/profiles/pci-dss.xml
+++ b/RHEL/7/input/profiles/pci-dss.xml
@@ -73,7 +73,7 @@
 <!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
 <select idref="accounts_password_all_shadowed" selected="true"/>
 <select idref="no_empty_passwords" selected="true"/>
-<!-- <select idref="display_login_attempts" selected="true"/> reason: needs to be ported to RHEL-7 -->
+<select idref="display_login_attempts" selected="true"/>
 <select idref="account_disable_post_pw_expiration" selected="true"/>
 <select idref="accounts_passwords_pam_faillock_deny" selected="true"/>
 <select idref="accounts_passwords_pam_faillock_unlock_time" selected="true"/>
diff --git a/shared/oval/display_login_attempts.xml b/shared/oval/display_login_attempts.xml
new file mode 100644
index 00000000000..fe64a49218b
--- /dev/null
+++ b/shared/oval/display_login_attempts.xml
@@ -0,0 +1,31 @@
+<def-group>
+  <definition class="compliance" id="display_login_attempts" version="1">
+    <metadata>
+      <title>Set Last Login/Access Notification</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>Configure the system to notify users of last login/access using pam_lastlog.</description>
+      <reference source="JL" ref_id="RHEL7_20150611" ref_url="test_attestation" />
+      <reference source="JL" ref_id="FEDORA20_20150611" ref_url="test_attestation" />
+    </metadata>
+    <criteria>
+      <criterion comment="Conditions for pam_lastlog are satisfied" test_ref="test_display_login_attempts" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" comment="Check the pam_lastlog configuration of /etc/pam.d/postlogin" id="test_display_login_attempts" version="1">
+    <ind:object object_ref="obj_display_login_attempts" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_display_login_attempts" version="1">
+    <!-- Read whole /etc/pam.d/postlogin as single line so we can verify form
+         of both pam_lastlog.so rows and their order -->
+    <ind:behaviors singleline="true" />
+    <ind:filepath>/etc/pam.d/postlogin</ind:filepath>
+    <ind:pattern operation="pattern match">[\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n]</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>