Rule accounts_password_pam_retry fails after kickstart installation #12277

Closed
jan-cerny opened this issue Aug 7, 2024 · 1 comment · Fixed by #13144
@jan-cerny
Collaborator

Description of problem:

Rule accounts_password_pam_retry fails after kickstart installation of RHEL 9.4 with the STIG profile and various other profiles.

SCAP Security Guide Version:

Current upstream master branch as of 2024-08-07, at HEAD 42c8206

Operating System Version:

RHEL 9.4

Steps to Reproduce:

  1. build rhel9
  2. generate kickstart using oscap xccdf generate fix --fix-type kickstart (using openscap-1.4.0)
  3. use the generated kickstart for operating system installation of RHEL 9.4
  4. on the installed machine run oscap xccdf eval --profile stig --results-arf arf.xml /usr/share/xml/scap/ssg-rhel9-ds.xml.

Actual Results:

accounts_password_pam_retry: fail

Expected Results:

accounts_password_pam_retry: pass

Additional Information/Debugging Steps:

The rule passes in the scan in the Anaconda post-installation phase. That means the remediation isn't executed. However, the rule then fails in the scan after installation. It may be that another rule is in conflict with it.

The remediation for a different rule, xccdf_org.ssgproject.content_rule_enable_authselect, produces this string in the report:

[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/fingerprint-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/smartcard-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/postlogin] exists but it needs to be overwritten!
[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!
[error] File that needs to be overwritten was found
[error] Refusing to activate profile unless this file is removed or overwrite is requested.

Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.
Backup stored at /var/lib/authselect/backups/2024-08-07-08-55-13.BluUNV
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

I think this message is suspicious because some of the files that need to be "overwritten" are those that are checked by rule accounts_password_pam_retry.
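
A triage helper for the suspicion above, added here as an example and not part of the issue or the project's code: it lists the files authselect refused to overwrite and reports the `retry=` value found on the `pam_pwquality.so` line of each. That the rule inspects this option in these PAM files, the `max_retry=3` threshold, and the sample PAM content are all assumptions.

```python
import re

# authselect's refusal line, in the form quoted in the issue above.
REFUSED = re.compile(r"\[error\] File \[([^\]]+)\] exists but it needs to be overwritten!")

def refused_files(log):
    """Paths authselect refused to overwrite, in log order."""
    return [m.group(1) for m in map(REFUSED.fullmatch, map(str.strip, log.splitlines())) if m]

def pwquality_retry(pam_text):
    """retry= value on the active 'password' line loading pam_pwquality.so, else None."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens or tokens[0].lstrip("-") != "password":
            continue
        for i, tok in enumerate(tokens):
            if tok.endswith("pam_pwquality.so"):
                for arg in tokens[i + 1:]:
                    if arg.startswith("retry=") and arg[6:].isdigit():
                        return int(arg[6:])
                return None  # module is loaded but retry is not set on the line
    return None

def triage(log, pam_files, max_retry=3):
    """Map each refused file we have content for to 'ok' or a 'suspect' note.
    max_retry=3 is an assumed threshold, not a value taken from the issue."""
    report = {}
    for path in refused_files(log):
        if path in pam_files:
            retry = pwquality_retry(pam_files[path])
            ok = retry is not None and 1 <= retry <= max_retry
            report[path] = "ok" if ok else f"suspect (retry={retry})"
    return report

# Three of the lines quoted in the issue, plus one line that must not match.
SAMPLE_LOG = """\
[error] File [/etc/pam.d/system-auth] exists but it needs to be overwritten!
[error] File [/etc/pam.d/password-auth] exists but it needs to be overwritten!
[error] File [/etc/nsswitch.conf] exists but it needs to be overwritten!
[error] File that needs to be overwritten was found
"""
# Constructed PAM content for illustration; not taken from the affected machine.
SAMPLE_PAM = {
    "/etc/pam.d/system-auth": "password requisite pam_pwquality.so local_users_only\n",
    "/etc/pam.d/password-auth": "password requisite pam_pwquality.so local_users_only retry=3\n",
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG, SAMPLE_PAM).items():
        print(path, verdict)
```

On an installed machine, pass the remediation output from the report as `log` and the real contents of the PAM files as `pam_files`.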

@comps comps added the RHEL Red Hat Enterprise Linux product related. label Oct 17, 2024
@Mab879 Mab879 added productization-issue Issue found in upstream stabilization process. triaged labels Feb 13, 2025
@jan-cerny jan-cerny self-assigned this Mar 5, 2025
@jan-cerny
Collaborator Author

/packit build
