RHEL-08-020025 and RHEL-08-020026 - The "preauth" line is NOT listed before pam_unix.so #148

Closed
jmalpede opened this issue Dec 9, 2022 · 2 comments
Labels
bug Something isn't working

jmalpede commented Dec 9, 2022

Issue: The pam_faillock.so module is present in the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files, but the "preauth" line is NOT listed before pam_unix.so; this is a finding.
Vul ID: V-244533 Rule ID: SV-244533r743848_rule STIG ID: RHEL-08-020025
Vul ID: V-244534 Rule ID: SV-244534r743851_rule STIG ID: RHEL-08-020026

Solution: Move the "auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0" to the second line right below "auth required pam_env.so".

This can probably be achieved by changing RHEL-08-020025 and RHEL-08-020026 in fix-cat2.yml from insertafter: '^auth' to insertafter: '^auth\s+required\s+pam_env.so'. For some reason I had to use sed to delete the entry, then add it back into the file.
Example:
Delete command: sed -i -r '/^auth\s+required\s+pam_faillock.so\s+preauth/d' /etc/authselect/password-auth
Insert command: sed -i -r '/^auth\s+required\s+pam_env.so.*/a auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0' /etc/authselect/password-auth
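
A read-only check for the ordering this issue describes, added here as an example (it is not part of the original post or the project's code): it reports whether the pam_faillock.so preauth line precedes pam_unix.so in a file's auth stack. The function name, the return codes and the two sample stacks are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: is the pam_faillock.so preauth line listed before pam_unix.so?
# Return codes are this example's own convention:
#   0 = preauth is listed before pam_unix.so
#   1 = preauth is listed after pam_unix.so (the finding reported above)
#   2 = no pam_faillock.so preauth line in the auth stack
#   3 = no pam_unix.so line in the auth stack, or file unreadable
check_faillock_order() {
    [ -r "$1" ] || return 3
    awk '
    {
        sub(/#.*/, "")                      # drop comments
        sub(/\[[^]]*\]/, "CTRL")            # collapse bracketed controls to one field
        type = $1; sub(/^-/, "", type)      # a leading dash marks an optional module
        if (type != "auth") next
        mod = $3; sub(/^.*\//, "", mod)     # tolerate absolute module paths
        if (mod == "pam_unix.so" && !unix_ln) unix_ln = NR
        if (mod == "pam_faillock.so" && !pre_ln)
            for (i = 4; i <= NF; i++) if ($i == "preauth") pre_ln = NR
    }
    END {
        if (!unix_ln) exit 3
        if (!pre_ln)  exit 2
        exit ((pre_ln < unix_ln) ? 0 : 1)
    }' "$1"
}

# Constructed sample stacks (not taken from a real host): "finding" has the
# preauth line after pam_unix.so, "fixed" has it right below pam_env.so.
SAMPLES=$(mktemp -d) && trap 'rm -rf "$SAMPLES"' EXIT
FL='auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0'
printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_unix.so try_first_pass' \
    "$FL" 'auth required pam_deny.so' > "$SAMPLES/finding"
printf '%s\n' 'auth required pam_env.so' "$FL" \
    'auth sufficient pam_unix.so try_first_pass' 'auth required pam_deny.so' > "$SAMPLES/fixed"

for f in finding fixed; do
    rc=0; check_faillock_order "$SAMPLES/$f" || rc=$?
    echo "$f: rc=$rc"
done
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, since the two STIG IDs cover one file each.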

jmalpede added the bug label Dec 9, 2022
georgenalen added a commit that referenced this issue Dec 12, 2022
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
@jmalpede

Thanks for addressing this issue. I saw the update to RHEL-08-020025, but did not see the change for RHEL-08-020026 (password-auth) in the pull requests. (I might be missing it somewhere, but wanted to check.)
I really appreciate all the work you guys put into this tool.
Thanks again.

@georgenalen

Addressed in release 2.7.0
