
Rule accounts_password_pam_retry fails #10665

Closed
jan-cerny opened this issue May 31, 2023 · 4 comments
@jan-cerny
Collaborator

jan-cerny commented May 31, 2023

Description of problem:

I perform a manual install of a RHEL 8.9 or 9.3 VM with the STIG profile with the latest upstream content. After first boot I perform a scan, but the rule xccdf_org.ssgproject.content_rule_accounts_password_pam_retry fails unexpectedly.

See the HTML report and ARF in the attachment:
stig.zip

This problem has been discovered by the Profile remediation in Anaconda downstream test.

SCAP Security Guide Version:

current upstream master branch as of 2023-05-29 as of HEAD 47955e5

Operating System Version:

RHEL 8.9, RHEL 9.3

Steps to Reproduce:

  1. Install RHEL 8.9 or 9.3 virtual machine, minimal installation, from ISO, manually, using graphical anaconda installation, with the STIG profile from a ssg-rhel8-ds.xml or ssg-rhel9-ds.xml served via HTTP server.
  2. After first boot, copy ssg-rhel8-ds.xml (ssg-rhel9-ds.xml) to the VM and run sudo oscap xccdf eval --report stig_final.html --results-arf stig_final.xml --profile stig ./ssg-rhel8-ds.xml (./ssg-rhel9-ds.xml)

Actual Results:

rule xccdf_org.ssgproject.content_rule_accounts_password_pam_retry fails

Expected Results:

rule xccdf_org.ssgproject.content_rule_accounts_password_pam_retry passes

Additional Information/Debugging Steps:

no

@jan-cerny jan-cerny added productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. RHEL8 Red Hat Enterprise Linux 8 product related. labels May 31, 2023
@jan-cerny
Collaborator Author

I have extended the description. Originally, this ticket was about RHEL 9 but I have found that the same problem occurs also on RHEL 8.

@marcusburghardt marcusburghardt self-assigned this Jun 6, 2023
@marcusburghardt
Member

I just finished some tests where I tried to reproduce this issue.
In a minimal installation, the retry option is configured out-of-box in PAM files:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

So the check passes and the remediation for the accounts_password_pam_retry rule is not executed.

However, other PAM-related rules do not pass and need to be remediated.
All PAM-related remediations are already aligned to authselect. So, an authselect profile is selected and PAM files are linked to an authselect profile, which already uses newer approaches to configure PAM modules.
For example, in case of pam_pwquality.so, the module options should be configured in the /etc/security/pwquality.conf file instead of PAM files directly.

In other installations different than minimal, authselect is used by default and the initial check does not pass for accounts_password_pam_retry rule since the retry option is not enabled by default in /etc/security/pwquality.conf file. It triggers the remediation and everything is fine.

This is a specific and "known" case for minimal installation. In this case, executing another round of check and remediation right after the installation is already enough to properly remediate the system and allow the accounts_password_pam_retry rule to pass.

I don't think this is a productization issue and we currently don't have a solution for this. This was already reported in this issue: OpenSCAP/openscap#1880

@jan-cerny and @mildas , do you agree to close this issue?
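
The sequence described in the comment above, as an added example (not part of the issue thread or the project's content): a shell check that reports whether `retry` is set on the pam_pwquality.so line in the PAM files or in /etc/security/pwquality.conf. The PAM file names system-auth and password-auth, the function names, and the sample files for states 2 and 3 are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report where pam_pwquality's "retry" option is configured.
# Assumption: the PAM files inspected are system-auth and password-auth.

# Print N from "retry=N" on a "password ... pam_pwquality.so" line of a PAM file.
pam_retry() {
    [ -r "$1" ] || return 0
    sed -n -E '/^[[:space:]]*password[[:space:]].*pam_pwquality\.so/ s/.*[[:space:]]retry=([0-9]+).*/\1/p' "$1" | head -n 1
}

# Print N from an uncommented "retry = N" line of pwquality.conf.
conf_retry() {
    [ -r "$1" ] || return 0
    sed -n -E 's/^[[:space:]]*retry[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' "$1" | head -n 1
}

# retry_source ROOT prints "pam=N", "pwquality.conf=N", "both" or "none".
# The body is a subshell, so its variables stay local.
retry_source() (
    root="${1%/}"; pam=""
    for f in system-auth password-auth; do
        v="$(pam_retry "$root/etc/pam.d/$f")"
        if [ -n "$v" ]; then pam="$v"; fi
    done
    conf="$(conf_retry "$root/etc/security/pwquality.conf")"
    if [ -n "$pam" ] && [ -n "$conf" ]; then echo "both"
    elif [ -n "$pam" ]; then echo "pam=$pam"
    elif [ -n "$conf" ]; then echo "pwquality.conf=$conf"
    else echo "none"; fi
)

# Walk a throwaway tree through the three states; files are constructed samples.
demo() (
    root="$(mktemp -d)"
    mkdir -p "$root/etc/pam.d" "$root/etc/security"
    # State 1: fresh minimal install, PAM line as quoted in the comment.
    echo 'password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=' > "$root/etc/pam.d/system-auth"
    echo '# retry = 3' > "$root/etc/security/pwquality.conf"
    s1="$(retry_source "$root")"
    # State 2 (assumed): PAM file now comes from a profile, without retry=.
    echo 'password requisite pam_pwquality.so local_users_only' > "$root/etc/pam.d/system-auth"
    s2="$(retry_source "$root")"
    # State 3 (assumed): a second remediation pass writes pwquality.conf.
    echo 'retry = 3' >> "$root/etc/security/pwquality.conf"
    s3="$(retry_source "$root")"
    rm -rf "$root"
    echo "$s1 $s2 $s3"
)

demo   # prints: pam=3 none pwquality.conf=3
```

On a live system, `retry_source /` run before and after each scan-and-remediate round shows which of the three states the host is in.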

@jan-cerny
Collaborator Author

@marcusburghardt Thanks for the great investigation. I can see that this is the type of problem where we need to run scan and remediation twice. I agree with closing.

@mildas
Contributor

mildas commented Jun 13, 2023

@marcusburghardt Thanks for the investigation. I also agree with closing.

@mildas mildas closed this as completed Jun 13, 2023