
pam_unix.so remember flag in section 5.5.3 and 5.5.4 #232

Closed
nrg-fv opened this issue Oct 26, 2022 · 3 comments
Labels
bug Something isn't working

Comments


nrg-fv commented Oct 26, 2022

Describe the Issue
Sections 5.5.3 and 5.5.4 modify lines in /etc/pam.d/system-auth and /etc/pam.d/password-auth for the pam_unix.so module and add the remember flag at the end of the line:

replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel8cis_pam_faillock.remember }}'

The remember flag shouldn't be used with the pam_unix.so module, as it causes issues with saving new passwords according to its man page:

remember=n
The last n passwords for each user are saved in /etc/security/opasswd in order to force password
change history and keep the user from alternating between the same password too frequently. The MD5
password hash algorithm is used for storing the old passwords. Instead of this option the
pam_pwhistory module should be used.

When the remember option is added, it causes the following behavior if we also use a forced password change for a user.

The user tries to log into the server and, after providing its password, is immediately asked to change it; but after providing the new password we get the message "Authentication token manipulation error", the user is unable to log in to the server, and its password is not changed. I did a test without forcing the user's password to expire, and changing its password with passwd also doesn't work.

This is part of audit.log when this happens:

type=USER_AUTH msg=audit(1666610376.404:290): pid=2074 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="test_user" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1666610376.407:291): pid=2074 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="test_user" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=failed'UID="root" AUID="unset"
type=USER_CHAUTHTOK msg=audit(1666610404.127:292): pid=2074 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:chauthtok grantors=? acct="test_user" exe="/usr/bin/login" hostname=localhost.localdomain addr=? terminal=tty1 res=failed'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1666610411.621:293): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1666610411.622:294): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1666610411.622:295): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1666610411.624:296): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=getty@tty1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

and messages log

Oct 24 09:00:33 localhost login[10226]: pam_unix(login:account): expired password for user test_user (root enforced)
Oct 24 09:00:33 localhost login[10226]: pam_pwhistory(login:chauthtok): pam_pwhistory: unknown option: local_users_only
Oct 24 09:01:12 localhost login[10226]: pam_pwhistory(login:chauthtok): pam_pwhistory: unknown option: local_users_only
Oct 24 09:01:12 localhost login[10226]: pam_unix(login:chauthtok): can't open /etc/security/opasswd file to check old passwords
Oct 24 09:01:12 localhost login[10226]: pam_unix(login:chauthtok): new password not acceptable
Oct 24 09:01:15 localhost login[10226]: Authentication token manipulation error

Please note "pam_pwhistory: unknown option: local_users_only": this flag is also set in 5.5.3 and should be reviewed.

Environment (please complete the following information):

  • Ansible Version: 2.12.2
  • Host Python Version: 3.6.8
  • Ansible Server Python Version: 3.8.12
  • Using branch: main

Possible Solution
As per Red Hat's recommendation, the remember flag should only be used with the pam_pwhistory module and not pam_unix.so; there is apparently a known issue with this and SELinux, and there is no solution with pam_unix.
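The following is an added example, not part of the original issue or the role's code: a small audit script that parses the `password` stack of a PAM service file and flags the two misconfigurations reported above (a `remember=` argument on `pam_unix.so`, and `local_users_only` passed to `pam_pwhistory.so`). The two embedded config snippets are constructed samples that mirror the broken and the corrected form; the corrected form assumes that password history is kept by `pam_pwhistory.so` alone, which is what the Red Hat recommendation quoted in the issue calls for.

```python
import re
import shlex

# Constructed sample of the problematic configuration described in the issue:
# remember= sits on pam_unix.so, and pam_pwhistory.so is given local_users_only.
BROKEN_SYSTEM_AUTH = """\
# constructed sample, not the real role output
password    requisite     pam_pwquality.so try_first_pass retry=3
password    requisite     pam_pwhistory.so use_authtok local_users_only remember=5
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so
"""

# Constructed sample of the corrected form (assumption: history is handled only by
# pam_pwhistory.so, so pam_unix.so carries no remember= and pam_pwhistory.so has no
# unknown options).
FIXED_SYSTEM_AUTH = """\
password    requisite     pam_pwquality.so try_first_pass retry=3
password    requisite     pam_pwhistory.so use_authtok remember=5
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
"""

# A pam.d rule is: <type> <control> <module> [args...]; the control field may be a
# single keyword (required, sufficient, ...) or a bracketed list like [success=1 default=ignore].
_RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)


def parse_pam(text):
    """Return (type, control, module, [args]) for every active rule line in a pam.d file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments run from '#' to end of line
        if not line:
            continue
        match = _RULE_RE.match(line)
        if not match:
            continue  # tolerate lines we do not understand rather than abort the audit
        args = shlex.split(match.group("args"))
        rules.append((match.group("type"), match.group("control"), match.group("module"), args))
    return rules


def audit_password_stack(text):
    """Return a list of finding strings for the password stack of one pam.d file."""
    findings = []
    for mtype, _control, module, args in parse_pam(text):
        if mtype != "password":
            continue
        name = module.rsplit("/", 1)[-1]  # modules may be given with a full path
        if name == "pam_unix.so":
            for arg in args:
                if arg.startswith("remember="):
                    findings.append(
                        "pam_unix.so carries %s: history must be kept by pam_pwhistory.so instead" % arg
                    )
        elif name == "pam_pwhistory.so" and "local_users_only" in args:
            findings.append("pam_pwhistory.so is given local_users_only, which it does not recognise")
    return findings


def audit_file(path):
    """Convenience wrapper for a real system: audit_file('/etc/pam.d/system-auth')."""
    with open(path, encoding="utf-8") as handle:
        return audit_password_stack(handle.read())


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SYSTEM_AUTH), ("fixed", FIXED_SYSTEM_AUTH)):
        print(label, "->", audit_password_stack(sample) or ["no findings"])
```

Run it against `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` with `audit_file()`; a clean result from both files is the precondition for the forced-password-change flow in the issue to complete without "Authentication token manipulation error".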

@nrg-fv nrg-fv added the bug Something isn't working label Oct 26, 2022
@georgenalen (Contributor) commented:

@nrg-fv,
This is a great find and thanks a ton for the supporting documentation on why it's an issue. I think this is an oversight on the CIS benchmarks themselves and the work you posted here will be great to use for a reason we aren't following the CIS benchmark on this task. We will get this one addressed quickly. Thanks again for raising it!

-George

georgenalen added a commit that referenced this issue Nov 21, 2022
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
@georgenalen (Contributor) commented:

@nrg-fv,
I'm working to have something updated for a release by mid-week this week and this will make it into that release. Thanks again for pointing that out. I checked the online man page for pam_unix.so and it doesn't have the note about only using remember with pam_pwhistory. Where did you find that man page? If it's online I would like to have that link in the comments.

-George


nrg-fv commented Nov 21, 2022

@georgenalen
I also couldn't find this online, but it's included in the man page for the pam_unix(8) module in RHEL 8, and this is where I got it from.

uk-bolly pushed a commit that referenced this issue Feb 1, 2023
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>