Hi Nathaniel,

If you truly believe that this is an issue, then I suggest you create a new issue under [0], which is the project to track issues on scap-security-guide.

And if it's possible, try to add more information on which version you are using and which rule you are checking.

I believe the rule you are checking is part of [1]; please try to identify which one it is.

There, people can start collaborating on identifying exactly what the issue is and start working on it.

Regards.

[0] https://github.com/ComplianceAsCode/content/issues/new
[1] https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/system/accounts/accounts-pam

On Fri, Oct 11, 2019 at 10:53 PM Wallwork, Nathaniel <nwallwo@sandia.gov> wrote:

The PAM stack is modified, adding lines for pam_faillock.so.

The authfail line is inserted “after pam_unix.so”. When there are alternative authentication methods (ex: pam_krb5.so or pam_sssd.so), this breaks them.

It would be better to add this line “before pam_deny.so” instead. This would still have the desired effect, without breaking alternative authentication methods.

What’s the best path to get this change made?

Thanks.


_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org


--

Gabriel Gaspar Becker

Software Engineer

Red Hat
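
An added example, not part of the original thread or of the scap-security-guide content: a small Python check for the ordering problem described in the quoted message, reporting which auth modules sit behind the pam_faillock.so authfail line. The two sample stacks are constructed, and the `[default=die]` control on the authfail line is an assumption the message does not state.

```python
import re

# Constructed sample stacks (not from the original thread). The [default=die]
# control on the authfail line is an assumption; the post does not quote it.
AFTER_UNIX = """\
auth required pam_env.so
auth required pam_faillock.so preauth silent
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""

BEFORE_DENY = """\
auth required pam_env.so
auth required pam_faillock.so preauth silent
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth [default=die] pam_faillock.so authfail
auth required pam_deny.so
"""

# type, control (simple keyword or [bracketed] form), module, arguments
LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Return (control, module, args) for every 'auth' line, in file order."""
    rules = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # drop trailing comments
        if m and m.group(1).lstrip("-") == "auth":
            rules.append((m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules

def shadowed_by_authfail(text):
    """Modules listed after a stack-terminating authfail line, before pam_deny.so."""
    rules = parse_auth(text)
    for i, (control, module, args) in enumerate(rules):
        terminating = control == "requisite" or "die" in control
        if module == "pam_faillock.so" and "authfail" in args and terminating:
            tail = [m for _, m, _ in rules[i + 1:]]
            if "pam_deny.so" in tail:
                tail = tail[:tail.index("pam_deny.so")]
            return [m for m in tail if m != "pam_faillock.so"]
    return []
```

A non-empty result names the modules that are never consulted once pam_unix.so fails, which is the breakage the message describes; the "before pam_deny.so" layout returns an empty list.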