I'm sorry if this is the wrong venue for this question, but I thought it was worth a shot. I was recently using scap-workbench on RHEL7 to secure the system. After applying the fix for CCE-27291-4 (add 'session required pam_lastlog.so showfailed') to /etc/pam.d/system-auth, scap-workbench immediately begins throwing an error when attempting to scan the system: "ERROR: pkexec.c:142:pam_conversation_function code should not be reached"
Any thoughts? I assume the issue is generally with PAM and extends beyond scap-workbench. However, since that is the only evidence I've seen of an issue I thought I'd start with the SCAP group.
Thanks,
-Les Kimmel
Hello Lesley,
thank you for your report.
----- Original Message -----
From: "Lesley Kimmel" ljkimmel99@hotmail.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Wednesday, June 10, 2015 2:33:32 PM
Subject: RHEL7 Scap-workbench issue
I'm sorry if this is the wrong venue for this question, but I thought it was worth a shot. I was recently using scap-workbench on RHEL7 to secure the system. After applying the fix for CCE-27291-4 (add 'session required pam_lastlog.so showfailed') to /etc/pam.d/system-auth, scap-workbench immediately begins throwing an error when attempting to scan the system: "ERROR: pkexec.c:142:pam_conversation_function code should not be reached"
I can reproduce the issue you are experiencing. That error / warning message is a result of an invalid PAM /etc/pam.d/system-auth configuration. I have checked the recommendation with PAM developers, and the conclusion is that on RHEL-7 and Fedora systems the setting shouldn't be applied to the /etc/pam.d/system-auth file, but rather to the /etc/pam.d/postlogin PAM file.
I will submit a PR changing the OVAL check && XCCDF recommendation for RHEL-7 and Fedora products (so future SSG versions aren't prone to this bug).
Thank you again for your report!
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Any thoughts? I assume the issue is generally with PAM and extends beyond scap-workbench. However, since that is the only evidence I've seen of an issue I thought I'd start with the SCAP group.
Thanks,
-Les Kimmel
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
----- Original Message -----
From: "Jan Lieskovsky" jlieskov@redhat.com
To: "Lesley Kimmel" ljkimmel99@hotmail.com
Cc: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, June 11, 2015 10:41:19 AM
Subject: Re: RHEL7 Scap-workbench issue
JFYI, the corresponding PR which should fix this issue is here: [1] https://github.com/OpenSCAP/scap-security-guide/pull/577
Review appreciated.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
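A placement check for the recommendation discussed in this thread, as an added example that is not part of any message or of the SCAP Security Guide project: it reports whether an active session line for pam_lastlog.so with showfailed sits in system-auth (the placement the thread identifies as invalid on RHEL-7 and Fedora) or in postlogin. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the active "session ... pam_lastlog.so showfailed" line.

# has_lastlog_showfailed FILE: exit 0 if FILE holds an active session line
# for pam_lastlog.so carrying the showfailed option.
has_lastlog_showfailed() {
    [ -r "$1" ] || return 1
    awk '
        {
            line = $0
            sub(/#.*/, "", line)               # drop comments
            gsub(/\[[^]]*\]/, "CTRL", line)    # collapse [value=action ...] controls
            n = split(line, f)                 # type control module args...
            if (n < 3) next
            type = f[1]; sub(/^-/, "", type)   # "-session" is still a session line
            mod = f[3];  sub(/^.*\//, "", mod) # tolerate an absolute module path
            if (type != "session" || mod != "pam_lastlog.so") next
            for (i = 4; i <= n; i++) if (f[i] == "showfailed") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_lastlog_placement [DIR]: prints misplaced | ok | missing
check_lastlog_placement() {
    dir=${1:-/etc/pam.d}
    if has_lastlog_showfailed "$dir/system-auth"; then
        echo misplaced      # the configuration the thread reports as invalid
    elif has_lastlog_showfailed "$dir/postlogin"; then
        echo ok             # placement recommended in the thread
    else
        echo missing
    fi
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf 'session required pam_unix.so\nsession required pam_lastlog.so showfailed\n' > "$demo/system-auth"
printf 'session [default=1] pam_lastlog.so nowtmp showfailed\n' > "$demo/postlogin"
check_lastlog_placement "$demo"    # misplaced
rm -rf "$demo"
```

Called without an argument, check_lastlog_placement reads /etc/pam.d; it only reads files and changes nothing.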