ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

0.1.64 - RHEL AWS image - Sudo as `root` breaks #9671

Closed jseiser closed 1 year ago

jseiser commented 2 years ago

Description of problem:

Running sudo as the root user breaks with this error when using the official Red Hat 8.6 AMI in AWS.

sudo: Account or password is expired, reset your password and try again
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: unable to change expired password: Authentication token manipulation error

I understand that running sudo as root is pointless, but there are a few places in our automation where a script may include it, and now it's all dying.

SCAP Security Guide Version:

Operating System Version:

Red Hat 8.6

Steps to Reproduce:

  1. Deploy Red Hat 8.6 AMI in AWS
  2. sudo su - root
  3. sudo dnf update

Actual Results:

sudo: Account or password is expired, reset your password and try again
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: unable to change expired password: Authentication token manipulation error

Expected Results:

sudo works.

Additional Information/Debugging Steps:

This broke when re-creating AMIs from 0.1.63 to 0.1.64, so I'm sure it's related to some of these incoming PAM changes, but since the Red Hat image ships with an already expired root PW (expired in 2020) I was hoping for some guidance on which STIG I can disable, or possibly shim around.

Thanks.
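The `Account or password is expired` message comes from sudo's PAM account check, which in turn depends on the ageing fields in `/etc/shadow`. The script below is an added example, not code from the issue or from the ComplianceAsCode project: it parses shadow-format records and classifies each account with a simplified model of the pam_unix ageing arithmetic (account expiry date, `lastchange == 0`, inactive period, maximum age), so an image can be audited for an already-expired root password before a hardening profile is applied. The shadow lines and the reference date are constructed sample data, and the field names and function names are this example's own.

```python
"""Audit /etc/shadow-style records for expired passwords or accounts.

Added example for the issue above, not part of ComplianceAsCode. The
checks mirror pam_unix's ageing logic in simplified form; consult the
pam_unix source for the authoritative rules. All sample data is constructed.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample records (field layout as in shadow(5)):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:!!:18262:0:90:7:::
svc:$6$constructedhash:19000:1:60:7:30::
olduser:$6$constructedhash:18000:0:99999:7::18500:
fresh:$6$constructedhash:19200:0:99999:7:::
newacct:$6$constructedhash:0:0:99999:7:::
"""

# Constructed reference date for the examples (2022-09-01 = day 19236).
TODAY = date(2022, 9, 1)


def days_since_epoch(d):
    """Shadow ageing fields count days since 1970-01-01."""
    return (d - EPOCH).days


def parse_shadow(text):
    """Return {user: fields}; numeric fields become int or None when empty."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError(f"malformed shadow line: {line!r}")

        def num(i):
            return int(f[i]) if f[i] else None

        records[f[0]] = {
            "hash": f[1],
            "lastchange": num(2),
            "min": num(3),
            "max": num(4),
            "warn": num(5),
            "inactive": num(6),
            "expire": num(7),
        }
    return records


def account_status(rec, today):
    """Classify one record: 'ok', 'account-expired', 'must-change',
    'password-inactive' or 'password-expired' (simplified pam_unix order)."""
    now = days_since_epoch(today)
    lastchange, maxdays = rec["lastchange"], rec["max"]
    inactive, expire = rec["inactive"], rec["expire"]

    # Absolute account expiry date (field 8) reached: account disabled.
    if expire is not None and expire > 0 and now >= expire:
        return "account-expired"
    # lastchange of 0 forces a password change at next login.
    if lastchange == 0:
        return "must-change"
    # Empty or negative max means ageing is disabled for this account.
    if lastchange is None or maxdays is None or maxdays < 0:
        return "ok"
    age = now - lastchange
    # Past max age AND past the inactivity grace period: fully expired.
    if inactive is not None and inactive >= 0 and age > maxdays + inactive:
        return "password-inactive"
    # Past max age: password must be reset (sudo reports this as
    # "Account or password is expired, reset your password and try again").
    if age > maxdays:
        return "password-expired"
    return "ok"


def audit(text, today):
    """Map every user in a shadow-format text to its ageing status."""
    return {user: account_status(rec, today) for user, rec in parse_shadow(text).items()}


def blocked_users(text, today):
    """Users that would fail a PAM account check on the given day."""
    return sorted(u for u, s in audit(text, today).items() if s != "ok")


if __name__ == "__main__":
    for user, status in audit(SAMPLE_SHADOW, TODAY).items():
        print(f"{user:10s} {status}")
```

On a live system the same information is shown by `chage -l root`; running the audit against a copy of the image's `/etc/shadow` before applying a profile that enforces password ageing shows whether the root password is already past its maximum age, which is the condition that turns every `sudo` as root into the error quoted in the issue.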

marcusburghardt commented 1 year ago

The description does not say which benchmark was used to harden the system, but many benchmarks have requirements to enforce password expiration. Once this requirement is configured, it is the admin's task to ensure the passwords are updated.

Maybe you can create a tailoring file excluding the rules which configure this requirement. These should be the relevant rules, depending on the benchmark you are using: