Open wdower opened 2 years ago
If you use `match_pam_rule` with `all_with_X_args` on a module that is not actually defined in a rule, it will return a false-positive `true`.
Ex.
```text
$> inspec exec ~/work/simp/inspec-profile-disa_stig-el7 --controls=V-71945 -t ssh://vagrant@127.0.0.1:2222 -i .kitchen/kitchen-vagrant/vanilla-rhel-7/.vagrant/machines/default/virtualbox/private_key --sudo

Profile: DISA RedHat Enterprise Linux 7 STIG - v1r4 (disa_stig-el7)
Version: 0.2.0
Target:  ssh://vagrant@127.0.0.1:2222

  ×  V-71945: If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked. (2 failed)
     ×  PAM Config[/etc/pam.d/password-auth] lines is expected to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
     expected "account required pam_unix.so\naccount sufficient pam_localuser.so\naccount sufficient pam_succeed_if...ession required pam_unix.so\nsession optional pam_keyinit.so revoke\nsession required pam_limits.so" to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
     Diff:
     @@ -1,4 +1,18 @@
     -auth required pam_faillock.so even_deny_root
     -auth sufficient pam_unix.so try_first_pass
     -auth [default=die] pam_faillock.so even_deny_root
     +account required pam_unix.so
     +account sufficient pam_localuser.so
     +account sufficient pam_succeed_if.so uid < 1000 quiet
     +account required pam_permit.so
     +auth required pam_deny.so
     +auth required pam_env.so
     +auth required pam_faildelay.so delay=2000000
     +auth sufficient pam_unix.so nullok try_first_pass
     +auth requisite pam_succeed_if.so uid >= 1000 quiet_success
     +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
     +password required pam_deny.so
     +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
     +-session optional pam_systemd.so
     +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
     +session required pam_unix.so
     +session optional pam_keyinit.so revoke
     +session required pam_limits.so
     ✔  PAM Config[/etc/pam.d/password-auth] lines is expected to include auth .* pam_faillock.so (preauth|authfail), all with args even_deny_root
     ×  PAM Config[/etc/pam.d/system-auth] lines is expected to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
     expected "account required pam_unix.so\naccount sufficient pam_localuser.so\naccount sufficient pam_succeed_if...ession required pam_unix.so\nsession optional pam_keyinit.so revoke\nsession required pam_limits.so" to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
     Diff:
     @@ -1,4 +1,18 @@
     -auth required pam_faillock.so even_deny_root
     -auth sufficient pam_unix.so try_first_pass
     -auth [default=die] pam_faillock.so even_deny_root
     +account required pam_unix.so
     +account sufficient pam_localuser.so
     +account sufficient pam_succeed_if.so uid < 1000 quiet
     +account required pam_permit.so
     +auth required pam_deny.so
     +auth required pam_env.so
     +auth required pam_faildelay.so delay=2000000
     +auth sufficient pam_unix.so nullok try_first_pass
     +auth requisite pam_succeed_if.so uid >= 1000 quiet_success
     +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
     +password required pam_deny.so
     +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
     +-session optional pam_systemd.so
     +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
     +session required pam_unix.so
     +session optional pam_keyinit.so revoke
     +session required pam_limits.so
     ✔  PAM Config[/etc/pam.d/system-auth] lines is expected to include auth .* pam_faillock.so (preauth|authfail), all with args even_deny_root

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 2 successful, 2 failures, 0 skipped
```
Note that the first check's fail diff shows that there is no PAM rule for the `pam_faillock.so` module, but the second check passes when it expects PAM lines "to include auth .* pam_faillock.so (preauth|authfail), all with args even_deny_root".
Tested using Vagrant's bento/centos-7 VM.
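The behaviour reported above is what you get when an "all with args" check is built on Ruby's `Array#all?`: on an empty array `all?` is true, so a module that appears in no rule trivially "has the argument on every rule". The following is an added example, not InSpec's or the SIMP profile's own code: a small stand-alone model of a PAM-rule matcher with a vacuous `all_with_args` next to a strict one that first requires at least one matching rule. The stock `password-auth` content is taken from the failure diff in the issue; the hardened and partial configurations, and every function name here, are constructed for the example.

```ruby
# Added example (not InSpec's own matcher): why "all with args" passes
# vacuously when the module is absent, and how to make it strict.

PamRule = Struct.new(:type, :control, :module_path, :args) do
  def to_s
    [type, control, module_path, *args].join(' ')
  end
end

# Parse "type control module args..." lines. A leading '-' on the type
# (e.g. "-session") means "ignore if the module is missing" and is stripped.
# Bracketed controls such as "[success=1 default=ignore]" stay one token.
def parse_pam(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    type, rest = line.split(/\s+/, 2)
    rest = rest.to_s
    if rest.start_with?('[')
      control, rest = rest.split(/(?<=\])\s+/, 2)
    else
      control, rest = rest.split(/\s+/, 2)
    end
    mod, *args = rest.to_s.split(/\s+/)
    PamRule.new(type.delete_prefix('-'), control, mod, args)
  end
end

# Rules whose full text matches the pattern (e.g. the issue's
# "auth .* pam_faillock.so (preauth|authfail)").
def rules_matching(rules, pattern)
  re = Regexp.new(pattern)
  rules.select { |r| re.match?(r.to_s) }
end

# Vacuous version: Array#all? on [] is true, so a module with no rules "passes".
def all_with_args_vacuous(rules, pattern, arg)
  rules_matching(rules, pattern).all? { |r| r.args.include?(arg) }
end

# Strict version: "all" only means something once at least one rule matched.
def all_with_args_strict(rules, pattern, arg)
  matched = rules_matching(rules, pattern)
  !matched.empty? && matched.all? { |r| r.args.include?(arg) }
end

def check(pam_text, pattern: 'auth .* pam_faillock.so (preauth|authfail)', arg: 'even_deny_root')
  rules = parse_pam(pam_text)
  { matched: rules_matching(rules, pattern).size,
    vacuous: all_with_args_vacuous(rules, pattern, arg),
    strict:  all_with_args_strict(rules, pattern, arg) }
end

# /etc/pam.d/password-auth exactly as shown in the issue's failure diff: no pam_faillock rule.
STOCK_PASSWORD_AUTH = <<~PAM
  account required pam_unix.so
  account sufficient pam_localuser.so
  account sufficient pam_succeed_if.so uid < 1000 quiet
  account required pam_permit.so
  auth required pam_deny.so
  auth required pam_env.so
  auth required pam_faildelay.so delay=2000000
  auth sufficient pam_unix.so nullok try_first_pass
  auth requisite pam_succeed_if.so uid >= 1000 quiet_success
  password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
  password required pam_deny.so
  password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
  -session optional pam_systemd.so
  session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session required pam_unix.so
  session optional pam_keyinit.so revoke
  session required pam_limits.so
PAM

# Constructed: faillock configured with even_deny_root on both auth rules.
HARDENED_PASSWORD_AUTH = <<~PAM
  auth required pam_env.so
  auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
  auth sufficient pam_unix.so try_first_pass
  auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
  auth required pam_deny.so
  account required pam_faillock.so
  account required pam_unix.so
PAM

# Constructed: faillock present but even_deny_root missing from the authfail rule.
PARTIAL_PASSWORD_AUTH = HARDENED_PASSWORD_AUTH.sub('authfail audit deny=3 even_deny_root', 'authfail audit deny=3')

if $PROGRAM_NAME == __FILE__
  puts "stock:    #{check(STOCK_PASSWORD_AUTH)}"
  puts "hardened: #{check(HARDENED_PASSWORD_AUTH)}"
  puts "partial:  #{check(PARTIAL_PASSWORD_AUTH)}"
end
```

Against the stock file the vacuous matcher returns `true` with zero matched rules, which is exactly the second, passing check in the output above; the strict matcher returns `false`. Both agree on the hardened file (`true`, two rules matched) and on the partial one (`false`). The practitioner's takeaway is the same whichever matcher the profile ends up with: pair any "all with args" assertion with a separate check that the rule exists at all.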