
Improve the description of display_login_attempts rule and respective remediation

Open marcusburghardt opened this issue 3 years ago • 0 comments

Description of problem:

The display_login_attempts rule includes the following statement in its description:

And make sure that the silent option is not set for pam_lastlog module.
  • https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml#L17

This is probably inherited from STIG Requirement:

  • https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230381
  • https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230382

As it is described, the most probable interpretation is that the silent option should be removed from all pam_lastlog lines.

However, the intention of the requirement is to make the user aware of the last access using their account, consequently giving them more information to notice any suspicious access.

This could be achieved without removing the silent option from all lines. There are cases where the silent option is desired and safe to keep while still honoring the goal of the requirement. Removing it from all lines impacts the user experience by creating avoidable noise.

SCAP Security Guide Version:

master

Operating System Version:

N/A

Steps to Reproduce:

  1. Apply the display_login_attempts remediation
  2. Log in to the system and note that the last successful login information is duplicated.

Actual Results:

Last successful login information is duplicated.

Expected Results:

Last successful login information is not duplicated.

Additional Information/Debugging Steps:

This is the usual content of /etc/pam.d/postlogin file before the remediation:

session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp showfailed
session     optional                   pam_lastlog.so silent noupdate showfailed

This is the usual content of /etc/pam.d/postlogin file after the remediation:

session     required                   pam_lastlog.so showfailed
session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp showfailed
session     optional                   pam_lastlog.so noupdate showfailed

It means that failed logins will be shown in any case, but the successful login will be shown twice. Removing the silent option from this last line will only create noise by duplicating information for the user.

This would be the proper content of /etc/pam.d/postlogin file after the remediation:

session     required                   pam_lastlog.so showfailed
session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp showfailed
session     optional                   pam_lastlog.so silent noupdate showfailed

It means that failed logins will be shown in any case, but the successful login won't be shown twice.

marcusburghardt avatar Jun 24 '22 15:06 marcusburghardt
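To make the duplication concrete, here is an added Python example (not part of the issue or of the ComplianceAsCode project) that walks the session stack of the postlogin files quoted above, honouring the [success=N]/[default=N] jumps, and counts how many pam_lastlog lines would print the last-login banner for a given service name. It assumes every module returns success except pam_succeed_if, whose `service =~/!~ glob` tests are evaluated against the service name; other pam_succeed_if tests and the `done`/`die` actions are not modelled.

```python
import fnmatch
import re

# Constructed sample: the issue's remediated /etc/pam.d/postlogin, and the variant it proposes.
REMEDIATED = """\
session     required                   pam_lastlog.so showfailed
session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp showfailed
session     optional                   pam_lastlog.so noupdate showfailed
"""
PROPOSED = REMEDIATED.replace("pam_lastlog.so noupdate", "pam_lastlog.so silent noupdate")
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, mod_type="session"):
    """Return (control, module, args) for every line of the given PAM type."""
    stack = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == mod_type:
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack


def jump_for(control, result):
    """Modules to skip after a bracketed control such as [success=1 default=ignore]."""
    if not control.startswith("["):
        return 0  # required/optional/requisite/sufficient never jump
    actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
    action = actions.get(result, actions.get("default", "ignore"))
    return int(action) if action.isdigit() else 0


def succeed_if(args, service):
    """Evaluate pam_succeed_if 'service =~|!~ glob' tests (the only form modelled here)."""
    for i in range(0, len(args) - 2, 3):
        field, op, pattern = args[i:i + 3]
        if field == "service" and op in ("=~", "!~"):
            if fnmatch.fnmatchcase(service, pattern) != (op == "=~"):
                return False
    return True


def lastlog_banners(text, service):
    """Count pam_lastlog calls that print a banner (no 'silent') when `service` runs this stack."""
    stack, shown, i = parse_stack(text), 0, 0
    while i < len(stack):
        control, module, args = stack[i]
        result = "default" if module == "pam_succeed_if.so" and not succeed_if(args, service) else "success"
        if module == "pam_lastlog.so" and "silent" not in args:
            shown += 1
        i += 1 + jump_for(control, result)  # honour [success=N]/[default=N] skips
    return shown
```

Running `lastlog_banners(REMEDIATED, "sshd")` against `lastlog_banners(PROPOSED, "sshd")` shows the banner printed twice for the current remediation output and once for the proposed content.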