----- Original Message -----
> From: "Jan Lieskovsky" <[email protected]>
> To: "Lesley Kimmel" <[email protected]>
> Cc: "SCAP Security Guide" <[email protected]>
> Sent: Thursday, June 11, 2015 10:41:19 AM
> Subject: Re: RHEL7 Scap-workbench issue
>
> Hello Lesley,
>
> thank you for your report.
>
> ----- Original Message -----
> > From: "Lesley Kimmel" <[email protected]>
> > To: [email protected]
> > Sent: Wednesday, June 10, 2015 2:33:32 PM
> > Subject: RHEL7 Scap-workbench issue
> >
> > I'm sorry if this is the wrong venue for this question, but I thought it
> > was worth a shot. I was recently using scap-workbench on RHEL7 to secure the
> > system. After applying fix for CCE-27291-4 (add 'session required
> > pam_lastlog.so showfailed') to /etc/pam.d/system-auth, scap-workbench
> > immediately begins throwing an error when attempting to scan the system:
> > "ERROR: pkexec.c:142:pam_conversation_function code should not be reached"
>
> I can reproduce the issue you are experiencing. That error / warning message
> is a result of invalid PAM /etc/pam.d/system-auth configuration. Have checked
> the recommendation with PAM developers and the conclusion being that on
> RHEL-7 and Fedora systems the setting shouldn't be applied into
> /etc/pam.d/system-auth file, but rather against / into /etc/pam.d/postlogin
> PAM file.
>
> I will submit a PR changing the OVAL check && XCCDF recommendation for RHEL-7
> and Fedora products (so future SSG versions aren't prone to this bug).

JFYI, the corresponding PR which should fix this issue is here:
[1] https://github.com/OpenSCAP/scap-security-guide/pull/577

Review appreciated.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> Thank you again for your report!
>
> Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> >
> > Any thoughts? I assume the issue is generally with PAM and extends beyond
> > scap-workbench. However, since that is the only evidence I've seen of an
> > issue I thought I'd start with the SCAP group.
> >
> > Thanks,
> >
> > -Les Kimmel
> >
> > --
> > SCAP Security Guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> > https://github.com/OpenSCAP/scap-security-guide/
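
Added example, not part of the original thread and not the SSG project's OVAL check: a Python check for the placement discussed above, flagging a 'session ... pam_lastlog.so showfailed' rule in /etc/pam.d/system-auth and a missing one in /etc/pam.d/postlogin. The function names and the sample file contents are constructed for illustration; accepting any control value in postlogin is an assumption.

```python
import re

# PAM rule: [-]type, control (one word or a [bracketed] list), module, arguments.
PAM_RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def lastlog_showfailed_rules(text):
    """Return (lineno, control) for each session pam_lastlog.so rule with showfailed."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = PAM_RULE.match(line)
        if not m:
            continue
        ptype, control, module, args = m.groups()
        if (ptype == "session"
                and module.rsplit("/", 1)[-1] == "pam_lastlog.so"
                and "showfailed" in args.split()):
            hits.append((lineno, control))
    return hits

def audit(files):
    """files maps a PAM file path to its text; returns a list of findings."""
    findings = []
    for lineno, _ in lastlog_showfailed_rules(files.get("/etc/pam.d/system-auth", "")):
        findings.append(f"/etc/pam.d/system-auth:{lineno}: "
                        "pam_lastlog.so showfailed belongs in /etc/pam.d/postlogin")
    if not lastlog_showfailed_rules(files.get("/etc/pam.d/postlogin", "")):
        findings.append("/etc/pam.d/postlogin: no session pam_lastlog.so showfailed rule")
    return findings

# Constructed sample contents (not copied from a real system).
SYSTEM_AUTH_BAD = """#%PAM-1.0
session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_lastlog.so showfailed
"""
SYSTEM_AUTH_OK = "#%PAM-1.0\nsession     required      pam_unix.so\n"
POSTLOGIN_OLD = "#%PAM-1.0\nsession     optional      pam_lastlog.so silent noupdate\n"
POSTLOGIN_FIXED = """#%PAM-1.0
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
"""

if __name__ == "__main__":
    for finding in audit({"/etc/pam.d/system-auth": SYSTEM_AUTH_BAD,
                          "/etc/pam.d/postlogin": POSTLOGIN_OLD}):
        print(finding)
```

To check a live host, read the two files from disk and pass their text to audit() in the same dictionary shape.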
