Issue with DoD SCAP RHEL7 rule 200 Display login attempts
jrrayfield opened this issue · comments
The fi statement in the following part of the remediation script is unnecessary and causes the script to halt.
###############################################################################
# BEGIN fix (200 / 243) for 'xccdf_org.ssgproject.content_rule_display_login_attempts'
###############################################################################
(>&2 echo "Remediating rule 200/243: 'xccdf_org.ssgproject.content_rule_display_login_attempts'")
sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi #This is the unnecessary statement.
echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin
# END fix for 'xccdf_org.ssgproject.content_rule_display_login_attempts'
This was a known bug and it has been fixed (https://bugzilla.redhat.com/show_bug.cgi?id=1661709). According to the Bugzilla entry, the fix is supposed to land in RHEL 7.7, which will be released soon. If you don't want to wait and want to fix the bash remediation on your own, just change it to:
(>&2 echo "Remediating rule 200/243: 'xccdf_org.ssgproject.content_rule_display_login_attempts'")
if grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin; then
    sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi
echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin
# END fix for 'xccdf_org.ssgproject.content_rule_display_login_attempts'
If you think this solution is not enough, please reopen the issue.
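
The corrected remediation from the reply above, wrapped so it can be exercised on a scratch copy of the PAM file, together with a parse-only check that catches an unmatched `fi` before the script is run. This is an added example, not part of the original thread or the SSG content; the function names and the sample postlogin file are assumptions.

```shell
#!/bin/bash
# Added example; function names and the temp-file layout are hypothetical.

# Corrected remediation from the reply above, applied to the PAM file in $1
# (the real target is /etc/pam.d/postlogin).
remediate_display_login_attempts() {
    pam_file="$1"
    if grep -q "^session.*pam_lastlog.so" "$pam_file"; then
        sed -i --follow-symlinks "/pam_lastlog.so/d" "$pam_file"
    fi
    echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> "$pam_file"
    echo "session optional pam_lastlog.so silent noupdate showfailed" >> "$pam_file"
}

# Succeeds only if the script in $1 parses; nothing in it is executed.
# An unmatched "fi" like the one reported above makes this fail.
script_parses() {
    bash -n "$1" 2>/dev/null
}

# Number of pam_lastlog.so lines in $1; stays at 2 however often the fix runs.
count_lastlog_lines() {
    grep -c "pam_lastlog.so" "$1"
}

# Constructed sample input: a postlogin file that already has lastlog entries.
make_sample_postlogin() {
    cat > "$1" <<'EOF'
#%PAM-1.0
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp silent
session     optional      pam_lastlog.so silent noupdate showfailed
EOF
}

# Run the remediation twice on a scratch copy and print the resulting count.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_postlogin "$tmp/postlogin"
    remediate_display_login_attempts "$tmp/postlogin"
    remediate_display_login_attempts "$tmp/postlogin"   # second run is a no-op in effect
    count_lastlog_lines "$tmp/postlogin"
    rm -rf "$tmp"
}
```

Running `script_parses` against a generated remediation script before executing it flags the halt described in this issue without touching /etc/pam.d.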