Hello Lesley, thank you for your report.
----- Original Message ----- > From: "Lesley Kimmel" <[email protected]> > To: [email protected] > Sent: Wednesday, June 10, 2015 2:33:32 PM > Subject: RHEL7 Scap-workbench issue > > I'm sorry if this is the wrong venue for this question, but I thought it was > worth a shot. I was recently using scap-workbench on RHEL7 to secure the > system. After applying fix for CCE-27291-4 (add 'session required > pam_lastlog.so showfailed') to /etc/pam.d/system-auth, scap-workbench > immediately begins throwing an error when attempting to scan the system: > "ERROR: pkexec.c:142:pam_conversation_function code should not be reached" I can reproduce the issue you are experiencing. That error / warning message is a result of invalid PAM /etc/pam.d/system-auth configuration. Have checked the recommendation with PAM developers and the conclusion being that on RHEL-7 and Fedora systems the setting shouldn't be applied into /etc/pam.d/system-auth file, but rather against / into /etc/pam.d/postlogin PAM file. I will submit a PR changing the OVAL check && XCCDF recommendation for RHEL-7 and Fedora products (so future SSG versions aren't prone to this bug). Thank you again for your report! Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team > > Any thoughts? I assume the issue is generally with PAM and extends beyond > scap-workbench. However, since that is the only evidence I've seen of an > issue I thought I'd start with the SCAP group. > > Thanks, > > -Les Kimmel > > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
