Excellent. I appreciate the guidance. I’ve submitted this issue: https://github.com/ComplianceAsCode/content/issues/4925
Thanks. From: Gabriel Gaspar Becker <[email protected]> Sent: Monday, October 14, 2019 5:25 AM To: SCAP Security Guide <[email protected]> Subject: [EXTERNAL] Re: linux_os - pam_faillock.so - The authfail line is inserted too early in the PAM stack and this breaks alternative authentications (ex: krb5 or sssd) Hi Nathaniel, If you truly believe that this is an issue then I suggest you to create a new issue under: [0] which is the project to track issues on scap-security-guide. And if it's possible try to add more information on which version you are using and which rule you are checking. I believe the rule you checking is part of [1], please try to identify which one is it. There people can start collaborating on identifying exactly what's the issue and start working on it. Regards. [0] https://github.com/ComplianceAsCode/content/issues/new [1] https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/system/accounts/accounts-pam On Fri, Oct 11, 2019 at 10:53 PM Wallwork, Nathaniel <[email protected]<mailto:[email protected]>> wrote: The PAM stack is modified, adding lines for pam_faillock.so. The line with authfail line is inserted “after pam_unix.so”. When there are alternative authentication methods (ex: pam_krb5.so or pam_sssd.so), this breaks them. It would be better to add this line “before pam_deny.so” instead. This would still have the desired effect, without breaking alternative authentication methods. What’s the best path to get this change made? Thanks. _______________________________________________ scap-security-guide mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] -- Gabriel Gaspar Becker Software Engineer Red Hat <https://www.redhat.com> [Image removed by sender.]<https://red.ht/sig>
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
