Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dconf and select PAM rules freeze system during remediation #10507

Open
j-ode opened this issue Apr 27, 2023 · 0 comments
Open

Dconf and select PAM rules freeze system during remediation #10507

j-ode opened this issue Apr 27, 2023 · 0 comments
Labels
Fedora Fedora product related.

Comments

@j-ode
Copy link
Collaborator

j-ode commented Apr 27, 2023
edited
Loading

Description of problem:

When implementing a new Fedora profile in #10506, I originally included multiple dconf and pam rules, however during testing I noticed that during remediation using both oscap and scap-workbench, as well as just generating a shell remediation script and executing them, the whole GUI of the system would freeze. This happened consistently both in VM and on a fresh system with 16GB of RAM, and even when left running for over an hour, nothing would happen once the remediation reached these rules:

dconf_gnome_disable_user_list
dconf_gnome_screensaver_idle_delay
dconf_gnome_screensaver_lock_delay
dconf_gnome_screensaver_lock_enabled
dconf_gnome_screensaver_user_locks
dconf_gnome_session_idle_user_locks

accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
accounts_password_pam_faillock_deny
accounts_password_pam_faillock_dir
(during execution of the bash remediations of the pam rules, “Current configuration is valid.” is written to terminal before the GUI freezes.)

The one exception was rule accounts_password_pam_faillock_unlock_time, which only froze the GUI for a couple of seconds, and then the system became responsive again.

It seems that apart from the GUI freezing, the system itself does not freeze. After killing power to the system and then running a scan, the remediations finished successfully.

SCAP Security Guide Version:

latest master, OpenSCAP 1.3.7

Operating System Version:

Fedora 37 VM with 4GB RAM, Fedora 38 fresh install on laptop with 16GB RAM

Steps to Reproduce:

  1. Use commit 9e399f5 of branch in PR Introduce Fedora and Firefox CaC profiles for common workstation users #10506
  2. Build the fedora product
  3. Try to scan and remediate a fresh fedora system using oscap/workbench with the cusp_fedora profile

Actual Results:

When remediation reaches any of the above mentioned rules, GUI freezes and system is unresponsive.

Expected Results:

Remediation finishes without GUI freezing.

Additional Information/Debugging Steps:
@marcusburghardt marcusburghardt added the Fedora Fedora product related. label Aug 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Fedora Fedora product related.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcusburghardt @j-ode