Description of problem:
The STIG bash remediation for rule display_login_attempts inserts pam_lastlog.so into /etc/pam.d/login. This module was removed from Linux-PAM upstream as part of the Y2038 transition and is not available on Ubuntu 24.04 (Noble). The successor pam_lastlog2 is part of util-linux >= 2.40, but Ubuntu 24.04 ships util-linux 2.39.3 which does not include it.
SCAP Security Guide Version:
v0.1.80
Operating System Version:
Ubuntu 24.04 LTS (Noble Numbat)
Steps to Reproduce:
- Build the Ubuntu 24.04 STIG remediation script:
./build_product ubuntu2404
- Apply the STIG bash remediation: sudo bash build/bash/ubuntu2404-script-stig.sh
- Check /etc/pam.d/login for pam_lastlog.so
- Attempt a console login (tty)
Actual Results:
The remediation inserts the following line into /etc/pam.d/login:
session required pam_lastlog.so showfailed
At login, PAM logs:
login[2449]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
The module does not exist on the system:
$ find /usr/lib/ -name "pam_lastlog.so" 2>/dev/null
(no output)
Expected Results:
The remediation should detect that pam_lastlog.so is not available on Ubuntu 24.04 and either skip the remediation or use an alternative mechanism. Alternatively the rule should be marked as not applicable on platforms where the module has been removed.
Additional Information/Debugging Steps:
The affected rule source is located at:
linux_os/guide/system/accounts/accounts-pam/display_login_attempts/
In bash/shared.sh the Jinja2 condition "ubuntu" in product unconditionally selects pam_lastlog.so for all Ubuntu versions. A version-specific condition (similar to the existing sle16/slmicro6 branch for pam_lastlog2.so) would be needed.
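As an added example (not code from the ComplianceAsCode project or its bash/shared.sh), this is the shape of check the remediation could perform before touching the PAM file: probe for pam_lastlog.so, fall back to pam_lastlog2.so where it exists, and skip with a distinct exit status where neither is installed. The module search directories and the assumption that pam_lastlog2 takes no showfailed option are mine.

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode's own remediation: only insert a lastlog
# line into a PAM service file if a lastlog module is actually installed, and
# skip (with a distinct exit status) on systems such as Ubuntu 24.04 that ship
# neither pam_lastlog.so nor pam_lastlog2.so.
set -u

# Assumption: usual PAM module locations on Debian/Ubuntu, Fedora and SUSE.
PAM_MODULE_DIRS="/usr/lib/security /usr/lib64/security /lib/security /usr/lib/x86_64-linux-gnu/security"

# find_lastlog_module DIRS MODULE...  - print the first candidate module found
# in any of the space-separated DIRS; return 1 if none is installed.
find_lastlog_module() {
    local dirs="$1" mod dir
    shift
    for mod in "$@"; do
        for dir in $dirs; do
            [ -f "$dir/$mod" ] && { printf '%s\n' "$mod"; return 0; }
        done
    done
    return 1
}

# remediate_display_login_attempts PAMFILE [DIRS]  - append
# "session required <module> [showfailed]" unless a lastlog line already exists.
# Exit status: 0 configured or already configured, 2 no module available (skipped).
remediate_display_login_attempts() {
    local pamfile="$1" dirs="${2:-$PAM_MODULE_DIRS}" mod opts
    if ! mod=$(find_lastlog_module "$dirs" pam_lastlog.so pam_lastlog2.so); then
        echo "display_login_attempts: no pam_lastlog/pam_lastlog2 module found; not touching $pamfile" >&2
        return 2
    fi
    # A session line for either module is already present: nothing to do.
    if grep -Eq '^[[:space:]]*session[[:space:]]+[^[:space:]]+[[:space:]]+pam_lastlog2?\.so' "$pamfile"; then
        return 0
    fi
    case "$mod" in
        pam_lastlog.so) opts=" showfailed" ;;  # option exists only in pam_lastlog
        *)              opts="" ;;             # assumption: pam_lastlog2 has no equivalent
    esac
    printf 'session required %s%s\n' "$mod" "$opts" >> "$pamfile"
}

# Touch the real file only when explicitly asked: ./script.sh --apply [PAMFILE]
if [ "${1:-}" = "--apply" ]; then
    remediate_display_login_attempts "${2:-/etc/pam.d/login}"
fi
```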