pam_pwhistory rules are failing after cis_workstation_l2 hardening

[vojtapolasek]

Description of problem:

The following rules are failing after the system is hardened with cis_workstation_l2 profile. It happens no matter if Bash or Ansible is used to remediate.

SCAP Security Guide Version:

master as of af29431

Operating System Version:

RHEL9, RHEL8, RHEL7

Steps to Reproduce:

1. install a fresh VM
2. ./build_product rhel9
3. cd tests && ./ds_unselect_rules ../build/ssg-rhel9-ds.xml unselect_rules_list
4. python automatus.py profile your_qemu_connection domain_name --datastream /tmp/ssg-rhel9-ds.xml cis_workstation_l2

Actual Results:

Following rules are failing:
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth - fail
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth - fail

Expected Results:

Above mentioned rules are passing.

Additional Information/Debugging Steps:

Recent changes related to pam_pwhistory have been made in this PR:
#9994

[marcusburghardt]

The issue is related to the PAM control flag defined in var_password_pam_remember_control_flag variable.
For CIS and STIG it was defined as required. However, in newer versions of RHEL8 and RHEL9, where the authselect feature for pam_pwhistory (with-pwhistory) is available, the default control flag is requisite.
It was causing divergence between the remediation and the OVAL assessment in newer systems.

For RHEL7 the control flag should also be updated to requisite since it provides a better user experience without any technical impact.

More details in #10021 .

[marcusburghardt]

It was also proposed an updated in CIS RHEL7 Benchmark:

• https://workbench.cisecurity.org/benchmarks/5680/tickets/17251
• https://workbench.cisecurity.org/sections/583749/recommendations/2667210