|
 |
fe0dde |
From d6a5542e3a86fe7206546aff431ace2823091ae3 Mon Sep 17 00:00:00 2001
|
|
|
fe0dde |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
fe0dde |
Date: Wed, 9 Sep 2020 16:33:13 +0200
|
|
|
fe0dde |
Subject: [PATCH] Set a lower bound value for
|
|
|
fe0dde |
accounts_passwords_pam_faillock_deny check.
|
|
|
fe0dde |
|
|
|
fe0dde |
---
|
|
|
fe0dde |
.../oval/shared.xml | 36 ++++++++++++-------
|
|
|
fe0dde |
.../tests/pam_config_deny_zero | 26 ++++++++++++++
|
|
|
fe0dde |
.../tests/remediable_deny_zero.fail.sh | 6 ++++
|
|
|
fe0dde |
3 files changed, 55 insertions(+), 13 deletions(-)
|
|
|
fe0dde |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero
|
|
|
fe0dde |
create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh
|
|
|
fe0dde |
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
|
|
|
fe0dde |
index db91fa97c6..8fdd7fb3d3 100644
|
|
|
fe0dde |
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
|
|
|
fe0dde |
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
|
|
|
fe0dde |
@@ -45,9 +45,10 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
check="all" check_existence="all_exist"
|
|
|
fe0dde |
- comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="1">
|
|
|
fe0dde |
+ comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="2">
|
|
|
fe0dde |
<ind:object object_ref="object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth" />
|
|
|
fe0dde |
- <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
@@ -78,9 +79,10 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
check="all" check_existence="all_exist"
|
|
|
fe0dde |
- comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="1">
|
|
|
fe0dde |
+ comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="2">
|
|
|
fe0dde |
<ind:object object_ref="object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth" />
|
|
|
fe0dde |
- <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
@@ -113,17 +115,22 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
comment="number of failed login attempts allowed" version="1" />
|
|
|
fe0dde |
|
|
|
fe0dde |
- <ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value" version="1">
|
|
|
fe0dde |
+ <ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" version="1">
|
|
|
fe0dde |
<ind:subexpression datatype="int" operation="less than or equal" var_ref="var_accounts_passwords_pam_faillock_deny" />
|
|
|
fe0dde |
</ind:textfilecontent54_state>
|
|
|
fe0dde |
|
|
|
fe0dde |
+ <ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" version="1">
|
|
|
fe0dde |
+ <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
|
|
|
fe0dde |
+ </ind:textfilecontent54_state>
|
|
|
fe0dde |
+
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
check="all" check_existence="all_exist"
|
|
|
fe0dde |
- comment="Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix." version="1">
|
|
|
fe0dde |
+ comment="Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix." version="2">
|
|
|
fe0dde |
<ind:object object_ref="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" />
|
|
|
fe0dde |
- <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" version="1">
|
|
|
fe0dde |
@@ -138,9 +145,10 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
check="all" check_existence="all_exist"
|
|
|
fe0dde |
- comment="Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail" version="1">
|
|
|
fe0dde |
+ comment="Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail" version="2">
|
|
|
fe0dde |
<ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" />
|
|
|
fe0dde |
- <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" version="1">
|
|
|
fe0dde |
@@ -170,9 +178,10 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
check="all" check_existence="all_exist"
|
|
|
fe0dde |
- comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix" version="1">
|
|
|
fe0dde |
+ comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix" version="2">
|
|
|
fe0dde |
<ind:object object_ref="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" />
|
|
|
fe0dde |
- <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" version="1">
|
|
|
fe0dde |
@@ -187,9 +196,10 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
|
|
|
fe0dde |
check="all" check_existence="all_exist"
|
|
|
fe0dde |
- comment="Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct." version="1">
|
|
|
fe0dde |
+ comment="Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct." version="2">
|
|
|
fe0dde |
<ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" />
|
|
|
fe0dde |
- <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
|
|
|
fe0dde |
+ <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
<ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" version="1">
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero
|
|
|
fe0dde |
new file mode 100644
|
|
|
fe0dde |
index 0000000000..4f426dca55
|
|
|
fe0dde |
--- /dev/null
|
|
|
fe0dde |
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero
|
|
|
fe0dde |
@@ -0,0 +1,26 @@
|
|
|
fe0dde |
+# This pam config is an example of a pam_faillock and pam_unix configured correctly
|
|
|
fe0dde |
+# without skipping any module
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+auth required pam_env.so
|
|
|
fe0dde |
+auth required pam_faildelay.so delay=2000000
|
|
|
fe0dde |
+auth required pam_faillock.so preauth silent deny=0 unlock_time=1200
|
|
|
fe0dde |
+auth sufficient pam_unix.so nullok try_first_pass
|
|
|
fe0dde |
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
|
|
fe0dde |
+auth [default=die] pam_faillock.so authfail deny=0 unlock_time=1200
|
|
|
fe0dde |
+auth required pam_deny.so
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+account required pam_faillock.so
|
|
|
fe0dde |
+account required pam_unix.so
|
|
|
fe0dde |
+account sufficient pam_localuser.so
|
|
|
fe0dde |
+account sufficient pam_succeed_if.so uid < 1000 quiet
|
|
|
fe0dde |
+account required pam_permit.so
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
|
|
fe0dde |
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
|
|
|
fe0dde |
+password required pam_deny.so
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+session optional pam_keyinit.so revoke
|
|
|
fe0dde |
+session required pam_limits.so
|
|
|
fe0dde |
+-session optional pam_systemd.so
|
|
|
fe0dde |
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
fe0dde |
+session required pam_unix.so
|
|
|
fe0dde |
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh
|
|
|
fe0dde |
new file mode 100644
|
|
|
fe0dde |
index 0000000000..b3f71fc16c
|
|
|
fe0dde |
--- /dev/null
|
|
|
fe0dde |
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh
|
|
|
fe0dde |
@@ -0,0 +1,6 @@
|
|
|
fe0dde |
+#!/bin/bash
|
|
|
fe0dde |
+#
|
|
|
fe0dde |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+cp pam_config_deny_zero /etc/pam.d/system-auth
|
|
|
fe0dde |
+cp pam_config_deny_zero /etc/pam.d/password-auth
|