12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..b44c91cbf4a
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/ansible/shared.yml
|
|
|
12e95e |
@@ -0,0 +1,150 @@
|
|
|
12e95e |
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
|
|
12e95e |
+# reboot = false
|
|
|
12e95e |
+# strategy = configure
|
|
|
12e95e |
+# complexity = low
|
|
|
12e95e |
+# disruption = medium
|
|
|
12e95e |
+
|
|
|
12e95e |
+- name: Check for existing pam_pwquality.so entry
|
|
|
12e95e |
+ ansible.builtin.lineinfile:
|
|
|
12e95e |
+ path: "/etc/pam.d/password-auth"
|
|
|
12e95e |
+ create: no
|
|
|
12e95e |
+ regexp: '^password.*pam_pwquality.so.*'
|
|
|
12e95e |
+ state: absent
|
|
|
12e95e |
+ check_mode: true
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ register: result_pam_pwquality_present
|
|
|
12e95e |
+
|
|
|
12e95e |
+- name: Check if system relies on authselect
|
|
|
12e95e |
+ ansible.builtin.stat:
|
|
|
12e95e |
+ path: /usr/bin/authselect
|
|
|
12e95e |
+ register: result_authselect_present
|
|
|
12e95e |
+
|
|
|
12e95e |
+- name: "Remediation where authselect tool is present"
|
|
|
12e95e |
+ block:
|
|
|
12e95e |
+ - name: Check the integrity of the current authselect profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect check
|
|
|
12e95e |
+ register: result_authselect_check_cmd
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ ignore_errors: true
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Informative message based on the authselect integrity check result
|
|
|
12e95e |
+ ansible.builtin.assert:
|
|
|
12e95e |
+ that:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ fail_msg:
|
|
|
12e95e |
+ - authselect integrity check failed. Remediation aborted!
|
|
|
12e95e |
+ - This remediation could not be applied because the authselect profile is not intact.
|
|
|
12e95e |
+ - It is not recommended to manually edit the PAM files when authselect is available.
|
|
|
12e95e |
+ - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
|
|
|
12e95e |
+ success_msg:
|
|
|
12e95e |
+ - authselect integrity check passed
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Get authselect current profile
|
|
|
12e95e |
+ ansible.builtin.shell:
|
|
|
12e95e |
+ cmd: authselect current -r | awk '{ print $1 }'
|
|
|
12e95e |
+ register: result_authselect_profile
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Define the current authselect profile as a local fact
|
|
|
12e95e |
+ ansible.builtin.set_fact:
|
|
|
12e95e |
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
|
|
12e95e |
+ authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_authselect_profile.stdout is match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Define the new authselect custom profile as a local fact
|
|
|
12e95e |
+ ansible.builtin.set_fact:
|
|
|
12e95e |
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
|
|
12e95e |
+ authselect_custom_profile: "custom/hardening"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_authselect_profile.stdout is not match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Get authselect current features to also enable them in the custom profile
|
|
|
12e95e |
+ ansible.builtin.shell:
|
|
|
12e95e |
+ cmd: authselect current | tail -n+3 | awk '{ print $2 }'
|
|
|
12e95e |
+ register: result_authselect_features
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Check if any custom profile with the same name was already created in the past
|
|
|
12e95e |
+ ansible.builtin.stat:
|
|
|
12e95e |
+ path: /etc/authselect/{{ authselect_custom_profile }}
|
|
|
12e95e |
+ register: result_authselect_custom_profile_present
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Create a custom profile based on the current profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect create-profile hardening -b sssd
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+ - not result_authselect_custom_profile_present.stat.exists
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure the desired configuration is present in the custom profile
|
|
|
12e95e |
+ ansible.builtin.lineinfile:
|
|
|
12e95e |
+ dest: "/etc/authselect/{{ authselect_custom_profile }}/password-auth"
|
|
|
12e95e |
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
|
|
12e95e |
+ line: "password requisite pam_pwquality.so"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_pam_pwquality_present.found == 0
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure a backup of current authselect profile before selecting the custom profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
|
|
12e95e |
+ register: result_authselect_backup
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+ - authselect_custom_profile is not match(authselect_current_profile)
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure the custom profile is selected
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect select {{ authselect_custom_profile }} --force
|
|
|
12e95e |
+ register: result_pam_authselect_select_profile
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+ - authselect_custom_profile is not match(authselect_current_profile)
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Restore the authselect features in the custom profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect enable-feature {{ item }}
|
|
|
12e95e |
+ loop: "{{ result_authselect_features.stdout_lines }}"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_authselect_features is not skipped
|
|
|
12e95e |
+ - result_pam_authselect_select_profile is not skipped
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure the custom profile changes are applied
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_present.stat.exists
|
|
|
12e95e |
+
|
|
|
12e95e |
+# For systems without authselect
|
|
|
12e95e |
+- name: "Remediation where authselect tool is not present and PAM files are directly edited"
|
|
|
12e95e |
+ block:
|
|
|
12e95e |
+ - name: Ensure the desired configuration is present in the custom profile
|
|
|
12e95e |
+ ansible.builtin.lineinfile:
|
|
|
12e95e |
+ dest: "/etc/pam.d/password-auth"
|
|
|
12e95e |
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
|
|
12e95e |
+ line: "password requisite pam_pwquality.so"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_pam_pwquality_present.found == 0
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - not result_authselect_present.stat.exists
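Review bot: The custom profile is created from a hard-coded `sssd` base at L459 (`cmd: authselect create-profile hardening -b sssd`) even though the task name says "based on the current profile" and the bash remediation uses `$CURRENT_PROFILE`; on a host running the `winbind`, `nis` or `minimal` profile, selecting `custom/hardening` at L594 then silently swaps the authentication backend, a far larger change than adding one pwquality line. It should be `cmd: authselect create-profile hardening -b {{ authselect_current_profile }}`. Separately, the presence check at L84 matches any pwquality line (`regexp: '^password.*pam_pwquality.so.*'`) while the OVAL only accepts `requisite`, so a host with `password required pam_pwquality.so` is never remediated yet keeps failing the scan; the bash script greps for `requisite`, and this regexp should too, e.g. `regexp: '^\s*password\s+requisite\s+pam_pwquality\.so'`.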
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..d2fca2a79ca
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/bash/shared.sh
|
|
|
12e95e |
@@ -0,0 +1,41 @@
|
|
|
12e95e |
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
|
|
12e95e |
+
|
|
|
12e95e |
+PAM_FILE="password-auth"
|
|
|
12e95e |
+
|
|
|
12e95e |
+if [ -f /usr/bin/authselect ]; then
|
|
|
12e95e |
+ if authselect check; then
|
|
|
12e95e |
+ CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
|
|
|
12e95e |
+ # Standard profiles delivered with authselect should not be modified.
|
|
|
12e95e |
+ # If not already in use, a custom profile is created preserving the enabled features.
|
|
|
12e95e |
+ if [[ ! $CURRENT_PROFILE == custom/* ]]; then
|
|
|
12e95e |
+ ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
|
|
|
12e95e |
+ authselect create-profile hardening -b $CURRENT_PROFILE
|
|
|
12e95e |
+ CURRENT_PROFILE="custom/hardening"
|
|
|
12e95e |
+ # Ensure a backup before changing the profile
|
|
|
12e95e |
+ authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
|
|
12e95e |
+ authselect select $CURRENT_PROFILE
|
|
|
12e95e |
+ for feature in $ENABLED_FEATURES; do
|
|
|
12e95e |
+ authselect enable-feature $feature;
|
|
|
12e95e |
+ done
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+ # Include the desired configuration in the custom profile
|
|
|
12e95e |
+ CUSTOM_FILE="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE"
|
|
|
12e95e |
+ # The line should be included on the top password section
|
|
|
12e95e |
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_FILE) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_FILE
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+ authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
|
|
12e95e |
+ else
|
|
|
12e95e |
+ echo "
|
|
|
12e95e |
+authselect integrity check failed. Remediation aborted!
|
|
|
12e95e |
+This remediation could not be applied because the authselect profile is not intact.
|
|
|
12e95e |
+It is not recommended to manually edit the PAM files when authselect is available.
|
|
|
12e95e |
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
|
|
|
12e95e |
+ false
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+else
|
|
|
12e95e |
+ FILE_PATH="/etc/pam.d/$PAM_FILE"
|
|
|
12e95e |
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $FILE_PATH) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $FILE_PATH
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+fi
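Review bot: No exit status is checked inside the authselect branch, so when `/etc/authselect/custom/hardening` already exists (left by an earlier run, or by the sibling system-auth rule, which uses the same name) `authselect create-profile hardening -b $CURRENT_PROFILE` at L869 fails and the script still runs `authselect select $CURRENT_PROFILE` at L889, activating a profile whose content it never derived from the current one. The Ansible variant guards this with a stat on the profile directory; here the minimum is `authselect create-profile hardening -b "$CURRENT_PROFILE" || exit 1`, with `$CURRENT_PROFILE`, `$CUSTOM_FILE` and `$FILE_PATH` quoted throughout. The `[ $(grep -c ...) -eq 0 ]` tests at L929 and L999 also turn into a shell syntax error when the file is missing, because the substitution expands to nothing; `if ! grep -q "..." "$CUSTOM_FILE"; then` avoids that.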
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..84f32456beb
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/oval/shared.xml
|
|
|
12e95e |
@@ -0,0 +1,21 @@
|
|
|
12e95e |
+<def-group>
|
|
|
12e95e |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
12e95e |
+ {{{ oval_metadata("The PAM module pam_pwquality is used in password-auth") }}}
|
|
|
12e95e |
+ <criteria comment="Condition for pam_pwquality in password-auth is satisfied">
|
|
|
12e95e |
+
|
|
|
12e95e |
+ test_ref="test_accounts_password_pam_pwquality_password_auth"/>
|
|
|
12e95e |
+ </criteria>
|
|
|
12e95e |
+ </definition>
|
|
|
12e95e |
+
|
|
|
12e95e |
+ <ind:textfilecontent54_object id="object_accounts_password_pam_pwquality_password_auth" version="1">
|
|
|
12e95e |
+ <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
|
|
|
12e95e |
+ <ind:pattern operation="pattern match">^password[\s]*requisite[\s]*pam_pwquality\.so</ind:pattern>
|
|
|
12e95e |
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
|
|
12e95e |
+ </ind:textfilecontent54_object>
|
|
|
12e95e |
+
|
|
|
12e95e |
+
|
|
|
12e95e |
+ id="test_accounts_password_pam_pwquality_password_auth"
|
|
|
12e95e |
+ comment="check the configuration of /etc/pam.d/password-auth">
|
|
|
12e95e |
+ <ind:object object_ref="object_accounts_password_pam_pwquality_password_auth"/>
|
|
|
12e95e |
+ </ind:textfilecontent54_test>
|
|
|
12e95e |
+</def-group>
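Review bot: The pattern at L1104, `^password[\s]*requisite[\s]*pam_pwquality\.so`, uses `[\s]*` and so also accepts `passwordrequisitepam_pwquality.so` with no separators, while rejecting a line with leading whitespace that PAM accepts and that the bash remediation's grep (`^\s*password.*requisite.*pam_pwquality.so`) tolerates; `^\s*password\s+requisite\s+pam_pwquality\.so` matches what is intended. As a caveat worth recording in the test's `comment` attribute, this only proves the line exists somewhere in the file: a `requisite` entry placed after `password sufficient pam_unix.so` would pass here yet, as far as PAM stacking goes, never be consulted once pam_unix succeeds, since ordering within the password stack is not verified.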
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..6c7bb1ad7a0
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/rule.yml
|
|
|
12e95e |
@@ -0,0 +1,35 @@
|
|
|
12e95e |
+documentation_complete: true
|
|
|
12e95e |
+
|
|
|
12e95e |
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
|
|
|
12e95e |
+
|
|
|
12e95e |
+title: 'Ensure PAM password complexity module is enabled in password-auth'
|
|
|
12e95e |
+
|
|
|
12e95e |
+description: |-
|
|
|
12e95e |
+ To enable PAM password complexity in password-auth file:
|
|
|
12e95e |
+ Edit the <tt>password</tt> section in
|
|
|
12e95e |
+ <tt>/etc/pam.d/password-auth</tt> to show
|
|
|
12e95e |
+ <tt>password requisite pam_pwquality.so</tt>.
|
|
|
12e95e |
+
|
|
|
12e95e |
+rationale: |-
|
|
|
12e95e |
+ Enabling PAM password complexity permits to enforce strong passwords and consequently
|
|
|
12e95e |
+ makes the system less prone to dictionary attacks.
|
|
|
12e95e |
+
|
|
|
12e95e |
+severity: medium
|
|
|
12e95e |
+
|
|
|
12e95e |
+identifiers:
|
|
|
12e95e |
+ cce@rhel7: CCE-85876-1
|
|
|
12e95e |
+ cce@rhel8: CCE-85877-9
|
|
|
12e95e |
+ cce@rhel9: CCE-85878-7
|
|
|
12e95e |
+
|
|
|
12e95e |
+references:
|
|
|
12e95e |
+ stigid@rhel8: RHEL-08-020100
|
|
|
12e95e |
+
|
|
|
12e95e |
+ocil_clause: 'pam_pwquality.so is not enabled in password-auth'
|
|
|
12e95e |
+
|
|
|
12e95e |
+ocil: |-
|
|
|
12e95e |
+ To check if pam_pwhistory.so is enabled in password-auth, run the following command:
|
|
|
12e95e |
+ $ grep pam_pwquality /etc/pam.d/password-auth
|
|
|
12e95e |
+ The output should be similar to the following:
|
|
|
12e95e |
+ password requisite pam_pwquality.so
|
|
|
12e95e |
+
|
|
|
12e95e |
+platform: pam
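Review bot: The OCIL text at L1329 reads `To check if pam_pwhistory.so is enabled in password-auth`, a copy-paste from the pwhistory rule; it should be `To check if pam_pwquality.so is enabled in password-auth, run the following command:`. The description (L1219–L1234) also tells the reader to edit `/etc/pam.d/password-auth` directly, which on authselect-managed hosts breaks `authselect check` and makes this rule's own remediation abort; add a sentence such as `On systems using authselect, make the change in the selected custom profile under <tt>/etc/authselect/custom/</tt> and run <tt>authselect apply-changes</tt> instead of editing <tt>/etc/pam.d</tt> directly.`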
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..3d696c36b76
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_commented_entry.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,11 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+authselect create-profile hardening -b sssd
|
|
|
12e95e |
+CUSTOM_PROFILE="custom/hardening"
|
|
|
12e95e |
+authselect select $CUSTOM_PROFILE --force
|
|
|
12e95e |
+
|
|
|
12e95e |
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
|
|
|
12e95e |
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $CUSTOM_SYSTEM_AUTH
|
|
|
12e95e |
+authselect apply-changes -b
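Review bot: The variable `CUSTOM_SYSTEM_AUTH` at L1429 holds the password-auth path, which invites exactly the copy-paste slip the sibling system-auth rule is prone to; `CUSTOM_PASSWORD_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"` says what it is. The same name recurs in the other authselect_* scenarios of this rule and should be renamed together with this one.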
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..0435899262b
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_correct_entry.pass.sh
|
|
|
12e95e |
@@ -0,0 +1,13 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+authselect create-profile hardening -b sssd
|
|
|
12e95e |
+CUSTOM_PROFILE="custom/hardening"
|
|
|
12e95e |
+authselect select $CUSTOM_PROFILE --force
|
|
|
12e95e |
+
|
|
|
12e95e |
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
|
|
|
12e95e |
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_SYSTEM_AUTH) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_SYSTEM_AUTH
|
|
|
12e95e |
+fi
|
|
|
12e95e |
+authselect apply-changes -b
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..472616a51f6
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_missing_entry.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,11 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+authselect create-profile hardening -b sssd
|
|
|
12e95e |
+CUSTOM_PROFILE="custom/hardening"
|
|
|
12e95e |
+authselect select $CUSTOM_PROFILE --force
|
|
|
12e95e |
+
|
|
|
12e95e |
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/password-auth"
|
|
|
12e95e |
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $CUSTOM_SYSTEM_AUTH
|
|
|
12e95e |
+authselect apply-changes -b
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..59f9d6f77c4
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/authselect_modified_pam.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,9 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+# remediation = none
|
|
|
12e95e |
+
|
|
|
12e95e |
+SYSTEM_AUTH_FILE="/etc/pam.d/password-auth"
|
|
|
12e95e |
+
|
|
|
12e95e |
+# This modification will break the integrity checks done by authselect.
|
|
|
12e95e |
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $SYSTEM_AUTH_FILE
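Review bot: The scenario depends on the direct edit of `/etc/pam.d/password-auth` at L1694 breaking authselect integrity, but nothing verifies that premise: if the sed pattern does not match the active profile's file, nothing is written, `authselect check` still passes, and the test no longer exercises the abort path it is named for. Append `authselect check && { echo 'expected authselect check to fail' >&2; exit 1; }` after the sed so a silent no-op is caught.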
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..71f87b19045
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/correct_entry.pass.sh
|
|
|
12e95e |
@@ -0,0 +1,8 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = pam
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+config_file=/etc/pam.d/password-auth
|
|
|
12e95e |
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $config_file) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $config_file
|
|
|
12e95e |
+fi
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..95b73b24d26
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_password_auth/tests/missing_entry.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,7 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
|
|
12e95e |
+# packages = pam
|
|
|
12e95e |
+
|
|
|
12e95e |
+config_file=/etc/pam.d/password-auth
|
|
|
12e95e |
+
|
|
|
12e95e |
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $config_file
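Review bot: This scenario declares `multi_platform_fedora` at L1804 yet deletes the line straight from `/etc/pam.d/password-auth` at L1829; on a Fedora host where authselect manages the PAM stack (the authselect_* scenarios of this rule target Fedora with `packages = authselect`), that direct edit makes `authselect check` fail, and both remediations of this rule then abort by design, so the remediation step of this fail test cannot succeed there. Either drop `multi_platform_fedora` from the platform line and let `authselect_missing_entry.fail.sh` cover it, or make the edit through a custom profile as that scenario does.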
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..13cd20458ed
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/ansible/shared.yml
|
|
|
12e95e |
@@ -0,0 +1,150 @@
|
|
|
12e95e |
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
|
|
12e95e |
+# reboot = false
|
|
|
12e95e |
+# strategy = configure
|
|
|
12e95e |
+# complexity = low
|
|
|
12e95e |
+# disruption = medium
|
|
|
12e95e |
+
|
|
|
12e95e |
+- name: Check for existing pam_pwquality.so entry
|
|
|
12e95e |
+ ansible.builtin.lineinfile:
|
|
|
12e95e |
+ path: "/etc/pam.d/system-auth"
|
|
|
12e95e |
+ create: no
|
|
|
12e95e |
+ regexp: '^password.*pam_pwquality.so.*'
|
|
|
12e95e |
+ state: absent
|
|
|
12e95e |
+ check_mode: true
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ register: result_pam_pwquality_present
|
|
|
12e95e |
+
|
|
|
12e95e |
+- name: Check if system relies on authselect
|
|
|
12e95e |
+ ansible.builtin.stat:
|
|
|
12e95e |
+ path: /usr/bin/authselect
|
|
|
12e95e |
+ register: result_authselect_present
|
|
|
12e95e |
+
|
|
|
12e95e |
+- name: "Remediation where authselect tool is present"
|
|
|
12e95e |
+ block:
|
|
|
12e95e |
+ - name: Check the integrity of the current authselect profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect check
|
|
|
12e95e |
+ register: result_authselect_check_cmd
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ ignore_errors: true
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Informative message based on the authselect integrity check result
|
|
|
12e95e |
+ ansible.builtin.assert:
|
|
|
12e95e |
+ that:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ fail_msg:
|
|
|
12e95e |
+ - authselect integrity check failed. Remediation aborted!
|
|
|
12e95e |
+ - This remediation could not be applied because the authselect profile is not intact.
|
|
|
12e95e |
+ - It is not recommended to manually edit the PAM files when authselect is available.
|
|
|
12e95e |
+ - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
|
|
|
12e95e |
+ success_msg:
|
|
|
12e95e |
+ - authselect integrity check passed
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Get authselect current profile
|
|
|
12e95e |
+ ansible.builtin.shell:
|
|
|
12e95e |
+ cmd: authselect current -r | awk '{ print $1 }'
|
|
|
12e95e |
+ register: result_authselect_profile
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Define the current authselect profile as a local fact
|
|
|
12e95e |
+ ansible.builtin.set_fact:
|
|
|
12e95e |
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
|
|
12e95e |
+ authselect_custom_profile: "{{ result_authselect_profile.stdout }}"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_authselect_profile.stdout is match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Define the new authselect custom profile as a local fact
|
|
|
12e95e |
+ ansible.builtin.set_fact:
|
|
|
12e95e |
+ authselect_current_profile: "{{ result_authselect_profile.stdout }}"
|
|
|
12e95e |
+ authselect_custom_profile: "custom/hardening"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_authselect_profile.stdout is not match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Get authselect current features to also enable them in the custom profile
|
|
|
12e95e |
+ ansible.builtin.shell:
|
|
|
12e95e |
+ cmd: authselect current | tail -n+3 | awk '{ print $2 }'
|
|
|
12e95e |
+ register: result_authselect_features
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Check if any custom profile with the same name was already created in the past
|
|
|
12e95e |
+ ansible.builtin.stat:
|
|
|
12e95e |
+ path: /etc/authselect/{{ authselect_custom_profile }}
|
|
|
12e95e |
+ register: result_authselect_custom_profile_present
|
|
|
12e95e |
+ changed_when: false
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Create a custom profile based on the current profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect create-profile hardening -b sssd
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+ - not result_authselect_custom_profile_present.stat.exists
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure the desired configuration is present in the custom profile
|
|
|
12e95e |
+ ansible.builtin.lineinfile:
|
|
|
12e95e |
+ dest: "/etc/authselect/{{ authselect_custom_profile }}/system-auth"
|
|
|
12e95e |
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
|
|
12e95e |
+ line: "password requisite pam_pwquality.so"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_pam_pwquality_present.found == 0
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure a backup of current authselect profile before selecting the custom profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
|
|
12e95e |
+ register: result_authselect_backup
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+ - authselect_custom_profile is not match(authselect_current_profile)
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure the custom profile is selected
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect select {{ authselect_custom_profile }} --force
|
|
|
12e95e |
+ register: result_pam_authselect_select_profile
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - authselect_current_profile is not match("custom/")
|
|
|
12e95e |
+ - authselect_custom_profile is not match(authselect_current_profile)
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Restore the authselect features in the custom profile
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect enable-feature {{ item }}
|
|
|
12e95e |
+ loop: "{{ result_authselect_features.stdout_lines }}"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ - result_authselect_features is not skipped
|
|
|
12e95e |
+ - result_pam_authselect_select_profile is not skipped
|
|
|
12e95e |
+
|
|
|
12e95e |
+ - name: Ensure the custom profile changes are applied
|
|
|
12e95e |
+ ansible.builtin.command:
|
|
|
12e95e |
+ cmd: authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_check_cmd is success
|
|
|
12e95e |
+ - result_authselect_profile is not skipped
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_authselect_present.stat.exists
|
|
|
12e95e |
+
|
|
|
12e95e |
+# For systems without authselect
|
|
|
12e95e |
+- name: "Remediation where authselect tool is not present and PAM files are directly edited"
|
|
|
12e95e |
+ block:
|
|
|
12e95e |
+ - name: Ensure the desired configuration is present in the custom profile
|
|
|
12e95e |
+ ansible.builtin.lineinfile:
|
|
|
12e95e |
+ dest: "/etc/pam.d/system-auth"
|
|
|
12e95e |
+ insertbefore: ^password.*sufficient.*pam_unix.so.*
|
|
|
12e95e |
+ line: "password requisite pam_pwquality.so"
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - result_pam_pwquality_present.found == 0
|
|
|
12e95e |
+ when:
|
|
|
12e95e |
+ - not result_authselect_present.stat.exists
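Review bot: When `/etc/authselect/custom/hardening` already exists but is not the selected profile, the stat at L2244–L2269 makes `create-profile` (L2289) skip, and the rule then selects that leftover profile with `--force` at L2424 after editing it on the strength of a presence check (L1914) that was run against the live `/etc/pam.d/system-auth`, not against the profile about to be activated; whatever else the stale profile contains becomes the host's authentication configuration. Either fail explicitly in that case, e.g. an `ansible.builtin.fail` task guarded by `result_authselect_custom_profile_present.stat.exists` and `authselect_current_profile is not match("custom/")`, or re-run the lineinfile presence check against `/etc/authselect/{{ authselect_custom_profile }}/system-auth` before L2324. As in the password-auth rule, `-b sssd` at L2289 should also be `-b {{ authselect_current_profile }}` so a non-sssd base profile is not replaced.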
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..9a7972a3f93
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/bash/shared.sh
|
|
|
12e95e |
@@ -0,0 +1,41 @@
|
|
|
12e95e |
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
|
|
12e95e |
+
|
|
|
12e95e |
+PAM_FILE="system-auth"
|
|
|
12e95e |
+
|
|
|
12e95e |
+if [ -f /usr/bin/authselect ]; then
|
|
|
12e95e |
+ if authselect check; then
|
|
|
12e95e |
+ CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
|
|
|
12e95e |
+ # Standard profiles delivered with authselect should not be modified.
|
|
|
12e95e |
+ # If not already in use, a custom profile is created preserving the enabled features.
|
|
|
12e95e |
+ if [[ ! $CURRENT_PROFILE == custom/* ]]; then
|
|
|
12e95e |
+ ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
|
|
|
12e95e |
+ authselect create-profile hardening -b $CURRENT_PROFILE
|
|
|
12e95e |
+ CURRENT_PROFILE="custom/hardening"
|
|
|
12e95e |
+ # Ensure a backup before changing the profile
|
|
|
12e95e |
+ authselect apply-changes -b --backup=before-pwquality-hardening.backup
|
|
|
12e95e |
+ authselect select $CURRENT_PROFILE
|
|
|
12e95e |
+ for feature in $ENABLED_FEATURES; do
|
|
|
12e95e |
+ authselect enable-feature $feature;
|
|
|
12e95e |
+ done
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+ # Include the desired configuration in the custom profile
|
|
|
12e95e |
+ CUSTOM_FILE="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE"
|
|
|
12e95e |
+ # The line should be included on the top password section
|
|
|
12e95e |
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_FILE) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_FILE
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+ authselect apply-changes -b --backup=after-pwquality-hardening.backup
|
|
|
12e95e |
+ else
|
|
|
12e95e |
+ echo "
|
|
|
12e95e |
+authselect integrity check failed. Remediation aborted!
|
|
|
12e95e |
+This remediation could not be applied because the authselect profile is not intact.
|
|
|
12e95e |
+It is not recommended to manually edit the PAM files when authselect is available.
|
|
|
12e95e |
+In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
|
|
|
12e95e |
+ false
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+else
|
|
|
12e95e |
+ FILE_PATH="/etc/pam.d/$PAM_FILE"
|
|
|
12e95e |
+ if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $FILE_PATH) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $FILE_PATH
|
|
|
12e95e |
+ fi
|
|
|
12e95e |
+fi
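Review bot: The presence test `grep -c "^\s*password.*requisite.*pam_pwquality.so"` (used twice, for the custom profile and for the direct /etc/pam.d edit) only recognises the module when its control is `requisite`, so a system that already stacks `password required pam_pwquality.so` receives a second pam_pwquality line inserted above it and users then pass through the quality check twice. The `[ $(grep -c ...) -eq 0 ]` form also degrades to a shell syntax error when the file is absent, because grep prints nothing on stdout, and `$CURRENT_PROFILE`/`$CUSTOM_FILE` are expanded unquoted. A safer shape is `if ! grep -q "^\s*password.*pam_pwquality.so" "$CUSTOM_FILE"; then` (and the same for `"$FILE_PATH"`), with a comment stating that an existing entry with a different control word is deliberately left as-is. The OVAL in this same change only accepts `requisite`, so if `required` entries are meant to be replaced rather than tolerated, that should be done explicitly instead of by adding a duplicate line.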
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..f8d241f1ff2
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/oval/shared.xml
|
|
|
12e95e |
@@ -0,0 +1,21 @@
|
|
|
12e95e |
+<def-group>
|
|
|
12e95e |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
12e95e |
+ {{{ oval_metadata("The PAM module pam_pwquality is used in system-auth") }}}
|
|
|
12e95e |
+ <criteria comment="Condition for pam_pwquality in system-auth is satisfied">
|
|
|
12e95e |
+
|
|
|
12e95e |
+ test_ref="test_accounts_password_pam_pwquality_system_auth"/>
|
|
|
12e95e |
+ </criteria>
|
|
|
12e95e |
+ </definition>
|
|
|
12e95e |
+
|
|
|
12e95e |
+ <ind:textfilecontent54_object id="object_accounts_password_pam_pwquality_system_auth" version="1">
|
|
|
12e95e |
+ <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
|
|
|
12e95e |
+ <ind:pattern operation="pattern match">^password[\s]*requisite[\s]*pam_pwquality\.so</ind:pattern>
|
|
|
12e95e |
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
|
|
|
12e95e |
+ </ind:textfilecontent54_object>
|
|
|
12e95e |
+
|
|
|
12e95e |
+
|
|
|
12e95e |
+ id="test_accounts_password_pam_pwquality_system_auth"
|
|
|
12e95e |
+ comment="check the configuration of /etc/pam.d/system-auth">
|
|
|
12e95e |
+ <ind:object object_ref="object_accounts_password_pam_pwquality_system_auth"/>
|
|
|
12e95e |
+ </ind:textfilecontent54_test>
|
|
|
12e95e |
+</def-group>
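Review bot: The pattern `^password[\s]*requisite[\s]*pam_pwquality\.so` is stricter than the remediation in the same change in one direction and looser in another: it anchors `password` at column 0 while the bash presence check tolerates leading whitespace (`^\s*password`), so an indented but valid entry is treated as already present by the remediation yet fails this check; and `[\s]*` permits zero separators between fields. One pattern shared by check and remediation avoids that drift, e.g. `^[\s]*password[\s]+requisite[\s]+pam_pwquality\.so`. The opening `<criterion` and `<ind:textfilecontent54_test` lines appear to have been lost in this rendering of the hunk; presumably they are intact in the committed file.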
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..ea42ff9b07a
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/rule.yml
|
|
|
12e95e |
@@ -0,0 +1,35 @@
|
|
|
12e95e |
+documentation_complete: true
|
|
|
12e95e |
+
|
|
|
12e95e |
+prodtype: fedora,rhel7,rhel8,rhel9,rhv4
|
|
|
12e95e |
+
|
|
|
12e95e |
+title: 'Ensure PAM password complexity module is enabled in system-auth'
|
|
|
12e95e |
+
|
|
|
12e95e |
+description: |-
|
|
|
12e95e |
+ To enable PAM password complexity in system-auth file:
|
|
|
12e95e |
+ Edit the <tt>password</tt> section in
|
|
|
12e95e |
+ <tt>/etc/pam.d/system-auth</tt> to show
|
|
|
12e95e |
+ <tt>password requisite pam_pwquality.so</tt>.
|
|
|
12e95e |
+
|
|
|
12e95e |
+rationale: |-
|
|
|
12e95e |
+ Enabling PAM password complexity permits to enforce strong passwords and consequently
|
|
|
12e95e |
+ makes the system less prone to dictionary attacks.
|
|
|
12e95e |
+
|
|
|
12e95e |
+severity: medium
|
|
|
12e95e |
+
|
|
|
12e95e |
+identifiers:
|
|
|
12e95e |
+ cce@rhel7: CCE-85874-6
|
|
|
12e95e |
+ cce@rhel8: CCE-85872-0
|
|
|
12e95e |
+ cce@rhel9: CCE-85873-8
|
|
|
12e95e |
+
|
|
|
12e95e |
+references:
|
|
|
12e95e |
+ stigid@rhel8: RHEL-08-020101
|
|
|
12e95e |
+
|
|
|
12e95e |
+ocil_clause: 'pam_pwquality.so is not enabled in system-auth'
|
|
|
12e95e |
+
|
|
|
12e95e |
+ocil: |-
|
|
|
12e95e |
+ To check if pam_pwhistory.so is enabled in system-auth, run the following command:
|
|
|
12e95e |
+ $ grep pam_pwquality /etc/pam.d/system-auth
|
|
|
12e95e |
+ The output should be similar to the following:
|
|
|
12e95e |
+ password requisite pam_pwquality.so
|
|
|
12e95e |
+
|
|
|
12e95e |
+platform: pam
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..849f16d0f93
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_commented_entry.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,11 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+authselect create-profile hardening -b sssd
|
|
|
12e95e |
+CUSTOM_PROFILE="custom/hardening"
|
|
|
12e95e |
+authselect select $CUSTOM_PROFILE --force
|
|
|
12e95e |
+
|
|
|
12e95e |
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
|
|
|
12e95e |
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $CUSTOM_SYSTEM_AUTH
|
|
|
12e95e |
+authselect apply-changes -b
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..6a98c244980
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_correct_entry.pass.sh
|
|
|
12e95e |
@@ -0,0 +1,13 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+authselect create-profile hardening -b sssd
|
|
|
12e95e |
+CUSTOM_PROFILE="custom/hardening"
|
|
|
12e95e |
+authselect select $CUSTOM_PROFILE --force
|
|
|
12e95e |
+
|
|
|
12e95e |
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
|
|
|
12e95e |
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $CUSTOM_SYSTEM_AUTH) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $CUSTOM_SYSTEM_AUTH
|
|
|
12e95e |
+fi
|
|
|
12e95e |
+authselect apply-changes -b
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..6786f6c13d7
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_missing_entry.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,11 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+authselect create-profile hardening -b sssd
|
|
|
12e95e |
+CUSTOM_PROFILE="custom/hardening"
|
|
|
12e95e |
+authselect select $CUSTOM_PROFILE --force
|
|
|
12e95e |
+
|
|
|
12e95e |
+CUSTOM_SYSTEM_AUTH="/etc/authselect/$CUSTOM_PROFILE/system-auth"
|
|
|
12e95e |
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $CUSTOM_SYSTEM_AUTH
|
|
|
12e95e |
+authselect apply-changes -b
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..b3d9e5884f5
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/authselect_modified_pam.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,9 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = authselect
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
|
|
|
12e95e |
+# remediation = none
|
|
|
12e95e |
+
|
|
|
12e95e |
+SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
|
|
|
12e95e |
+
|
|
|
12e95e |
+# This modification will break the integrity checks done by authselect.
|
|
|
12e95e |
+sed -i --follow-symlinks -e '/^password\s*requisite\s*pam_pwquality\.so/ s/^#*/#/g' $SYSTEM_AUTH_FILE
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..71f87b19045
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/correct_entry.pass.sh
|
|
|
12e95e |
@@ -0,0 +1,8 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# packages = pam
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
|
|
12e95e |
+
|
|
|
12e95e |
+config_file=/etc/pam.d/password-auth
|
|
|
12e95e |
+if [ $(grep -c "^\s*password.*requisite.*pam_pwquality.so" $config_file) -eq 0 ]; then
|
|
|
12e95e |
+ sed -i --follow-symlinks '0,/^password.*/s/^password.*/password requisite pam_pwquality.so\n&/' $config_file
|
|
|
12e95e |
+fi
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
|
|
|
12e95e |
new file mode 100644
|
|
|
12e95e |
index 00000000000..3c8f6f79fe9
|
|
|
12e95e |
--- /dev/null
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_system_auth/tests/missing_entry.fail.sh
|
|
|
12e95e |
@@ -0,0 +1,7 @@
|
|
|
12e95e |
+#!/bin/bash
|
|
|
12e95e |
+# platform = Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
|
|
|
12e95e |
+# packages = pam
|
|
|
12e95e |
+
|
|
|
12e95e |
+config_file=/etc/pam.d/system-auth
|
|
|
12e95e |
+
|
|
|
12e95e |
+sed -i --follow-symlinks '/^password\s*requisite\s*pam_pwquality\.so/d' $config_file
|
|
|
12e95e |
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
|
|
12e95e |
index eeb55a6ff5c..6b2219a3eab 100644
|
|
|
12e95e |
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
|
|
12e95e |
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
|
|
|
12e95e |
@@ -6,13 +6,16 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
|
|
|
12e95e |
|
|
|
12e95e |
description: |-
|
|
|
12e95e |
To configure the number of retry prompts that are permitted per-session:
|
|
|
12e95e |
+ {{% if product in ['rhel8', 'rhel9'] %}}
|
|
|
12e95e |
+ Edit the <tt>/etc/security/pwquality.conf</tt> to include
|
|
|
12e95e |
+ {{% else %}}
|
|
|
12e95e |
Edit the <tt>pam_pwquality.so</tt> statement in
|
|
|
12e95e |
{{% if 'ubuntu' not in product %}}
|
|
|
12e95e |
- <tt>/etc/pam.d/system-auth</tt> {{% if product in ['rhel8', 'rhel9'] %}} and
|
|
|
12e95e |
- <tt>/etc/pam.d/password-auth</tt> {{% endif %}} to show
|
|
|
12e95e |
+ <tt>/etc/pam.d/system-auth</tt> to show
|
|
|
12e95e |
{{% else %}}
|
|
|
12e95e |
<tt>/etc/pam.d/common-password</tt> to show
|
|
|
12e95e |
{{% endif %}}
|
|
|
12e95e |
+ {{% endif %}}
|
|
|
12e95e |
<tt>retry={{{xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if site
|
|
|
12e95e |
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
|
|
|
12e95e |
per session.
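Review bot: For rhel8 the description now directs the reader only to `/etc/security/pwquality.conf`, yet the stig.profile comments added in this same change state that the retry parameter is not available there before RHEL 8.4; if that is accurate, an administrator on an earlier 8.x following this text would set an option libpwquality ignores and stay non-compliant while believing the rule is satisfied. I would add, inside the rhel8/rhel9 branch: `On RHEL 8 releases prior to 8.4 the retry option must still be set on the pam_pwquality.so line in /etc/pam.d/system-auth and /etc/pam.d/password-auth.` The 8.4 threshold is taken from the profile comment, not verified here.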
|
|
|
12e95e |
@@ -48,17 +51,21 @@ references:
|
|
|
12e95e |
stigid@ol7: OL07-00-010119
|
|
|
12e95e |
stigid@ol8: OL08-00-020100
|
|
|
12e95e |
stigid@rhel7: RHEL-07-010119
|
|
|
12e95e |
- stigid@rhel8: RHEL-08-020100
|
|
|
12e95e |
+ stigid@rhel8: RHEL-08-020104
|
|
|
12e95e |
stigid@ubuntu2004: UBTU-20-010057
|
|
|
12e95e |
|
|
|
12e95e |
ocil_clause: 'it is not the required value'
|
|
|
12e95e |
|
|
|
12e95e |
ocil: |-
|
|
|
12e95e |
To check how many retry attempts are permitted on a per-session basis, run the following command:
|
|
|
12e95e |
+ {{% if product in ['rhel8', 'rhel9'] %}}
|
|
|
12e95e |
+ $ grep retry /etc/security/pwquality.conf
|
|
|
12e95e |
+ {{% else %}}
|
|
|
12e95e |
{{% if 'ubuntu' in product %}}
|
|
|
12e95e |
$ grep pam_pwquality /etc/pam.d/common-password
|
|
|
12e95e |
{{% else %}}
|
|
|
12e95e |
- $ grep pam_pwquality /etc/pam.d/system-auth {{% if product in ['rhel8', 'rhel9'] %}}/etc/pam.d/password-auth{{% endif %}}
|
|
|
12e95e |
+ $ grep pam_pwquality /etc/pam.d/system-auth
|
|
|
12e95e |
+ {{% endif %}}
|
|
|
12e95e |
{{% endif %}}
|
|
|
12e95e |
The <tt>retry</tt> parameter will indicate how many attempts are permitted.
|
|
|
12e95e |
The DoD required value is less than or equal to 3.
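Review bot: `$ grep retry /etc/security/pwquality.conf` will also match a commented-out `# retry = 3` line, and as far as I recall the stock pwquality.conf ships its defaults commented out, so an auditor can read an inactive default as a configured value. Anchoring on active settings avoids that: `$ grep -E '^\s*retry' /etc/security/pwquality.conf`, with a sentence noting that a line beginning with `#` does not count.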
|
|
|
12e95e |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
12e95e |
index d92bc72971c..62fc512f05e 100644
|
|
|
12e95e |
--- a/products/rhel8/profiles/stig.profile
|
|
|
12e95e |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
12e95e |
@@ -523,6 +523,20 @@ selections:
|
|
|
12e95e |
- sssd_enable_certmap
|
|
|
12e95e |
|
|
|
12e95e |
# RHEL-08-020100
|
|
|
12e95e |
+ - accounts_password_pam_pwquality_password_auth
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020101
|
|
|
12e95e |
+ - accounts_password_pam_pwquality_system_auth
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020102
|
|
|
12e95e |
+ # This is only required for RHEL8 systems below version 8.4 where the
|
|
|
12e95e |
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020103
|
|
|
12e95e |
+ # This is only required for RHEL8 systems below version 8.4 where the
|
|
|
12e95e |
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020104
|
|
|
12e95e |
- accounts_password_pam_retry
|
|
|
12e95e |
|
|
|
12e95e |
# RHEL-08-020110
|
|
|
12e95e |
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
|
|
|
12e95e |
index 42c6d0e9aca..ad08a6d3410 100644
|
|
|
12e95e |
--- a/products/rhel9/profiles/stig.profile
|
|
|
12e95e |
+++ b/products/rhel9/profiles/stig.profile
|
|
|
12e95e |
@@ -524,6 +524,20 @@ selections:
|
|
|
12e95e |
- sssd_enable_certmap
|
|
|
12e95e |
|
|
|
12e95e |
# RHEL-08-020100
|
|
|
12e95e |
+ - accounts_password_pam_pwquality_password_auth
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020101
|
|
|
12e95e |
+ - accounts_password_pam_pwquality_system_auth
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020102
|
|
|
12e95e |
+ # This is only required for RHEL8 systems below version 8.4 where the
|
|
|
12e95e |
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020103
|
|
|
12e95e |
+ # This is only required for RHEL8 systems below version 8.4 where the
|
|
|
12e95e |
+ # retry parameter was not yet available on /etc/security/pwquality.conf.
|
|
|
12e95e |
+
|
|
|
12e95e |
+ # RHEL-08-020104
|
|
|
12e95e |
- accounts_password_pam_retry
|
|
|
12e95e |
|
|
|
12e95e |
# RHEL-08-020110
|
|
|
12e95e |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
12e95e |
index e4fee44f9f9..33e82401c3d 100644
|
|
|
12e95e |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
12e95e |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
12e95e |
@@ -53,6 +53,8 @@ selections:
|
|
|
12e95e |
- accounts_password_pam_ocredit
|
|
|
12e95e |
- accounts_password_pam_pwhistory_remember_password_auth
|
|
|
12e95e |
- accounts_password_pam_pwhistory_remember_system_auth
|
|
|
12e95e |
+- accounts_password_pam_pwquality_password_auth
|
|
|
12e95e |
+- accounts_password_pam_pwquality_system_auth
|
|
|
12e95e |
- accounts_password_pam_retry
|
|
|
12e95e |
- accounts_password_pam_ucredit
|
|
|
12e95e |
- accounts_password_pam_unix_rounds_password_auth
|
|
|
12e95e |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
12e95e |
index 83d04775e3a..5beeb4f28af 100644
|
|
|
12e95e |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
12e95e |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
12e95e |
@@ -64,6 +64,8 @@ selections:
|
|
|
12e95e |
- accounts_password_pam_ocredit
|
|
|
12e95e |
- accounts_password_pam_pwhistory_remember_password_auth
|
|
|
12e95e |
- accounts_password_pam_pwhistory_remember_system_auth
|
|
|
12e95e |
+- accounts_password_pam_pwquality_password_auth
|
|
|
12e95e |
+- accounts_password_pam_pwquality_system_auth
|
|
|
12e95e |
- accounts_password_pam_retry
|
|
|
12e95e |
- accounts_password_pam_ucredit
|
|
|
12e95e |
- accounts_password_pam_unix_rounds_password_auth
|