From c9dfb2665c2cb21dca5b19434c7cb41ecec247e3 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Aug 2022 12:05:54 +0200
Subject: [PATCH 11/11] Ensure check and remediation work on RHEL7 regardless
of authconfig runs
Patch-name: scap-security-guide-0.1.64-fix_smartcard_auth_rhel7-PR_9387.patch
Patch-status: Ensure smartcard_auth check and remediation work on RHEL7
---
.../smartcard_auth/bash/shared.sh | 44 ++++++++++-----
.../smartcard_auth/oval/shared.xml | 2 +
.../tests/installed_with_authconfig.fail.sh | 53 +++++++++++++++++++
.../installed_with_pam_faildelay.pass.sh | 11 ++++
.../installed_without_authconfig.fail.sh | 52 ++++++++++++++++++
5 files changed, 150 insertions(+), 12 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh
index 9d421063f7..925ec7bd8e 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/bash/shared.sh
@@ -23,6 +23,7 @@
SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
PAM_ENV_SO="auth.*required.*pam_env.so"
+PAM_FAIL_DELAY="auth.*required.*pam_faildelay.so"
# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
SYSTEM_AUTH_PAM_SUCCEED="\
@@ -37,31 +38,50 @@ pam_pkcs11.so nodebug"
# Define smartcard-auth config location
SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
-SMARTCARD_AUTH_SECTION="\
-auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
+SMARTCARD_AUTH_SECTION="auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card"
# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
PAM_PERMIT_SO="account.*required.*pam_permit.so"
# Define 'pam_pkcs11.so' password section
-SMARTCARD_PASSWORD_SECTION="\
-password required pam_pkcs11.so"
+SMARTCARD_PASSWORD_SECTION="password required pam_pkcs11.so"
# First Correct the SYSTEM_AUTH_CONF configuration
if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
then
- # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
- # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added
- # in SYSTEM_AUTH_CONF file
- # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
- echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
+ # Append pam_succeed_if.so row after pam_env.so or after pam_faildelay.so when it exists.
+ # Then append pam_pkcs11.so row right after the pam_succeed_if.so we just added
+ # in SYSTEM_AUTH_CONF file
+ # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
+ if ! grep -q 'pam_faildelay.so' "$SYSTEM_AUTH_CONF"
+ then
+ echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
+ else
+ echo "$(awk '/^'"$PAM_FAIL_DELAY"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
+ fi
+
fi
# Then also correct the SMARTCARD_AUTH_CONF
-if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
+if ! grep -q 'auth.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
then
# Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
- sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
+ sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a \
+ '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
+else
+ if ! grep -q 'auth.*pam_pkcs11.so.*no_debug.*wait_for_card' "$SMARTCARD_AUTH_CONF"
+ then
+ sed -i --follow-symlinks -e 's/^auth.*pam_pkcs11.so.*/'"$SMARTCARD_AUTH_SECTION"'/' "$SMARTCARD_AUTH_CONF"
+ fi
+fi
+if ! grep -q 'password.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
+then
# Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
- sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
+ sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a \
+ '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
+else
+ if ! grep -q 'password.*required.*pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
+ then
+ sed -i --follow-symlinks -e 's/password.*pam_pkcs11.so.*/'"$SMARTCARD_PASSWORD_SECTION"'/' "$SMARTCARD_AUTH_CONF"
+ fi
fi
# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
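Review bot: The guard in the new `else` branch greps for `no_debug`, but the option written by SMARTCARD_AUTH_SECTION and expected by the OVAL is `nodebug`, so the test never matches a compliant line and the sed rewrite runs on every remediation; change it to `if ! grep -q 'auth.*pam_pkcs11.so.*nodebug.*wait_for_card' "$SMARTCARD_AUTH_CONF"`. The pam_faildelay branch has a related gap: the outer `grep -q 'pam_faildelay.so'` is unanchored and is satisfied by a commented-out or non-`required` pam_faildelay line, while the awk rule only inserts after `^auth.*required.*pam_faildelay.so`, so on such a host the pam_succeed_if/pam_pkcs11 rows are never added and system-auth is left unchanged with no error. Test with the same pattern the edit uses, `if ! grep -q "^$PAM_FAIL_DELAY" "$SYSTEM_AUTH_CONF"`, so the check and the edit agree.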
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
index 343da51124..e284636e8a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
@@ -46,6 +46,7 @@
comment="Regular expression to check if smartcard authentication is enabled in /etc/pam.d/system-auth" version="1">
<concat>
<literal_component>\nauth[\s]+required[\s]+pam_env.so</literal_component>
+ <literal_component>(\nauth[\s]+required[\s]+pam_faildelay.so[\s]+delay=2000000)?</literal_component>
<literal_component>\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]</literal_component>
<literal_component>login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid</literal_component>
<literal_component>\nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s]</literal_component>
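Review bot: The optional group pins `delay=2000000`, while the bash remediation in this patch keys on any `auth.*required.*pam_faildelay.so` line, so a host whose pam_faildelay row carries a different delay or extra options is remediated into a stack the OVAL still rejects, because the group fails to match and the regex then demands pam_succeed_if directly after pam_env.so. Either loosen the group to the shape the remediation uses, e.g. `(\nauth[\s]+required[\s]+pam_faildelay.so[^\n]*)?`, or make the bash side refuse to treat other delay values as satisfied. The same literal appears in the second hunk of this file (around line 71) and needs the same change. If 2000000 is the only value authconfig writes this is a narrow case, but check and remediation should still agree.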
@@ -70,6 +71,7 @@
comment="Regular expressiion to check if smartcard authentication is required in /etc/pam.d/system-auth" version="1">
<concat>
<literal_component>\nauth[\s]+required[\s]+pam_env.so</literal_component>
+ <literal_component>(\nauth[\s]+required[\s]+pam_faildelay.so[\s]+delay=2000000)?</literal_component>
<literal_component>\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]</literal_component>
<literal_component>login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid</literal_component>
<literal_component>\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]</literal_component>
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh
new file mode 100644
index 0000000000..b0bbd7a8c0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_authconfig.fail.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# packages = pcsc-lite pam_pkcs11 esc
+
+systemctl enable pcscd.socket
+systemctl start pcscd.socket
+
+cat << EOF > "/etc/pam.d/system-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+EOF
+
+cat << EOF > "/etc/pam.d/smartcard-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+EOF
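Review bot: The fixture does not say what it is meant to fail on; a header comment such as `# system-auth as generated by authconfig on RHEL7: pam_faildelay present, no pam_pkcs11 rows -> rule must fail` would let a reader tell this scenario apart from installed_without_authconfig.fail.sh at a glance. As a point of style, quote the heredoc delimiters (`cat << 'EOF' > "/etc/pam.d/system-auth"`) so the PAM content is written literally; nothing in the current bodies expands, but a future `$` or backtick in a module argument would silently change the fixture.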
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh
new file mode 100644
index 0000000000..c36ecbdb02
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_with_pam_faildelay.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = pcsc-lite pam_pkcs11 esc
+
+systemctl enable pcscd.socket
+systemctl start pcscd.socket
+
+. ./configure_pam_stack.sh
+
+# Add pam_faildelay line to system-auth
+PAM_ENV_SO="auth.*required.*pam_env.so"
+sed -i --follow-symlinks '/auth.*required.*pam_env.so/ a auth required pam_faildelay.so delay=2000000' /etc/pam.d/system-auth
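Review bot: `PAM_ENV_SO` is assigned on the line above the sed call and never read; the sed address repeats the same regex literally. Either drop the assignment or use it, `sed -i --follow-symlinks "/$PAM_ENV_SO/ a auth required pam_faildelay.so delay=2000000" /etc/pam.d/system-auth`. A one-line comment noting that the row is deliberately placed between pam_env.so and pam_succeed_if.so, the position the OVAL in this patch allows it, would also make the scenario's intent clear.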
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh
new file mode 100644
index 0000000000..83f4a81f08
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/tests/installed_without_authconfig.fail.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# packages = pcsc-lite pam_pkcs11 esc
+
+systemctl enable pcscd.socket
+systemctl start pcscd.socket
+
+cat << EOF > "/etc/pam.d/system-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry
+=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 s
+hadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
+use_uid
+session required pam_unix.so
+EOF
+
+cat << EOF > "/etc/pam.d/smartcard-auth"
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
+use_uid
+session required pam_unix.so
+EOF
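Review bot: Several PAM rows in the fixture are split across two lines, e.g. `password requisite pam_pwquality.so try_first_pass local_users_only retry` followed by `=3 authtok_type=`, and the same happens to the second password row and to both `session [success=1 default=ignore] pam_succeed_if.so …` rows; the hunk's 52-line count matches this layout, so the breaks appear to be in the committed file rather than an artefact of the mail. PAM reads each fragment as its own entry, so the heredoc does not produce the stack the header comment describes; rejoin each row onto one line. The scenario presumably still fails for the intended reason (no pam_pkcs11 in system-auth, `password optional` and missing `nodebug` in smartcard-auth), but the fixture should be valid PAM so the failure cause is unambiguous.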
--
2.37.2