This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

chore(CIS): Ensure password creation requirements are configured #1035

Merged
merged 1 commit into from Apr 19, 2019

CecileRobertMichon
Contributor

@CecileRobertMichon CecileRobertMichon commented Apr 11, 2019

Reason for Change:

CIS 5.3.1: Ensure password creation requirements are configured.

This will enforce stricter password rules, >= 14 characters with at least 1 uppercase, 1 lowercase, 1 special char, 1 digit and no recognized dictionary words.

Issue Fixed:

#1016

Requirements:

Notes:
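
The rules in the description above correspond to the pwquality.conf keys `minlen`, `dcredit`, `ucredit`, `lcredit` and `ocredit`. As an added example (not code from this PR), the shell audit below checks a config file for those settings; the function names are hypothetical, the sample files are constructed, and the dictionary check is not covered.

```shell
#!/bin/sh
# Added example: audit a pwquality config file against the rules stated in the PR.

# Print the value of KEY ($2) in FILE ($1); comments are stripped and, if the
# key is repeated, the last assignment is the one reported.
pwq_get() {
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*\$/\1/p" \
        "$1" | tail -n 1
}

# Return 0 if FILE requires >= 14 characters and at least one digit, uppercase,
# lowercase and special character; otherwise print each failing key and return 1.
audit_pwquality() {
    file=$1
    rc=0
    minlen=$(pwq_get "$file" minlen)
    if [ -z "$minlen" ] || [ "$minlen" -lt 14 ]; then
        echo "FAIL minlen=${minlen:-unset} (need >= 14)"
        rc=1
    fi
    for key in dcredit ucredit lcredit ocredit; do
        val=$(pwq_get "$file" "$key")
        # Negative credit = minimum count of that class; zero or positive
        # values only grant length credit and require nothing.
        if [ -z "$val" ] || [ "$val" -ge 0 ]; then
            echo "FAIL $key=${val:-unset} (need <= -1)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not the contents shipped by this PR).
tmp=$(mktemp -d)
printf '%s\n' '# constructed: meets the stated rules' 'minlen = 14' \
    'dcredit = -1' 'ucredit = -1' 'ocredit = -1' 'lcredit = -1' > "$tmp/CIS.conf"
printf '%s\n' '# constructed: short minimum, digit not required' 'minlen = 8' \
    'dcredit = 1' 'ucredit = -1' 'lcredit = -1' > "$tmp/weak.conf"

audit_pwquality "$tmp/CIS.conf" && echo "CIS.conf: compliant"
audit_pwquality "$tmp/weak.conf" || echo "weak.conf: not compliant"
```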

@codecov

codecov bot commented Apr 11, 2019

Codecov Report

Merging #1035 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #1035      +/-   ##
==========================================
+ Coverage   74.33%   74.33%   +<.01%     
==========================================
  Files         131      131              
  Lines       18259    18260       +1     
==========================================
+ Hits        13573    13574       +1     
  Misses       3905     3905              
  Partials      781      781

@CecileRobertMichon CecileRobertMichon changed the title [WIP] chore(CIS): Ensure password creation requirements are configured chore(CIS): Ensure password creation requirements are configured Apr 12, 2019
@acs-bot acs-bot added size/S and removed size/M labels Apr 12, 2019
@CecileRobertMichon
Contributor Author

/hold

@CecileRobertMichon
Contributor Author

/hold cancel

@mboersma mboersma added the needs-rebase Changes in the target branch require a `git rebase` and `git push -f` label Apr 17, 2019
@CecileRobertMichon CecileRobertMichon removed the needs-rebase Changes in the target branch require a `git rebase` and `git push -f` label Apr 17, 2019
@acs-bot acs-bot removed the size/M label Apr 17, 2019
@CecileRobertMichon
Contributor Author

/hold cancel

validated E2E on Ubuntu distro:

ssh -A -i /go/src/github.com/Azure/aks-engine/_output/kubernetes-southcentralus-88993-ssh -p 22 -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR azureuser@kubernetes-southcentralus-88993.southcentralus.cloudapp.azure.com ssh -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR k8s-agentpool1-41958268-vmss000000 "/tmp/pwquality-validate.sh"
2019/04/18 17:23:51 + echo tooshort1@
+ sudo pwscore
Password quality check failed:
 The password contains less than 1 uppercase letters
+ echo password123456@J
+ sudo pwscore
Password quality check failed:
 The password fails the dictionary check - it is too simplistic/systematic
+ echo passSDWword@@@@J
+ sudo pwscore
Password quality check failed:
 The password contains less than 1 digits
+ echo passSDWword1111J
+ sudo pwscore
Password quality check failed:
 The password contains less than 1 non-alphanumeric characters
+ echo lowerrrr12case@
+ sudo pwscore
76
Password quality check failed:
 The password contains less than 1 uppercase letters
+ echo UPPERRR12CASE@
+ sudo pwscore
Password quality check failed:
 The password contains less than 1 lowercase letters
+ echo passSDWword1232rdw#@
+ sudo pwscore

fix indent

add sshd verification to e2e

fix test expectations

add pwquality file contents

fix file name

rebase errata

use Packer to write file to disk

add package to release notes

move files after package install

add -q option to apt-get install

add todo e2e

add todo e2e script

move file to /etc/security/pwquality.conf.d/CIS.conf

move file copy lines to function

add --force-confold option

add pwscore test

fix dash

extra dash

remove new packages from e2e not on vhd yet

pwscore needs sudo

fix validation script

remove log line
parts/k8s/cloud-init/artifacts/cse_helpers.sh
@@ -40,7 +40,7 @@ installDeps() {
retrycmd_if_failure 60 5 10 dpkg -i /tmp/packages-microsoft-prod.deb || exit $ERR_MS_PROD_DEB_PKG_ADD_FAIL
apt_get_update || exit $ERR_APT_UPDATE_TIMEOUT
apt_get_dist_upgrade || exit $ERR_APT_DIST_UPGRADE_TIMEOUT
apt_get_install 30 1 600 apt-transport-https blobfuse ca-certificates ceph-common cgroup-lite cifs-utils conntrack ebtables ethtool fuse git glusterfs-client init-system-helpers iproute2 ipset iptables jq mount nfs-common pigz socat util-linux xz-utils zip htop iotop iftop sysstat || exit $ERR_APT_INSTALL_TIMEOUT
apt_get_install 30 1 600 apt-transport-https blobfuse ca-certificates ceph-common cgroup-lite cifs-utils conntrack cracklib-runtime ebtables ethtool fuse git glusterfs-client init-system-helpers iproute2 ipset iptables jq libpam-pwquality libpwquality-tools mount nfs-common pigz socat util-linux xz-utils zip htop iotop iftop sysstat || exit $ERR_APT_INSTALL_TIMEOUT
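Review bot: in the rewritten apt_get_install line, cracklib-runtime, libpam-pwquality and libpwquality-tools are folded into one very long package list whose only failure path is `|| exit $ERR_APT_INSTALL_TIMEOUT`, so a pwquality package that cannot be installed is reported with the same code as a timeout, and the CIS-related additions are hard to spot in later diffs. Consider holding the list in a variable with one package per line, with a comment that these three packages back CIS 5.3.1 so they are not dropped in a future cleanup.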
Member

Thank you for alphabetizing, although I see some miscreants at the end of the list.

Member

I have a python one-liner in a PR thread somewhere :)

Contributor Author

I'll fix the order for the other packages in a separate PR if that's okay with you so I don't have to rebase another time.

Member

Yes, of course. I was just noticing it.

@jackfrancis
Member

lgtm pending "ubuntu" distro test

@CecileRobertMichon
Contributor Author

Ubuntu distro tested, see above comment for output.

@mboersma
Member

/lgtm

@acs-bot

acs-bot commented Apr 18, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon, mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [CecileRobertMichon,mboersma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@acs-bot acs-bot merged commit 3ef0ae9 into Azure:master Apr 19, 2019