From 1823d96e1e2c629932780040d522067454810983 Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 17:52:49 +0100 Subject: [PATCH 01/33] update package_ypbind_removed rule for debian12 --- .../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index 10bac615f95..9203aa90bcb 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -36,6 +36,7 @@ template: name: package_removed vars: pkgname: ypbind + pkgname@debian12: ypbind-mt {{% if product in ["rhel9"] %}} warnings: From 8c2e2d7771cf284490954d55c980e4b787b0b21d Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 17:59:13 +0100 Subject: [PATCH 02/33] update accounts_password_pam_unix_remember for Debian 12 --- .../ansible/debian.yml | 48 +++++++++++++++++++ .../bash/debian.sh | 5 ++ .../oval/debian.xml | 1 + .../rule.yml | 2 +- 4 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh create mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml new file mode 100644 index 00000000000..09217290428 --- /dev/null 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml 
@@ -0,0 +1,48 @@ +# platform = multi_platform_debian +# reboot = false +# strategy = configure +# complexity = low +# disruption = medium + +{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}} + +# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match=''). +# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex. +# Here we adapt the code to allow using regex on the control field. + +{{% set pam_file='/etc/pam.d/common-password' %}} +{{% set group='password' %}} +{{% set control='\[success=[A-Za-z0-9].*\]' %}} +{{% set module='pam_unix.so' %}} +{{% set option='remember' %}} +{{% set value='{{ var_password_pam_unix_remember }}' %}} + +- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}' + ansible.builtin.lineinfile: + path: "{{{ pam_file }}}" + regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b + state: absent + check_mode: true + changed_when: false + register: result_pam_module_{{{ option }}}_option_present + +- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}' + ansible.builtin.lineinfile: + path: "{{{ pam_file }}}" + backrefs: true + regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*) + line: \1 {{{ option }}}={{{ value }}} + state: present + register: result_pam_{{{ option }}}_add + when: + - result_pam_module_{{{ option }}}_option_present.found == 0 + +- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}' + ansible.builtin.lineinfile: + path: "{{{ pam_file }}}" + backrefs: true + regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*) + line: \1\2={{{ value }}} \3 + register: result_pam_{{{ option }}}_edit + 
when: + - result_pam_module_{{{ option }}}_option_present.found > 0 diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh new file mode 100644 index 00000000000..e9352c4bc63 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh @@ -0,0 +1,5 @@ +# platform = multi_platform_debian + +{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}} + +{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml new file mode 120000 index 00000000000..70f08ba8db1 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml @@ -0,0 +1 @@ +ubuntu.xml \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index 3b8210eaea5..99fb2b5abfa 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml 
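Review bot: The three `lineinfile` tasks are a hand copy of the shared `ansible_ensure_pam_module_option` macro with one change (the control field taken as a regex), so this file will drift from the macro as it is maintained; extending the macro with a flag that skips escaping of `control` would keep a single implementation. If the copy is kept, the header comment should state the matching constraint, e.g. `# Matches only pam_unix.so lines whose control field has the form [success=<n> ...]; other control syntaxes are left untouched.`. Note also that `lineinfile` with `backrefs: true` rewrites only the last line the regexp matches, so a password stack with more than one matching `pam_unix.so` line is only partially remediated; if that is acceptable for this product it deserves a comment next to the second and third tasks.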
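Review bot: `bash_ensure_pam_module_options` receives a regex (`'\[success=[[:alnum:]].*\]'`) in its control argument; the ansible counterpart's header comment says the shared macros treat that field as a constant and escape it, and if the bash macro likewise reuses the argument to build the line it inserts when no match exists, the backslashes and bracket expression would be written verbatim into /etc/pam.d/common-password as an invalid control field. Confirm how the macro uses the argument before relying on it, or pass the literal control string and keep regex matching to the search side only. The same question applies to the patch 08 bash/shared.sh hunk, which passes `'\[success=1 default=ignore\]'` to `bash_ensure_pam_module_configuration`.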
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Limit Password Reuse' -{{% if 'ubuntu' not in product %}} +{{% if 'ubuntu' not in product and 'debian' not in product %}} {{% set configFile = "/etc/pam.d/system-auth" %}} {{% else %}} {{% set configFile = "/etc/pam.d/common-password" %}} From 275374517c06fdf1c18fd1544662cfdb0772ab6a Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:03:23 +0100 Subject: [PATCH 03/33] update accounts_passwords_pam_faillock_deny for debian 12 --- .../accounts_passwords_pam_faillock_deny/bash/shared.sh | 2 +- .../accounts_passwords_pam_faillock_deny/oval/debian.xml | 1 + .../accounts_passwords_pam_faillock_deny/rule.yml | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) create mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh index 449d912d0dd..78b9442c95d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml new file mode 120000 index 00000000000..70f08ba8db1 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml @@ -0,0 +1 @@ +ubuntu.xml \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index 41fba880482..eeb26a045b7 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml @@ -19,7 +19,7 @@ description: |- Where count should be less than or equal to {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} and greater than 0. {{% endif %}} - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. @@ -95,7 +95,7 @@ fixtext: |- edit the deny parameter in the following line after the pam_unix.so statement in the auth section, like this:
auth required pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- {{% elif 'ubuntu' in product %}} + {{% elif 'ubuntu' in product or 'debian' in product %}} Edit /etc/pam.d/common-auth and ensure that faillock is configured. The pam_faillock.so lines surround the pam_unix.so line. The comment "Added to enable faillock" is shown to highlight the additional lines From a5721174ebd5b4758c16e183c53d240a1721c48e Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:04:10 +0100 Subject: [PATCH 04/33] update accounts_passwords_pam_faillock_interval rule for Debian 12 --- .../accounts_passwords_pam_faillock_interval/bash/shared.sh | 2 +- .../accounts_passwords_pam_faillock_interval/oval/debian.xml | 1 + .../accounts_passwords_pam_faillock_interval/rule.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) create mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh index e7a0882f25c..d8b1908b719 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_debian {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml new file mode 120000 index 00000000000..70f08ba8db1 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml @@ -0,0 +1 @@ +ubuntu.xml \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml index f4e2cc50c93..e4bd615121e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml @@ -17,7 +17,7 @@ description: |- Ensure that the file /etc/security/faillock.conf contains the following entry: fail_interval = <interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater. {{% endif %}} - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. From 58406cb41a3d49e324746420fb92d299daf2e139 Mon Sep 17 00:00:00 2001 
From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:05:02 +0100 Subject: [PATCH 05/33] update accounts_passwords_pam_faillock_unlock_time rule for debian 12 --- .../accounts_passwords_pam_faillock_unlock_time/bash/shared.sh | 2 +- .../accounts_passwords_pam_faillock_unlock_time/oval/debian.xml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh index 3a32aad36c0..57ef23c9ef3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_debian {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml new file mode 120000 index 00000000000..70f08ba8db1 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml @@ -0,0 +1 @@ +ubuntu.xml \ No newline at end of file 
From 028416ac58a97b4f37c55fd1aae876b183bc88fb Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:05:50 +0100 Subject: [PATCH 06/33] update accounts_password_pam_retry rule for debian 12 --- .../accounts_password_pam_retry/bash/debian.sh | 5 +++++ .../accounts_password_pam_retry/oval/shared.xml | 2 +- .../accounts_password_pam_retry/rule.yml | 6 +++--- 3 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh new file mode 100644 index 00000000000..5324cef7214 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh @@ -0,0 +1,5 @@ +# platform = multi_platform_debian + +{{{ bash_instantiate_variables("var_password_pam_retry") }}} + +{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', 'retry', "$var_password_pam_retry", "$var_password_pam_retry") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml index ee1f51d3d4c..4ae8aec49b3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml 
@@ -1,4 +1,4 @@ -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} {{% set configuration_files = ["common-password"] %}} {{% elif product in ['ol8','ol9','rhel8', 'rhel9'] %}} {{% set configuration_files = ["password-auth","system-auth"] %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml index 411a67363a4..aa51339458f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml @@ -9,7 +9,7 @@ description: |- Edit the /etc/security/pwquality.conf to include {{% else %}} Edit the pam_pwquality.so statement in - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} /etc/pam.d/system-auth to show {{% else %}} /etc/pam.d/common-password to show @@ -63,7 +63,7 @@ ocil: |-
$ grep retry /etc/security/pwquality.conf
{{% else %}} Check for the use of the "pwquality" retry option in the PAM files with the following command: - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or 'debian' in product %}}
$ grep pam_pwquality /etc/pam.d/common-password
{{% else %}}
$ grep pam_pwquality /etc/pam.d/system-auth
@@ -82,7 +82,7 @@ fixtext: |- retry={{{ xccdf_value("var_password_pam_retry") }}} {{% else %}} - {{% if 'ubuntu' in product %}} + {{% if 'ubuntu' in product or 'debian' in product %}} Add the following line to the "/etc/pam.d/common-password" file (or modify the line to have the required value): {{% else %}} Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): From e5c46775bd268b2fdb16fd668710ae1204f758ff Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:06:35 +0100 Subject: [PATCH 07/33] update accounts_password_set_max_life_root for debian 12 --- .../accounts_password_set_max_life_root/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh index 808365173de..7bdb759f686 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel +# platform = multi_platform_rhel,multi_platform_debian # reboot = false # strategy = restrict # complexity = low From 60345e9a8c378122ab3889d14e7f428cdb27cb82 Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:08:55 +0100 Subject: [PATCH 08/33] update accounts_password_pam_unix_rounds_password_auth for debian 12 --- .../bash/shared.sh | 4 +++- .../oval/shared.xml | 6 +++++- .../rule.yml | 18 +++++++++++++++--- 3 files changed, 23 insertions(+), 5 deletions(-) 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh index a40010714fb..7374c21e869 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh @@ -1,9 +1,11 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian {{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}} {{% if product in ["sle12", "sle15"] %}} {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}} +{{% elif product in ["debian12"] %}} +{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}} {{% else %}} {{{ bash_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}} {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml index 40f37245d66..33076d3621c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml 
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["sle12", "sle15", "debian12"] %}} {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}} {{% else %}} {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}} @@ -19,7 +19,11 @@ ^{{{ pam_passwd_file_path }}}$ + {{% if product in ["debian12"] %}} + ^\s*password\s+.*\s+pam_unix\.so.*rounds=([0-9]*).*$ + {{% else %}} ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ + {{% endif %}} 1 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml index f454d4ef615..428b3e6948f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Set number of Password Hashing Rounds - password-auth' -{{% if product in ["sle12", "sle15"] %}} +{{% if product in ["sle12", "sle15", "debian12"] %}} {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}} {{% else %}} {{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}} @@ -15,8 +15,13 @@ description: |-

In file {{{ pam_passwd_file_path }}} append rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}} to the pam_unix.so entry, as shown below: + {{% if product in ["debian12"] %}} +
password [success=1 default=ignore] pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ {{% else %}}
password sufficient pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ The system's default number of rounds is 5000. + {{% endif %}} rationale: |- Using a higher number of rounds makes password cracking attacks more difficult. @@ -45,7 +50,11 @@ ocil: |- To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds {{{ pam_passwd_file_path }}}
The output should show the following match: + {{% if product in ["debian12"] %}} +
password [sucess=1 default=ignore] pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ {{% else %}}
password sufficient pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ {{% endif %}} platform: package[pam] @@ -54,7 +63,10 @@ fixtext: |- Add or modify the following line in "{{{ pam_passwd_file_path }}}" and set "rounds" to {{{ xccdf_value("var_password_pam_unix_rounds") }}}. For example: - + {{% if product in ["debian12"] %}} + password [sucess=1 default=ignore] pam_unix.so sha512 rounds=5000 + {{% else %}} password sufficient pam_unix.so sha512 rounds=5000 - + {{% endif %}} + srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.' From 04ff94616c48fa30c10c9a76af4ca40dc7cee91d Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:13:08 +0100 Subject: [PATCH 09/33] add oval_feed_url in debian 12 product and update security_patches_up_to_date rule --- .../software/updating/security_patches_up_to_date/rule.yml | 2 +- products/debian12/product.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml index fed8d1e7e33..b49c478adb6 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -20,7 +20,7 @@ description: |- If the system is configured for online updates, invoking the following command will list available security updates:
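Review bot: The debian12 branches of the ocil and fixtext hunks spell the control token `sucess`; the ocil's expected output will never match a correctly configured file, and an administrator who applies the fixtext line verbatim writes an invalid control field into common-password, which PAM will likely reject for that line. Both should read `password [success=1 default=ignore] pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}` (ocil) and `password [success=1 default=ignore] pam_unix.so sha512 rounds=5000` (fixtext); the description hunk earlier in this file already has the correct spelling. The examples also hard-code `sha512`; if the product's stock pam_unix line uses a different hashing option, the example should show that one instead — verify against the shipped /etc/pam.d/common-password.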
$ sudo zypper refresh && sudo zypper list-patches -g security
-{{% elif 'ubuntu' in product %}} +{{% elif 'ubuntu' in product or 'debian' in product %}} If the system has an apt repository available, run the following command to install updates:
$ apt update && apt full-upgrade
{{% endif %}} diff --git a/products/debian12/product.yml b/products/debian12/product.yml index 93a29d900f3..7077bc2263a 100644 --- a/products/debian12/product.yml +++ b/products/debian12/product.yml @@ -17,6 +17,7 @@ pkg_manager: "apt_get" init_system: "systemd" +oval_feed_url: "https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2" cpes_root: "../../shared/applicability" cpes: From 1a69ed265151f768f7e40ada04df70f2d53100ba Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:14:28 +0100 Subject: [PATCH 10/33] update bash_enable_pam_faillock_directly_in_pam_files macro for debian 12 --- shared/macros/10-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 3e4f668e0ff..3d6ff4fc8c0 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -783,7 +783,7 @@ authselect enable-feature {{{ feature }}} #}} {{%- macro bash_enable_pam_faillock_directly_in_pam_files() -%}} -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} pam_file="/etc/pam.d/common-auth" if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then # insert at the top From e6f0f0d1147c9c912380b9af2860e37d9bae3906 Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:16:55 +0100 Subject: [PATCH 11/33] update accounts_password templates for debian 12 --- shared/templates/accounts_password/ansible.template | 2 +- shared/templates/accounts_password/bash.template | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template index b324dc01a35..efa3c322928 100644 --- a/shared/templates/accounts_password/ansible.template +++ b/shared/templates/accounts_password/ansible.template 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # reboot = false # strategy = restrict # complexity = low diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template index 46e98c1471a..2c35f3e218d 100644 --- a/shared/templates/accounts_password/bash.template +++ b/shared/templates/accounts_password/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian # reboot = false # strategy = restrict # complexity = low From d2633eaa6bd2479a982e5ac996e5a8b9ed74726f Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 18:35:07 +0100 Subject: [PATCH 12/33] update set_password_hashing_algorithm_logindefs for debian 12 --- .../set_password_hashing_algorithm_logindefs/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh index 2712118e5e3..517689729fc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}} {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}} From 44d2ddfca103a38bc29dd7d063e964ce43c07384 Mon Sep 17 00:00:00 2001 From: Alexandre Skrzyniarz Date: Thu, 15 Feb 2024 20:25:05 +0100 Subject: [PATCH 13/33] update package_pam_pwquality_installed for debian 12 --- .../accounts-pam/package_pam_pwquality_installed/rule.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml index 04a3230ceb7..7791262d72f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Install pam_pwquality Package' description: |- - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} {{{ describe_package_install(package="libpwquality") }}} {{% else %}} {{{ describe_package_install(package="libpam-pwquality") }}} @@ -34,7 +34,7 @@ references: ocil_clause: 'the package is not installed' ocil: |- -{{%- if 'ubuntu' not in product %}} +{{%- if 'ubuntu' not in product and 'debian' not in product %}} {{{ ocil_package(package="libpwquality") }}} {{%- else %}} {{{ ocil_package(package="libpam-pwquality") }}} 
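Review bot: Extending this remediation to Debian rewrites `ENCRYPT_METHOD` in /etc/login.defs, but Debian's stock /etc/pam.d/common-password names the hashing algorithm explicitly on the `pam_unix.so` line, and an explicit option there is what pam_unix uses rather than login.defs — so on a default install this change may not alter the hash applied on password change; confirm against the product's pam configuration before the profile relies on it. If the variable's default is a SHA-based method while the product ships a stronger default, the remediation would also replace that default, which is worth stating in the rule. A line such as `# On Debian the pam_unix line may carry an explicit algorithm that overrides this setting` above the `bash_replace_or_append` call would document the limitation.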
@@ -46,5 +46,6 @@ template:
 pkgname: libpwquality
 pkgname@ubuntu2004: libpam-pwquality
 pkgname@ubuntu2204: libpam-pwquality
+ pkgname@debian12: libpam-pwquality
 platform: package[pam]
From f0ea6d4498419f8e597d945a4e31867756cd6eab Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 15 Feb 2024 18:35:37 +0100
Subject: [PATCH 14/33] update anssi bp28 minimal profile for debian 12
Activate some rules that were previously disabled due to an incompatible prodtype.
---
 .../profiles/anssi_bp28_minimal.profile | 32 +++----------------
 1 file changed, 5 insertions(+), 27 deletions(-)
diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
index ded77a47463..2508a5d644d 100644
--- a/products/debian12/profiles/anssi_bp28_minimal.profile
+++ b/products/debian12/profiles/anssi_bp28_minimal.profile
@@ -15,55 +15,33 @@ selections:
 - anssi:all:minimal
 # PASS_MIN_LEN is handled by PAM on debian systems.
 - '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
 # Following rules once had a prodtype incompatible with the debian12 product
- - '!package_ypserv_removed'
- - '!accounts_password_pam_dcredit'
 - '!accounts_passwords_pam_tally2_deny_root'
- - '!security_patches_up_to_date'
- - '!package_sendmail_removed'
 - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!accounts_passwords_pam_faillock_interval'
- - '!file_permissions_ungroupowned'
 - '!set_password_hashing_algorithm_systemauth'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
 - '!package_dnf-automatic_installed'
- - '!no_files_unowned_by_user'
 - '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
 - '!dnf-automatic_security_updates_only'
 - '!cracklib_accounts_password_pam_lcredit'
 - '!dnf-automatic_apply_updates'
 - '!cracklib_accounts_password_pam_ocredit'
- - '!package_telnet-server_removed'
- - '!package_talk_removed'
- - '!accounts_password_pam_minlen'
- - '!package_talk-server_removed'
- - '!package_ypbind_removed'
 - '!accounts_password_pam_unix_rounds_system_auth'
 - '!timer_dnf-automatic_enabled'
 - '!accounts_passwords_pam_tally2'
 - '!cracklib_accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
 - '!file_permissions_unauthorized_sgid'
 - '!ensure_gpgcheck_local_packages'
 - '!accounts_passwords_pam_tally2_unlock_time'
 - '!enable_authselect'
 - '!cracklib_accounts_password_pam_minlen'
- - '!package_dhcp_removed'
- - '!package_telnet_removed'
- - '!dir_perms_world_writable_root_owned'
 - '!cracklib_accounts_password_pam_dcredit'
- - '!package_xinetd_removed'
 - '!ensure_gpgcheck_globally_activated'
- - '!package_tftp_removed'
- - '!package_rsh-server_removed'
- - '!accounts_password_pam_ucredit'
 - '!file_permissions_unauthorized_suid'
 - '!ensure_gpgcheck_never_disabled'
 - '!ensure_oracle_gpgkey_installed'
+
From e5e761f5ed626657a0ecd1974540e7a8821fe38f Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Fri, 16 Feb 2024 12:04:34 +0100
Subject: [PATCH 15/33] add audit_rules_privileged_commands_sudo for debian 12
---
 .../audit_rules_privileged_commands_sudo/rule.yml | 2 +-
 .../templates/audit_rules_privileged_commands/bash.template | 4 ++--
 .../templates/audit_rules_privileged_commands/oval.template | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 035ad30cef6..386996adf55 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
 {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 63dfcb06cca..b1acb0c9e2d 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
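Review bot: The lone `+` at the end of the hunk adds an empty line after `'!ensure_oracle_gpgkey_installed'`, i.e. a blank line at end of file, which yamllint's empty-lines rule (max-end) reports; drop it so the file ends with the last entry's newline. A second point: dropping the exclusions enables `accounts_passwords_pam_faillock_deny`, `_unlock_time` and `_interval` for debian12 while `'!accounts_passwords_pam_faillock_deny_root'` stays, so root is left out of the lockout policy those rules configure — if that is deliberate, a short comment above it giving the reason (for example `# deny_root has no debian12 content yet`, if that is the case) would spare the next reader the question. The selections list continues above the hunk.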
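Review bot: The product list that decides whether `perm_x` is set now lives in three hand-maintained copies — this rule.yml, and bash.template and oval.template under the same patch — and they already drift (this one lists `rhcos4`, the two templates do not), so the next product addition can easily miss one. Hoisting the list into a single shared Jinja variable or macro, with `{{# keep in sync: products whose audit rules carry -F perm=x #}}` above it, would turn the Debian change into one edit. The rest of rule.yml is outside the hunk, so I have not checked whether debian12 also needs adding to any other product-specific key there.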
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,7 +1,7 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
 {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 ACTION_ARCH_FILTERS="-a always,exit"
 OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 7ef67818cbf..617df29299d 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
 {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
 {{%- endif %}}
From cb2330a6faded654958fc525a111c30854f53302 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Fri, 16 Feb 2024 12:27:16 +0100
Subject: [PATCH 16/33] update debian12 anssi intermediary profile
Add some rules that were previously disabled due to prodtype.
---
 .../profiles/anssi_bp28_intermediary.profile | 132 +++---------------
 1 file changed, 16 insertions(+), 116 deletions(-)
diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
index b45640eecfc..0009703a286 100644
--- a/products/debian12/profiles/anssi_bp28_intermediary.profile
+++ b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -20,138 +20,38 @@ selections:
 - anssi:all:intermediary
 # PASS_MIN_LEN is handled by PAM on debian systems.
 - '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
 # Debian uses apparmor
 - '!selinux_state'
 # The following are MLS related rules (not part of ANSSI-BP-028)
 - '!accounts_polyinstantiated_tmp'
 - '!accounts_polyinstantiated_var_tmp'
+ - '!enable_pam_namespace'
+
 # Following rules once had a prodtype incompatible with the debian12 product
- - '!sysctl_net_ipv4_conf_default_secure_redirects'
- - '!accounts_password_pam_dcredit'
- - '!package_sendmail_removed'
- - '!partition_for_boot'
- - '!sysctl_net_ipv4_conf_all_accept_source_route'
- - '!mount_option_home_nosuid'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!package_dnf-automatic_installed'
 - '!accounts_passwords_pam_faillock_deny_root'
+ - '!dnf-automatic_security_updates_only'
 - '!cracklib_accounts_password_pam_lcredit'
- - '!sysctl_fs_protected_regular'
 - '!dnf-automatic_apply_updates'
 - '!cracklib_accounts_password_pam_ocredit'
- - '!enable_pam_namespace'
- - '!package_talk_removed'
- - '!accounts_password_pam_minlen'
 - '!accounts_password_pam_unix_rounds_system_auth'
- - '!grub2_page_poison_argument'
- - '!ensure_gpgcheck_local_packages'
- - '!grub2_uefi_password'
- - '!sysctl_net_ipv6_conf_all_accept_redirects'
- - '!package_sudo_installed'
- - '!package_xinetd_removed'
- - '!package_rsh-server_removed'
- - '!mount_option_srv_nosuid'
- - '!mount_option_boot_noexec'
- - '!mount_option_var_tmp_noexec'
- - '!sysctl_net_ipv6_conf_default_router_solicitations'
- - '!package_ypserv_removed'
- - '!mount_option_tmp_nosuid'
- - '!security_patches_up_to_date'
- - '!sysctl_net_ipv4_conf_all_rp_filter'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!file_permissions_ungroupowned'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_net_ipv6_conf_all_accept_ra_defrtr'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
- - '!sysctl_net_ipv4_conf_default_accept_redirects'
- - '!package_dnf-automatic_installed'
- - '!sysctl_kernel_perf_event_max_sample_rate'
- - '!sysctl_net_ipv6_conf_all_accept_ra_pinfo'
- - '!sysctl_kernel_perf_cpu_time_max_percent'
 - '!timer_dnf-automatic_enabled'
 - '!accounts_passwords_pam_tally2'
- - '!accounts_password_pam_unix_remember'
- - '!file_permissions_unauthorized_sgid'
- - '!sysctl_net_ipv6_conf_all_router_solicitations'
- - '!sysctl_net_ipv4_conf_default_rp_filter'
- - '!sudo_add_umask'
- - '!sudo_add_env_reset'
- - '!package_dhcp_removed'
- - '!sysctl_net_ipv6_conf_default_accept_source_route'
- - '!sysctl_fs_protected_fifos'
- - '!grub2_page_alloc_shuffle_argument'
- - '!mount_option_var_noexec'
- - '!accounts_password_pam_ucredit'
- - '!ensure_gpgcheck_never_disabled'
- - '!mount_option_opt_nosuid'
- - '!partition_for_opt'
- - '!sysctl_kernel_sysrq'
- - '!sysctl_net_ipv4_ip_forward'
- - '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
- - '!postfix_network_listening_disabled'
- - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_interval'
- - '!sudo_add_ignore_dot'
- - '!sysctl_kernel_perf_event_paranoid'
- - '!mount_option_var_log_nosuid'
- - '!sysctl_net_ipv6_conf_default_autoconf'
- - '!sysctl_net_ipv6_conf_default_max_addresses'
- - '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref'
- - '!grub2_mds_argument'
- - '!grub2_slub_debug_argument'
- - '!dnf-automatic_security_updates_only'
- - '!mount_option_var_log_noexec'
- - '!partition_for_usr'
- - '!package_telnet-server_removed'
- - '!sysctl_net_ipv4_ip_local_port_range'
- - '!package_talk-server_removed'
- - '!sysctl_kernel_pid_max'
- - '!package_ypbind_removed'
- - '!sysctl_net_ipv4_conf_default_send_redirects'
- - '!mount_option_var_nosuid'
- - '!sysctl_net_ipv6_conf_all_max_addresses'
- - '!sysctl_net_ipv4_conf_all_accept_redirects'
 - '!cracklib_accounts_password_pam_ucredit'
- - '!sysctl_net_ipv4_conf_all_send_redirects'
- - '!sysctl_net_ipv4_conf_all_secure_redirects'
+ - '!file_permissions_unauthorized_sgid'
+ - '!ensure_gpgcheck_local_packages'
 - '!accounts_passwords_pam_tally2_unlock_time'
- - '!sysctl_net_ipv4_conf_default_accept_source_route'
- - '!cracklib_accounts_password_pam_minlen'
- - '!sebool_polyinstantiation_enabled'
- - '!accounts_tmout'
- - '!mount_option_nodev_nonroot_local_partitions'
- - '!package_tftp_removed'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!grub2_pti_argument'
- - '!file_permissions_unauthorized_suid'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_net_ipv6_conf_default_accept_redirects'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!sysctl_vm_mmap_min_addr'
- - '!sysctl_net_ipv4_tcp_rfc1337'
- - '!sysctl_net_ipv4_tcp_syncookies'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_ipv6_conf_default_accept_ra_pinfo'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
- - '!no_files_unowned_by_user'
- - '!mount_option_boot_nosuid'
- - '!audit_rules_privileged_commands_sudo'
- - '!mount_option_tmp_noexec'
- - '!mount_option_home_noexec'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_accept_source_route'
- - '!sysctl_net_ipv6_conf_default_accept_ra_defrtr'
 - '!enable_authselect'
- - '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses'
- - '!sysctl_kernel_dmesg_restrict'
- - '!package_telnet_removed'
- - '!grub2_password'
- - '!dir_perms_world_writable_root_owned'
+ - '!cracklib_accounts_password_pam_minlen'
 - '!cracklib_accounts_password_pam_dcredit'
- - '!partition_for_var_tmp'
 - '!ensure_gpgcheck_globally_activated'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!file_permissions_unauthorized_suid'
+ - '!ensure_gpgcheck_never_disabled'
 - '!ensure_oracle_gpgkey_installed'
- - '!mount_option_var_tmp_nosuid'
From ee621300ca5527b4b5bae9e1425ca437e9cd7b72 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Mon, 19 Feb 2024 10:27:55 +0100
Subject: [PATCH 17/33] activate bash remediation for debian12 in audit_rules_privileged_commands_insmod
---
 .../audit_rules_privileged_commands_insmod/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
index 29bfc7be7d2..d9f12fbe2d7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/insmod", "x", "modules") }}}
From 69720ab8e6bee00d1dc7194ddad627e3bb2dc7c3 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Mon, 19 Feb 2024 10:29:13 +0100
Subject: [PATCH 18/33] activate bash remediation for debian12 in audit_rules_privileged_commands_modprobe
---
 .../audit_rules_privileged_commands_modprobe/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
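Review bot: Removing `- '!sebool_polyinstantiation_enabled'` selects an SELinux-boolean rule in a profile that disables `selinux_state` because "Debian uses apparmor"; unless the rule carries a platform that makes it not applicable without SELinux (not visible here), it will now be evaluated on systems that have no SELinux policy at all. Keep the exclusion, preferably under the apparmor comment: `- '!sebool_polyinstantiation_enabled'`. The enhanced profile hunk under PATCH 21 drops the same line, and the high profile hunk under PATCH 22 additionally drops `'!sebool_ssh_sysadm_login'`, `'!sebool_selinuxuser_execstack'` and `'!sebool_selinuxuser_execheap'` (that hunk runs past the end of this view). With most of the list gone, the retained `# Following rules once had a prodtype incompatible with the debian12 product` no longer explains why the remaining dnf, authselect and RPM-key rules stay disabled; `# Not applicable on Debian (dnf/authselect/RPM-key specific)` would.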
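Review bot: On Debian 12 `/sbin` is a merged-/usr symlink to `/usr/sbin` and `insmod` there is itself a symlink to the `kmod` binary, so the `-w /sbin/insmod -p x` watch this remediation installs may be attached to the link rather than to the file the execve actually opens, and never fire. Please check on a stock debian12 system that running insmod yields an audit event with key `modules`; if it does not, point the watch at the resolved binary or rely on the kmod rule (the enhanced profile under PATCH 21 enables `audit_rules_privileged_commands_kmod`) and say so in rule.yml. The modprobe and rmmod hunks under PATCHES 18 and 19 raise the same question.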
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
index ed9771d0dfd..59dbba17482 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu,multi_platform_debian
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/modprobe", "x", "modules") }}}
From b3017a5902ace4199c15bd2b5f72a981f104c280 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Mon, 19 Feb 2024 10:29:39 +0100
Subject: [PATCH 19/33] activate bash remediation for debian12 in audit_rules_privileged_commands_rmmod
---
 .../audit_rules_privileged_commands_rmmod/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
index bf0a58b4336..afade41bccb 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/sbin/rmmod", "x", "modules") }}}
From 43e27b7c54ef7e58109bc258606679c43f0ec99a Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Mon, 19 Feb 2024 10:31:28 +0100
Subject: [PATCH 20/33] enable bash remediation for debian12 in audit_rules_usergroup_modification
---
 .../templates/audit_rules_usergroup_modification/bash.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/audit_rules_usergroup_modification/bash.template b/shared/templates/audit_rules_usergroup_modification/bash.template
index 62faac341c9..8a5568795f7 100644
--- a/shared/templates/audit_rules_usergroup_modification/bash.template
+++ b/shared/templates/audit_rules_usergroup_modification/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
From 99a91f3dc59ba274f56f0cb71c703250035b377e Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Mon, 19 Feb 2024 10:33:54 +0100
Subject: [PATCH 21/33] update debian12 anssi enhanced profile
Add some rules that were previously disabled due to prodtype.
---
 .../profiles/anssi_bp28_enhanced.profile | 170 +++---------------
 1 file changed, 25 insertions(+), 145 deletions(-)
diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
index b03c0008011..61111bf85a7 100644
--- a/products/debian12/profiles/anssi_bp28_enhanced.profile
+++ b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -13,170 +13,50 @@ description: |-
 selections:
 - anssi:all:enhanced
- - package_rsyslog_installed
- - service_rsyslog_enabled
+ - 'package_rsyslog_installed'
+ - 'service_rsyslog_enabled'
 # PASS_MIN_LEN is handled by PAM on debian systems.
 - '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
 # Debian uses apparmor
 - '!selinux_state'
 - '!audit_rules_mac_modification'
- - apparmor_configured
- - all_apparmor_profiles_enforced
- - grub2_enable_apparmor
- - package_apparmor_installed
- - package_pam_apparmor_installed
+ - '!selinux_policytype'
+ - 'apparmor_configured'
+ - 'all_apparmor_profiles_enforced'
+ - 'grub2_enable_apparmor'
+ - 'package_apparmor_installed'
+ - 'package_pam_apparmor_installed'
 # The following are MLS related rules (not part of ANSSI-BP-028)
 - '!accounts_polyinstantiated_tmp'
 - '!accounts_polyinstantiated_var_tmp'
+ - '!enable_pam_namespace'
+
 # Following rules once had a prodtype incompatible with the debian12 product
- - '!sysctl_net_ipv4_conf_default_secure_redirects'
- - '!accounts_password_pam_dcredit'
- - '!package_sendmail_removed'
- - '!partition_for_boot'
- - '!sysctl_net_ipv4_conf_all_accept_source_route'
- - '!mount_option_home_nosuid'
- - '!audit_rules_usergroup_modification_opasswd'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!package_dnf-automatic_installed'
 - '!accounts_passwords_pam_faillock_deny_root'
+ - '!dnf-automatic_security_updates_only'
 - '!cracklib_accounts_password_pam_lcredit'
- - '!sysctl_fs_protected_regular'
 - '!dnf-automatic_apply_updates'
 - '!cracklib_accounts_password_pam_ocredit'
- - '!enable_pam_namespace'
- - '!package_talk_removed'
- - '!audit_rules_privileged_commands_insmod'
- - '!accounts_password_pam_minlen'
 - '!accounts_password_pam_unix_rounds_system_auth'
- - '!sudo_dedicated_group'
- - '!chronyd_configure_pool_and_server'
- - '!grub2_page_poison_argument'
- - '!ensure_gpgcheck_local_packages'
- - '!grub2_uefi_password'
- - '!sysctl_net_ipv6_conf_all_accept_redirects'
- - '!audit_rules_usergroup_modification_group'
- - '!package_sudo_installed'
- - '!package_xinetd_removed'
- - '!package_rsh-server_removed'
- - '!mount_option_srv_nosuid'
- - '!audit_sudo_log_events'
- - '!mount_option_boot_noexec'
- - '!mount_option_var_tmp_noexec'
- - '!sysctl_net_ipv6_conf_default_router_solicitations'
- - '!package_ypserv_removed'
- - '!mount_option_tmp_nosuid'
- - '!service_chronyd_or_ntpd_enabled'
- - '!security_patches_up_to_date'
- - '!sysctl_net_ipv4_conf_all_rp_filter'
- - '!timer_logrotate_enabled'
- - '!rsyslog_remote_tls'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!file_permissions_ungroupowned'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_net_ipv6_conf_all_accept_ra_defrtr'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
- - '!sysctl_net_ipv4_conf_default_accept_redirects'
- - '!package_dnf-automatic_installed'
- - '!audit_rules_privileged_commands_modprobe'
- - '!sysctl_kernel_perf_event_max_sample_rate'
- - '!sysctl_net_ipv6_conf_all_accept_ra_pinfo'
- - '!sysctl_kernel_perf_cpu_time_max_percent'
 - '!timer_dnf-automatic_enabled'
 - '!accounts_passwords_pam_tally2'
- - '!accounts_password_pam_unix_remember'
- - '!file_permissions_unauthorized_sgid'
- - '!sysctl_net_ipv6_conf_all_router_solicitations'
- - '!sysctl_net_ipv4_conf_default_rp_filter'
- - '!audit_rules_usergroup_modification_shadow'
- - '!sudo_add_umask'
- - '!sudo_add_env_reset'
- - '!package_dhcp_removed'
- - '!audit_rules_privileged_commands_kmod'
- - '!sysctl_net_ipv6_conf_default_accept_source_route'
- - '!sysctl_fs_protected_fifos'
- - '!grub2_page_alloc_shuffle_argument'
- - '!mount_option_var_noexec'
- - '!accounts_password_pam_ucredit'
- - '!ensure_gpgcheck_never_disabled'
- - '!mount_option_opt_nosuid'
- - '!partition_for_opt'
- - '!sysctl_kernel_sysrq'
- - '!sysctl_net_ipv4_ip_forward'
- - '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
- - '!postfix_network_listening_disabled'
- - '!install_PAE_kernel_on_x86-32'
- - '!sysctl_kernel_modules_disabled'
- - '!audit_rules_usergroup_modification_gshadow'
- - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_interval'
- - '!sudo_add_ignore_dot'
- - '!sysctl_kernel_perf_event_paranoid'
- - '!mount_option_var_log_nosuid'
- - '!sysctl_net_ipv6_conf_default_autoconf'
- - '!sysctl_net_ipv6_conf_default_max_addresses'
- - '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref'
- - '!grub2_mds_argument'
- - '!audit_rules_privileged_commands_rmmod'
- - '!grub2_slub_debug_argument'
- - '!dnf-automatic_security_updates_only'
- - '!audit_rules_usergroup_modification_passwd'
- - '!mount_option_var_log_noexec'
- - '!partition_for_usr'
- - '!package_telnet-server_removed'
- - '!sysctl_net_ipv4_ip_local_port_range'
- - '!package_talk-server_removed'
- - '!sysctl_kernel_pid_max'
- - '!package_ypbind_removed'
- - '!sysctl_net_ipv4_conf_default_send_redirects'
- - '!mount_option_var_nosuid'
- - '!sysctl_net_ipv6_conf_all_max_addresses'
- - '!sysctl_net_ipv4_conf_all_accept_redirects'
 - '!cracklib_accounts_password_pam_ucredit'
- - '!sysctl_net_ipv4_conf_all_send_redirects'
- - '!sysctl_net_ipv4_conf_all_secure_redirects'
+ - '!file_permissions_unauthorized_sgid'
+ - '!ensure_gpgcheck_local_packages'
 - '!accounts_passwords_pam_tally2_unlock_time'
- - '!selinux_policytype'
- - '!sysctl_net_ipv4_conf_default_accept_source_route'
- - '!cracklib_accounts_password_pam_minlen'
- - '!sebool_polyinstantiation_enabled'
- - '!accounts_tmout'
- - '!mount_option_nodev_nonroot_local_partitions'
- - '!package_tftp_removed'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!grub2_pti_argument'
- - '!file_permissions_unauthorized_suid'
- - '!package_rsyslog-gnutls_installed'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_net_ipv6_conf_default_accept_redirects'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!sysctl_vm_mmap_min_addr'
- - '!sysctl_net_ipv4_tcp_rfc1337'
- - '!sysctl_net_ipv4_tcp_syncookies'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_ipv6_conf_default_accept_ra_pinfo'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
- - '!no_files_unowned_by_user'
- - '!package_dracut-fips-aesni_installed'
- - '!mount_option_boot_nosuid'
- - '!audit_rules_privileged_commands_sudo'
- - '!mount_option_tmp_noexec'
- - '!mount_option_home_noexec'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_accept_source_route'
- - '!rsyslog_remote_tls_cacert'
- - '!sysctl_net_ipv6_conf_default_accept_ra_defrtr'
 - '!enable_authselect'
- - '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses'
- - '!sysctl_kernel_dmesg_restrict'
- - '!package_telnet_removed'
- - '!grub2_password'
- - '!dir_perms_world_writable_root_owned'
+ - '!cracklib_accounts_password_pam_minlen'
 - '!cracklib_accounts_password_pam_dcredit'
- - '!partition_for_var_tmp'
 - '!ensure_gpgcheck_globally_activated'
- - '!accounts_umask_etc_bashrc'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!file_permissions_unauthorized_suid'
+ - '!ensure_gpgcheck_never_disabled'
 - '!ensure_oracle_gpgkey_installed'
- - '!mount_option_var_tmp_nosuid'
+ - '!package_dracut-fips-aesni_installed'
From 07aa88162e6b3212d308ef99a3615a6025d7f4ed Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Mon, 19 Feb 2024 12:55:49 +0100
Subject: [PATCH 22/33] update debian12 anssi high profile
Add some rules that were previously disabled due to prodtype.
---
 .../debian12/profiles/anssi_bp28_high.profile | 195 ++----------------
 1 file changed, 18 insertions(+), 177 deletions(-)
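Review bot: `- '!package_dracut-fips-aesni_installed'` is deleted from the middle of the list and re-added as the final line with no comment, so a reader cannot tell it apart from the rules this change deliberately enables; as there is no package of that name in Debian it belongs with the other not-applicable entries under a comment such as `# dracut-fips-aesni is not packaged for Debian`. Several rules newly enabled here — `rsyslog_remote_tls`, `rsyslog_remote_tls_cacert`, `sudo_dedicated_group`, `grub2_password` and `chronyd_configure_pool_and_server` among them — only help if their debian12 checks and remediations exist, which this series does not show; it would be worth confirming in the built datastream that none of them comes out unchecked.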
diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
index b15e6fa7d3e..97db7e1c8d3 100644
--- a/products/debian12/profiles/anssi_bp28_high.profile
+++ b/products/debian12/profiles/anssi_bp28_high.profile
@@ -17,9 +17,14 @@ selections:
 - service_rsyslog_enabled
 # PASS_MIN_LEN is handled by PAM on debian systems.
 - '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
 # Debian uses apparmor
 - '!selinux_state'
 - '!audit_rules_mac_modification'
+ - '!selinux_policytype'
 - apparmor_configured
 - all_apparmor_profiles_enforced
 - grub2_enable_apparmor
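Review bot: The four added entries are single-quoted (`'package_pam_pwquality_installed'`, `'set_password_hashing_algorithm_logindefs'`, `'!selinux_policytype'`) while the neighbouring context lines `- service_rsyslog_enabled`, `- apparmor_configured`, `- all_apparmor_profiles_enforced` and `- grub2_enable_apparmor` stay bare, so this list now mixes both styles; the enhanced profile under PATCH 21 quotes exactly these entries and the high profile should match it. Quoting everything is also the safer default, because a bare `!name` is read by YAML as a tag rather than a string. The selections list continues in the next hunk.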
@@ -28,194 +33,30 @@ selections: # The following are MLS related rules (not part of ANSSI-BP-028) - '!accounts_polyinstantiated_tmp' - '!accounts_polyinstantiated_var_tmp' + - '!enable_pam_namespace' + # Following rules once had a prodtype incompatible with the debian12 product - - '!aide_verify_acls' - - '!sysctl_net_ipv4_conf_default_secure_redirects' - - '!accounts_password_pam_dcredit' - - '!sebool_ssh_sysadm_login' - - '!package_sendmail_removed' - - '!kernel_config_refcount_full' - - '!partition_for_boot' - - '!sysctl_net_ipv4_conf_all_accept_source_route' - - '!mount_option_home_nosuid' - - '!audit_rules_usergroup_modification_opasswd' + - '!accounts_passwords_pam_tally2_deny_root' + - '!ensure_redhat_gpgkey_installed' + - '!set_password_hashing_algorithm_systemauth' + - '!package_dnf-automatic_installed' - '!accounts_passwords_pam_faillock_deny_root' - - '!sysctl_fs_protected_regular' + - '!dnf-automatic_security_updates_only' - '!cracklib_accounts_password_pam_lcredit' - - '!kernel_config_sched_stack_end_check' - '!dnf-automatic_apply_updates' - '!cracklib_accounts_password_pam_ocredit' - - '!enable_pam_namespace' - - '!package_talk_removed' - - '!audit_rules_privileged_commands_insmod' - - '!accounts_password_pam_minlen' - '!accounts_password_pam_unix_rounds_system_auth' - - '!sudo_dedicated_group' - - '!chronyd_configure_pool_and_server' - - '!grub2_page_poison_argument' - - '!ensure_gpgcheck_local_packages' - - '!sebool_selinuxuser_execstack' - - '!grub2_uefi_password' - - '!sysctl_net_ipv6_conf_all_accept_redirects' - - '!kernel_config_slab_freelist_hardened' - - '!audit_rules_usergroup_modification_group' - - '!package_sudo_installed' - - '!kernel_config_slab_merge_default' - - '!package_xinetd_removed' - - '!package_rsh-server_removed' - - '!mount_option_srv_nosuid' - - '!audit_sudo_log_events' - - '!mount_option_boot_noexec' - - '!mount_option_var_tmp_noexec' - - '!kernel_config_gcc_plugin_structleak_byref_all' - - 
'!sysctl_net_ipv6_conf_default_router_solicitations' - - '!package_ypserv_removed' - - '!mount_option_tmp_nosuid' - - '!service_chronyd_or_ntpd_enabled' - - '!sebool_selinuxuser_execheap' - - '!security_patches_up_to_date' - - '!sysctl_net_ipv4_conf_all_rp_filter' - - '!timer_logrotate_enabled' - - '!rsyslog_remote_tls' - - '!accounts_passwords_pam_faillock_unlock_time' - - '!file_permissions_ungroupowned' - - '!set_password_hashing_algorithm_systemauth' - - '!sysctl_net_ipv6_conf_all_accept_ra_defrtr' - - '!package_tftp-server_removed' - - '!package_rsh_removed' - - '!sysctl_net_ipv4_conf_default_accept_redirects' - - '!package_dnf-automatic_installed' - - '!audit_rules_privileged_commands_modprobe' - - '!sysctl_kernel_perf_event_max_sample_rate' - - '!kernel_config_stackprotector_strong' - - '!sysctl_net_ipv6_conf_all_accept_ra_pinfo' - - '!sysctl_kernel_perf_cpu_time_max_percent' - - '!kernel_config_page_poisoning' - '!timer_dnf-automatic_enabled' - '!accounts_passwords_pam_tally2' - - '!accounts_password_pam_unix_remember' - - '!kernel_config_vmap_stack' - - '!file_permissions_unauthorized_sgid' - - '!sysctl_net_ipv6_conf_all_router_solicitations' - - '!sysctl_net_ipv4_conf_default_rp_filter' - - '!audit_rules_usergroup_modification_shadow' - - '!sudo_add_umask' - - '!sudo_add_env_reset' - - '!package_dhcp_removed' - - '!aide_scan_notification' - - '!audit_rules_privileged_commands_kmod' - - '!sysctl_net_ipv6_conf_default_accept_source_route' - - '!sysctl_fs_protected_fifos' - - '!kernel_config_strict_kernel_rwx' - - '!kernel_config_slab_freelist_random' - - '!kernel_config_hardened_usercopy' - - '!grub2_page_alloc_shuffle_argument' - - '!mount_option_var_noexec' - - '!accounts_password_pam_ucredit' - - '!ensure_gpgcheck_never_disabled' - - '!mount_option_opt_nosuid' - - '!partition_for_opt' - - '!sysctl_kernel_sysrq' - - '!aide_periodic_cron_checking' - - '!sysctl_net_ipv4_ip_forward' - - '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' - - 
'!postfix_network_listening_disabled' - - '!install_PAE_kernel_on_x86-32' - - '!sysctl_kernel_modules_disabled' - - '!sebool_secure_mode_insmod' - - '!audit_rules_usergroup_modification_gshadow' - - '!kernel_config_hardened_usercopy_fallback' - - '!ensure_redhat_gpgkey_installed' - - '!accounts_passwords_pam_faillock_interval' - - '!sudo_add_ignore_dot' - - '!sysctl_kernel_perf_event_paranoid' - - '!mount_option_var_log_nosuid' - - '!sysctl_net_ipv6_conf_default_autoconf' - - '!sysctl_net_ipv6_conf_default_max_addresses' - - '!kernel_config_gcc_plugin_latent_entropy' - - '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' - - '!grub2_mds_argument' - - '!audit_rules_privileged_commands_rmmod' - - '!package_setroubleshoot-plugins_removed' - - '!grub2_slub_debug_argument' - - '!dnf-automatic_security_updates_only' - - '!audit_rules_usergroup_modification_passwd' - - '!mount_option_var_log_noexec' - - '!partition_for_usr' - - '!package_telnet-server_removed' - - '!kernel_config_gcc_plugin_stackleak' - - '!kernel_config_arm64_sw_ttbr0_pan' - - '!sysctl_net_ipv4_ip_local_port_range' - - '!package_talk-server_removed' - - '!sysctl_kernel_pid_max' - - '!package_ypbind_removed' - - '!sysctl_net_ipv4_conf_default_send_redirects' - - '!mount_option_var_nosuid' - - '!sysctl_net_ipv6_conf_all_max_addresses' - - '!sysctl_net_ipv4_conf_all_accept_redirects' - '!cracklib_accounts_password_pam_ucredit' - - '!sysctl_net_ipv4_conf_all_send_redirects' - - '!kernel_config_legacy_vsyscall_xonly' - - '!sysctl_net_ipv4_conf_all_secure_redirects' - - '!kernel_config_gcc_plugin_randstruct' + - '!file_permissions_unauthorized_sgid' + - '!ensure_gpgcheck_local_packages' - '!accounts_passwords_pam_tally2_unlock_time' - - '!selinux_policytype' - - '!sysctl_net_ipv4_conf_default_accept_source_route' - - '!cracklib_accounts_password_pam_minlen' - - '!kernel_config_debug_wx' - - '!sebool_polyinstantiation_enabled' - - '!accounts_tmout' - - '!mount_option_nodev_nonroot_local_partitions' - - 
'!package_tftp_removed' - - '!sysctl_net_core_bpf_jit_harden' - - '!kernel_config_strict_module_rwx' - - '!kernel_config_modify_ldt_syscall' - - '!aide_verify_ext_attributes' - - '!grub2_pti_argument' - - '!file_permissions_unauthorized_suid' - - '!package_rsyslog-gnutls_installed' - - '!accounts_passwords_pam_tally2_deny_root' - - '!sysctl_net_ipv6_conf_default_accept_redirects' - - '!sysctl_kernel_unprivileged_bpf_disabled' - - '!kernel_config_legacy_vsyscall_none' - - '!accounts_passwords_pam_faillock_deny' - - '!accounts_password_pam_unix_rounds_password_auth' - - '!aide_periodic_checking_systemd_timer' - - '!sysctl_vm_mmap_min_addr' - - '!sysctl_net_ipv4_tcp_rfc1337' - - '!sysctl_net_ipv4_tcp_syncookies' - - '!sysctl_kernel_yama_ptrace_scope' - - '!sysctl_net_ipv6_conf_default_accept_ra_pinfo' - - '!package_dracut-fips-aesni_installed' - - '!accounts_password_pam_ocredit' - - '!accounts_password_pam_lcredit' - - '!no_files_unowned_by_user' - - '!mount_option_boot_nosuid' - - '!kernel_config_bug_on_data_corruption' - - '!kernel_config_legacy_vsyscall_emulate' - - '!audit_rules_privileged_commands_sudo' - - '!mount_option_tmp_noexec' - - '!mount_option_home_noexec' - - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp' - - '!sebool_deny_execmem' - - '!sysctl_net_ipv6_conf_all_accept_source_route' - - '!rsyslog_remote_tls_cacert' - - '!sysctl_net_ipv6_conf_default_accept_ra_defrtr' - - '!package_setroubleshoot-server_removed' - - '!kernel_config_stackprotector' - - '!kernel_config_gcc_plugin_structleak' - '!enable_authselect' - - '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses' - - '!sysctl_kernel_dmesg_restrict' - - '!package_telnet_removed' - - '!grub2_password' - - '!package_setroubleshoot_removed' - - '!kernel_config_fortify_source' - - '!dir_perms_world_writable_root_owned' + - '!cracklib_accounts_password_pam_minlen' - '!cracklib_accounts_password_pam_dcredit' - - '!partition_for_var_tmp' - '!ensure_gpgcheck_globally_activated' - - 
'!accounts_umask_etc_bashrc' - - '!sysctl_net_ipv6_conf_all_autoconf' + - '!file_permissions_unauthorized_suid' + - '!ensure_gpgcheck_never_disabled' - '!ensure_oracle_gpgkey_installed' - - '!mount_option_var_tmp_nosuid' + - '!package_dracut-fips-aesni_installed' From 1a128648cf79d105baa9cddfaa8c98c1161f7005 Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:20:22 +0100 Subject: [PATCH 23/33] Update linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- .../accounts_passwords_pam_faillock_deny/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh index 78b9442c95d..b30f58f3f88 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_all {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}} From 92c4206ee9fe28612873a69d61b2703f57dde49b Mon Sep 17 00:00:00 2001 
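Review bot: The new comment `# Following rules once had a prodtype incompatible with the debian12 product` groups two different kinds of exclusion under one heading: rules that can never apply to Debian (the dnf-automatic family, authselect, system-auth, the Red Hat/Oracle GPG keys, dracut-fips-aesni) and rules whose checks are generic but apparently not ported yet (`file_permissions_unauthorized_suid`/`_sgid`, the pam_tally2 family). Splitting the list under two comments, e.g. `# Not applicable to Debian` and `# TODO: not yet ported to debian12, re-enable once implemented`, would make it clear which exclusions cost ANSSI coverage and should be revisited. `!accounts_passwords_pam_faillock_deny_root` stays excluded while the sibling deny, interval and unlock_time rules are enabled by this hunk; if that is intentional a short comment next to it would help. Wording: `# The following rules ...`.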
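Review bot: `# platform = multi_platform_all` widens this bash remediation from an explicit product list to every product the build knows, including ones where the fix has presumably not been exercised and where a matching check may not exist; the previous list already contained `multi_platform_debian`, so the change is not needed for the series' stated goal and the commit message should say why the list is being dropped. The same change is made in the next seven patches (faillock interval and unlock_time, logindefs, both accounts_password templates, both audit_rules templates), so this note applies to those hunks too. The interval and unlock_time bash files touched by the two following patches are deleted again later in this series, so those two patches could be squashed away.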
From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:20:30 +0100 Subject: [PATCH 24/33] Update linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- .../accounts_passwords_pam_faillock_interval/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh index d8b1908b719..289690e3d52 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_all {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} From a438906f3ddba63a91751e43adfcfc88ec37ecff Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:20:39 +0100 Subject: [PATCH 25/33] Update linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- .../accounts_passwords_pam_faillock_unlock_time/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh index 57ef23c9ef3..51ef7f32347 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_all {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} From 7ba41dd3dc84aac094d82f13e191c2b5eed70305 Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:20:47 +0100 Subject: [PATCH 26/33] Update linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- .../set_password_hashing_algorithm_logindefs/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh index 517689729fc..c8a246b9048 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_all {{{ bash_instantiate_variables("var_password_hashing_algorithm") }}} {{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}} From 44a24f3d5d9da55305e16526f016fc5f4c3a3b6c Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:20:55 +0100 Subject: [PATCH 27/33] Update shared/templates/accounts_password/ansible.template Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- shared/templates/accounts_password/ansible.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template index efa3c322928..f25e7cc5428 100644 --- a/shared/templates/accounts_password/ansible.template +++ b/shared/templates/accounts_password/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian +# platform = multi_platform_all # reboot = false # strategy = restrict # complexity = low From d1dfc70f8926133c67de85a4483920caf0c92507 Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:21:04 +0100 Subject: [PATCH 28/33] Update shared/templates/accounts_password/bash.template Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- shared/templates/accounts_password/bash.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template index 2c35f3e218d..372db9e6140 100644 --- a/shared/templates/accounts_password/bash.template +++ b/shared/templates/accounts_password/bash.template 
@@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian +# platform = multi_platform_all # reboot = false # strategy = restrict # complexity = low From 64fdbaa235d6a0a7da852a8079b3c0123f30401d Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:22:37 +0100 Subject: [PATCH 29/33] Update shared/templates/audit_rules_privileged_commands/bash.template Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- shared/templates/audit_rules_privileged_commands/bash.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template index b1acb0c9e2d..21121564e81 100644 --- a/shared/templates/audit_rules_privileged_commands/bash.template +++ b/shared/templates/audit_rules_privileged_commands/bash.template @@ -1,7 +1,7 @@ {{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}} {{%- set perm_x=" -F perm=x" %}} {{%- endif %}} -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_all ACTION_ARCH_FILTERS="-a always,exit" OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}" From 4bb30c30f0283dfba0331e20f61638752ec45689 Mon Sep 17 00:00:00 2001 From: Alexandre SKRZYNIARZ Date: Wed, 28 Feb 2024 16:22:45 +0100 Subject: [PATCH 30/33] Update shared/templates/audit_rules_usergroup_modification/bash.template Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> --- .../templates/audit_rules_usergroup_modification/bash.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/shared/templates/audit_rules_usergroup_modification/bash.template b/shared/templates/audit_rules_usergroup_modification/bash.template index 8a5568795f7..bff0ed51210 100644 --- a/shared/templates/audit_rules_usergroup_modification/bash.template +++ b/shared/templates/audit_rules_usergroup_modification/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian +# platform = multi_platform_all # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' From e43969d59b7300cf2040602fa782f0d657744e9c Mon Sep 17 00:00:00 2001 
From: Alexandre Skrzyniarz Date: Thu, 4 Apr 2024 18:01:17 +0200 Subject: [PATCH 31/33] add an account_password_pam_faillock template rewrite accounts_passwords_pam_faillock_interval and accounts_passwords_pam_faillock_unlock_time to use this new template. --- .../ansible/shared.yml | 7 - .../bash/shared.sh | 6 - .../oval/debian.xml | 1 - .../oval/shared.xml | 285 --------------- .../oval/ubuntu.xml | 195 ---------- .../rule.yml | 10 + .../ansible/shared.yml | 7 - .../bash/shared.sh | 6 - .../oval/debian.xml | 1 - .../oval/openeuler.xml | 285 --------------- .../oval/shared.xml | 285 --------------- .../oval/ubuntu.xml | 195 ---------- .../rule.yml | 10 + .../ansible.template | 7 + .../bash.template | 6 + .../oval.template | 335 ++++++++++++++++++ .../template.yml | 4 + .../tests/authselect_modified_pam.fail.sh | 12 + .../conflicting_settings_authselect.fail.sh | 30 ++ .../pam_faillock_conflicting_settings.fail.sh | 16 + .../tests/pam_faillock_disabled.fail.sh | 15 + ...am_faillock_expected_faillock_conf.pass.sh | 10 + .../pam_faillock_expected_pam_files.pass.sh | 6 + ...pam_faillock_lenient_faillock_conf.fail.sh | 10 + .../pam_faillock_lenient_pam_files.fail.sh | 6 + ...ck_multiple_pam_unix_faillock_conf.fail.sh | 18 + ...illock_multiple_pam_unix_pam_files.fail.sh | 12 + ...am_faillock_not_required_pam_files.fail.sh | 24 ++ ...am_faillock_stricter_faillock_conf.pass.sh | 10 + .../pam_faillock_stricter_pam_files.pass.sh | 6 + .../tests/ubuntu_commented_values.fail.sh | 9 + .../tests/ubuntu_common.sh | 50 +++ .../tests/ubuntu_correct.pass.sh | 6 + .../tests/ubuntu_correct_pamd.pass.sh | 7 + .../tests/ubuntu_empty_faillock_conf.fail.sh | 8 + .../tests/ubuntu_missing_pamd.fail.sh | 9 + .../tests/ubuntu_multiple_pam_unix.fail.sh | 11 + .../tests/ubuntu_wrong_value.fail.sh | 6 + 38 files changed, 653 insertions(+), 1273 deletions(-) delete mode 100644 
linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml create mode 100644 shared/templates/pam_account_password_faillock/ansible.template create mode 100644 shared/templates/pam_account_password_faillock/bash.template create mode 100644 shared/templates/pam_account_password_faillock/oval.template create mode 100644 shared/templates/pam_account_password_faillock/template.yml create mode 100644 
shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh create mode 100644 
shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh create mode 100644 shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml deleted file mode 100644 index 039fc519182..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml +++ /dev/null @@ -1,7 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_pam_faillock_enable() }}} -{{{ ansible_pam_faillock_parameter_value("fail_interval", "var_accounts_passwords_pam_faillock_fail_interval") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh deleted file mode 100644 index 289690e3d52..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh +++ /dev/null @@ -1,6 +0,0 @@ -# platform = multi_platform_all - -{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}} - -{{{ bash_pam_faillock_enable() }}} -{{{ bash_pam_faillock_parameter_value("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}} 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml deleted file mode 120000 index 70f08ba8db1..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/debian.xml +++ /dev/null @@ -1 +0,0 @@ -ubuntu.xml \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml deleted file mode 100644 index 1e22214cf84..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml +++ /dev/null 
@@ -1,285 +0,0 @@ - - - {{{ oval_metadata("The number of allowed failed logins should be set correctly.") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*auth\N+pam_unix\.so - - - - ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - - - - ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - - - - ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) - - - - ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) - - - - - ^/etc/pam.d/system-auth$ - - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - ^/etc/security/faillock.conf$ - - 1 - - - - - - - - - - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml deleted file mode 100644 index 02a8568e010..00000000000 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml +++ /dev/null @@ -1,195 +0,0 @@ -{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}} -{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}} -{{# The rules should ideally use a single template. #}} - -{{% set prm_name = "fail_interval" %}} -{{% set prm_regex_conf = "^[\s]*fail_interval[\s]*=[\s]*([0-9]+)" %}} -{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)" %}} -{{% set ext_variable = "var_accounts_passwords_pam_faillock_fail_interval" %}} -{{% set description = "The number of allowed failed logins should be set correctly." %}} - - - - {{{ oval_metadata(description) }}} - - - - - - - - - - - - - - - - - - - - - - - - - ^\s*auth.*pam_unix\.so - - - - ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc - - - - ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ - - - - {{{ prm_regex_pamd }}} - - - - {{{ prm_regex_conf }}} - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - /etc/pam.d/common-account - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - - - - - - - - /etc/security/faillock.conf - - 1 - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml index e4bd615121e..7d785f2d9a3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml @@ -120,3 +120,13 @@ warnings: be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file. + +template: + name: pam_account_password_faillock + vars: + prm_name: fail_interval + prm_regex_conf: ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) + prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) + ext_variable: var_accounts_passwords_pam_faillock_fail_interval + description: The number of allowed failed logins should be set correctly. + variable_lower_bound: use_ext_variable diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml deleted file mode 100644 index 230ff5eaa3d..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml +++ /dev/null @@ -1,7 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_pam_faillock_enable() }}} -{{{ ansible_pam_faillock_parameter_value("unlock_time", "var_accounts_passwords_pam_faillock_unlock_time") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh deleted file mode 100644 index 51ef7f32347..00000000000 
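Review bot: `description` in the new `template.vars` block repeats the old interval OVAL's wording, "The number of allowed failed logins should be set correctly.", which describes `deny` rather than `fail_interval`; the unlock_time OVAL deleted later in this patch words its own description specifically, so this one should too, e.g. `description: The interval in which consecutive failed logins are counted should be set correctly.`. The two regexes are plain scalars; single-quoting them (`prm_regex_conf: '^[\s]*fail_interval[\s]*=[\s]*([0-9]+)'`) keeps the backslashes and brackets safe from YAML tooling and matches how the deleted ubuntu.xml set them. `pam_faillock.so` in `prm_regex_pamd` has an unescaped dot inherited from the old OVAL, whereas the preauth/authfail patterns in that same file used `pam_faillock\.so`. `variable_lower_bound: use_ext_variable` is not defined anywhere visible; since "stricter" means a larger value for fail_interval and unlock_time but a smaller one for deny, it is worth confirming the template's bound direction per parameter before the deny rule is migrated too.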
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh +++ /dev/null @@ -1,6 +0,0 @@ -# platform = multi_platform_all - -{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}} - -{{{ bash_pam_faillock_enable() }}} -{{{ bash_pam_faillock_parameter_value("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml deleted file mode 120000 index 70f08ba8db1..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/debian.xml +++ /dev/null @@ -1 +0,0 @@ -ubuntu.xml \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml deleted file mode 100644 index 94c1ecaa55c..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml +++ /dev/null 
@@ -1,285 +0,0 @@ - - - {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*auth\N+pam_unix\.so - - - - ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - - - - ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so - - - - ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) - - - - ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) - - - - - ^/etc/pam.d/system-auth$ - - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - ^/etc/security/faillock.conf$ - - 1 - - - - - - - - - - - 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml deleted file mode 100644 index 5dd850d8caf..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml +++ /dev/null 
@@ -1,285 +0,0 @@ - - - {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*auth\N+pam_unix\.so - - - - ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - - - - ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - - - - ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) - - - - ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) - - - - - ^/etc/pam.d/system-auth$ - - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - ^/etc/security/faillock.conf$ - - 1 - - - - - - - - - - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml deleted file mode 100644 index 6f90a6e6a5f..00000000000 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml +++ /dev/null @@ -1,195 +0,0 @@ -{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}} -{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}} -{{# The rules should ideally use a single template. #}} - -{{% set prm_name = "unlock_time" %}} -{{% set prm_regex_conf = "^[\s]*unlock_time[\s]*=[\s]*([0-9]+)" %}} -{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)" %}} -{{% set ext_variable = "var_accounts_passwords_pam_faillock_unlock_time" %}} -{{% set description = "The unlock time after number of failed logins should be set correctly." %}} - - - - {{{ oval_metadata(description) }}} - - - - - - - - - - - - - - - - - - - - - - - - - ^\s*auth.*pam_unix\.so - - - - ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc - - - - ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ - - - - {{{ prm_regex_pamd }}} - - - - {{{ prm_regex_conf }}} - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - /etc/pam.d/common-account - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - - - - - - - - /etc/security/faillock.conf - - 1 - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml index ea9414e6b07..e20bb698663 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml @@ -127,3 +127,13 @@ warnings: be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file. + +template: + name: pam_account_password_faillock + vars: + prm_name: unlock_time + prm_regex_conf: ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) + prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) + ext_variable: var_accounts_passwords_pam_faillock_unlock_time + description: The unlock time after number of failed logins should be set correctly. + variable_lower_bound: use_ext_variable diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template new file mode 100644 index 00000000000..5e1161920e5 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/ansible.template @@ -0,0 +1,7 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low +{{{ ansible_pam_faillock_enable() }}} +{{{ ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE) }}} diff --git a/shared/templates/pam_account_password_faillock/bash.template b/shared/templates/pam_account_password_faillock/bash.template new file mode 100644 index 00000000000..e46c3b85197 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/bash.template @@ -0,0 +1,6 @@ +# platform = multi_platform_all + +{{{ bash_instantiate_variables(EXT_VARIABLE) }}} + +{{{ bash_pam_faillock_enable() }}} +{{{ bash_pam_faillock_parameter_value(PRM_NAME, '$'+EXT_VARIABLE) }}} diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template new file mode 100644 index 00000000000..34174e89664 --- /dev/null 
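Review bot: `variable_lower_bound: use_ext_variable` is the only bound given for `unlock_time`, so a configured `unlock_time = 0` — which pam_faillock documents as "re-enabled only by the administrator", the strictest possible setting — will presumably be reported as failing once the template compares it against `var_accounts_passwords_pam_faillock_unlock_time`. If the deleted per-rule OVAL tolerated that value, the template needs an equivalent (for instance an explicit zero-allowed parameter); if it did not, a comment in `rule.yml` stating that `0` is intentionally rejected would document the choice for the next maintainer. The `warnings` block whose context lines open this hunk starts outside it.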
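Review bot: The new `ansible.template` header declares `# platform = multi_platform_all`, whereas the per-rule Ansible remediation it replaces (the deleted `ansible/shared.yml` files in this series) was limited to `multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv`. This silently extends Ansible remediation of every rule built on the template to Debian, Ubuntu and SLE; unless `ansible_pam_faillock_enable()` is known to handle their `common-auth`/`common-account` layout (which the template's OVAL treats as a separate branch), keep the previous list: `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv`. The bash counterpart already used `multi_platform_all` before this change, so its scope is unchanged.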
+++ b/shared/templates/pam_account_password_faillock/oval.template 
@@ -0,0 +1,335 @@ + + + {{{ oval_metadata(DESCRIPTION) }}} + + {{% if 'debian' in product or 'ubuntu' in product %}} + + + + + + + + + + + + + + + + + + + + + + + {{% else %}} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {{% endif %}} + + + + + ^\s*auth\N+pam_unix\.so + + + + {{% if 'debian' in product or 'ubuntu' in product %}} + ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc + {{% elif 'openeuler' in product %}} + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail + {{% else %}} + ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail + {{% endif %}} + + + + {{% if 'debian' in product or 'ubuntu' in product %}} + ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ + {{% elif 'openeuler' in product %}} + 
^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so + {{% else %}} + ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so + {{% endif %}} + + + + {{{ PRM_REGEX_PAMD }}} + + + + {{{ PRM_REGEX_CONF }}} + + + {{% macro generate_test_faillock_enabled(file_stem) %}} + + + + + + + /etc/pam.d/{{{file_stem}}}-auth + + 1 + + + + + + + + + /etc/pam.d/{{{ file_stem }}}-auth + + 1 + + {{% endmacro %}} + + {{{ generate_test_faillock_enabled (file_stem="system") }}} + {{{ generate_test_faillock_enabled (file_stem="password") }}} + {{{ generate_test_faillock_enabled (file_stem="common") }}} + + {{% macro generate_test_faillock_account(file_stem, file) %}} + + + + + + + /etc/pam.d/{{{ file }}} + + 1 + + {{% endmacro %}} + + {{{ generate_test_faillock_account (file_stem="system", file="system-auth") }}} + {{{ generate_test_faillock_account (file_stem="password", file="password-auth") }}} + {{{ generate_test_faillock_account (file_stem="common", file="common-account") }}} + + {{% macro generate_check_parameter_in_pam_file(file_stem) %}} + + + + + + + + + {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}} + + {{% endif %}} + {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}} + + {{% endif %}} + + + + /etc/pam.d/{{{ file_stem }}}-auth + + 1 + + {{% endmacro %}} + + + + + + {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}} + + {{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}} + + {{% elif 
VARIABLE_UPPER_BOUND is number %}} + {{{ VARIABLE_UPPER_BOUND }}} + {{% else %}} + + {{% endif %}} + + {{% endif %}} + + {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}} + + {{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}} + + {{% elif VARIABLE_LOWER_BOUND is number %}} + {{{ VARIABLE_LOWER_BOUND }}} + {{% else %}} + + {{% endif %}} + + {{% endif %}} + + {{{ generate_check_parameter_in_pam_file (file_stem="system") }}} + {{{ generate_check_parameter_in_pam_file (file_stem="password") }}} + {{{ generate_check_parameter_in_pam_file (file_stem="common") }}} + + + + + {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}} + + {{% endif %}} + {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}} + + {{% endif %}} + + + + + + + + + /etc/security/faillock.conf + + 1 + + + diff --git a/shared/templates/pam_account_password_faillock/template.yml b/shared/templates/pam_account_password_faillock/template.yml new file mode 100644 index 00000000000..b57de6fbb63 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/template.yml @@ -0,0 +1,4 @@ +supported_languages: + - ansible + - bash + - oval diff --git a/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh new file mode 100644 index 00000000000..b3232cc93ec --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh 
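Review bot: The new template's value checks are limited to `VARIABLE_UPPER_BOUND` and `VARIABLE_LOWER_BOUND`, so a parameter explicitly set to `0` satisfies any upper-bound comparison even though for `deny` zero disables the lockout entirely; the per-rule `deny` OVAL deleted later in this series (`oval/openeuler.xml`) appears to carry a literal `0` operand with no counterpart here, so that guard may have been dropped — please confirm against the deleted `shared.xml`. If it was, an optional template parameter (e.g. `VARIABLE_NONZERO`, name is a placeholder) that adds a not-equal-zero state to `generate_check_parameter_in_pam_file` and to the `faillock.conf` check would restore it. Separately, `generate_test_faillock_enabled`, `generate_test_faillock_account` and `generate_check_parameter_in_pam_file` are expanded for the `system`, `password` and `common` stems on every product, so each rendered OVAL presumably carries objects for PAM files that do not exist on that platform; guarding the `common` expansions with the same `'debian' in product or 'ubuntu' in product` test already used for the definition would keep the output to what the definition references. Minor: the first macro writes both `{{{file_stem}}}` and `{{{ file_stem }}}`.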
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# remediation = none
+
+SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
+
+# This modification will break the integrity checks done by authselect.
+if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
+ sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
+else
+ sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
+fi
diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
new file mode 100644
index 00000000000..24f5731f63d
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+pam_files=("password-auth" "system-auth")
+
+authselect create-profile testingProfile --base-on minimal
+
+CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
+
+authselect select --force custom/testingProfile
+
+truncate -s 0 /etc/security/faillock.conf
+
+echo "deny = 3" > /etc/security/faillock.conf
+
+{{{ bash_pam_faillock_enable() }}}
+
+for file in ${pam_files[@]}; do
+ if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
+ sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/" \
+ "$CUSTOM_PROFILE_DIR/$file"
+ else
+ sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth deny=3" \
+ "$CUSTOM_PROFILE_DIR/$file"
+ fi
+done
+
+
+authselect apply-changes
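Review bot: The scenario `authselect_modified_pam.fail.sh` edits the `pam_pwhistory.so ... remember=` entry of `/etc/pam.d/system-auth`, which is the body of the `accounts_password_pam_unix_remember` scenario rather than anything pam_faillock related; for this template the failure presumably comes from faillock never being enabled, not from the authselect integrity check the file name and comment describe. Modifying the `pam_faillock.so` lines instead (as `pam_faillock_not_required_pam_files.fail.sh` later in this series does) would make the scenario exercise the intended path. Also, `if ! $(grep -q ...); then` executes the (empty) output of the substitution as a command and only works by accident; `if ! grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE; then` is the intended form.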
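Review bot: `conflicting_settings_authselect.fail.sh` hardcodes the `deny` parameter (`echo "deny = 3" > /etc/security/faillock.conf`, `s/$/deny=3/`) although the template is parameterised by `PRM_NAME`/`EXT_VARIABLE`; when rendered for the `unlock_time` or `fail_interval` rules the parameter under test is never set, so the pass/fail expectation no longer describes that rule. The same applies to the literal `deny=3`, `deny=5`, `deny=2` values and the `# variables = var_accounts_passwords_pam_faillock_deny=3` headers in `pam_faillock_conflicting_settings`, `pam_faillock_disabled`, `pam_faillock_expected_*`, `pam_faillock_lenient_*`, `pam_faillock_multiple_pam_unix_*`, `pam_faillock_not_required_pam_files`, `pam_faillock_stricter_*` and the `ubuntu_*` scenarios. If test scripts under `shared/templates` are rendered with the template variables the way the `.template` files are, `{{{ PRM_NAME }}}` and `{{{ EXT_VARIABLE }}}` can replace the literals, e.g. `echo "{{{ PRM_NAME }}} = 3" > /etc/security/faillock.conf` and `# variables = {{{ EXT_VARIABLE }}}=3`; otherwise the shared scenarios need per-parameter variants.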
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
new file mode 100644
index 00000000000..aa3ca061de7
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+# This test scenario simulates conflicting settings in pam and faillock.conf files.
+# It means that authselect is not properly configured and may have a unexpected behaviour. The
+# authselect integrity check will fail and the remediation will be aborted in order to preserve
+# intentional changes. In this case, an informative message will be shown in the remediation report.
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
new file mode 100644
index 00000000000..579e5670ea1
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+{{%- if product in ["rhel7"] %}}
+# packages = authconfig
+{{%- else %}}
+# packages = authselect
+{{%- endif %}}
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+if [ -f /usr/sbin/authconfig ]; then
+ authconfig --disablefaillock --update
+else
+ authselect select sssd --force
+ authselect disable-feature with-faillock
+fi
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
new file mode 100644
index 00000000000..e770e300f52
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
new file mode 100644
index 00000000000..24936609706
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=3" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
new file mode 100644
index 00000000000..fd57152b8c4
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 5" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
new file mode 100644
index 00000000000..34405f59422
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=5" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
new file mode 100644
index 00000000000..efb57601cb9
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+# Ensure the parameters only in /etc/security/faillock.conf
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
new file mode 100644
index 00000000000..dbc12db6b9f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=3" --update
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
new file mode 100644
index 00000000000..b780f320362
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+{{%- if product in ["rhel7"] %}}
+# packages = authconfig
+{{%- else %}}
+# packages = authselect
+# remediation = none
+{{%- endif %}}
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+# This test scenario manually modify the pam_faillock.so entries in auth section from
+# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
+# intentioned. We catch this, but we can't safely remediate in an automated way.
+if [ -f /usr/sbin/authconfig ]; then
+ authconfig --enablefaillock --faillockargs="deny=3" --update
+else
+ authselect select sssd --force
+ authselect enable-feature with-faillock
+ sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+fi
+sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+if [ -f /etc/security/faillock.conf ]; then
+ > /etc/security/faillock.conf
+fi
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
new file mode 100644
index 00000000000..595b85192da
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 2" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
new file mode 100644
index 00000000000..03f93edaa4f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=2" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
new file mode 100644
index 00000000000..06e07a9d968
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
+sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account
+
+echo "#deny=1" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
new file mode 100644
index 00000000000..e64fb3528e8
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
@@ -0,0 +1,50 @@ +#!/bin/bash + +# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS +# Extra comments and whitespaces were added to test for edge cases + +cat >/etc/pam.d/common-auth </etc/pam.d/common-account < /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh new file mode 100644 index 00000000000..e6d203a01c5 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +source ubuntu_common.sh + +sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth + diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh new file mode 100644 index 00000000000..3b73ba396a6 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +# This test should fail because neither pam.d or faillock.conf have deny defined + +source ubuntu_common.sh + +echo > /etc/security/faillock.conf diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh new file mode 100644 index 00000000000..40c103dc6f9 --- /dev/null +++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +source ubuntu_common.sh + +sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth +sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account + +echo "deny=1" > /etc/security/faillock.conf 
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
new file mode 100644
index 00000000000..23be5083c6f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+
+source ubuntu_common.sh
+
+echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
new file mode 100644
index 00000000000..d236f32cb8b
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+echo "deny=999" > /etc/security/faillock.conf
From e243f8b668d5f1bad005af0c369006b8cc05b43c Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz Date: Wed, 3 Apr 2024 12:16:31 +0200 Subject: [PATCH 32/33] rewrite accounts_passwords_pam_faillock_deny rule to use pam_account_password_faillock template --- .../ansible/shared.yml | 7 - .../bash/shared.sh | 6 - .../oval/debian.xml | 1 - .../oval/openeuler.xml | 291 ------------------ .../oval/shared.xml | 291 ------------------ .../oval/ubuntu.xml | 201 ------------ .../rule.yml | 11 + 7 files changed, 11 insertions(+), 797 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml deleted file mode 100644 index 8ab749d4f7c..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml +++ /dev/null 
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("deny", "var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
deleted file mode 100644
index b30f58f3f88..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_all
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml
deleted file mode 120000
index 70f08ba8db1..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
deleted file mode 100644
index 0abb80d8d5d..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml +++ /dev/null @@ -1,291 +0,0 @@ - - - {{{ oval_metadata("Lockout account after failed login attempts") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*auth\N+pam_unix\.so - - - - ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - - - - ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so - - - - ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) - - - - ^[\s]*deny[\s]*=[\s]*([0-9]+) - - - - - ^/etc/pam.d/system-auth$ - - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - - 0 - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - ^/etc/security/faillock.conf$ - - 1 - - - - - - - - - - - - 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml deleted file mode 100644 index 4c3b56ba06c..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +++ /dev/null 
@@ -1,291 +0,0 @@ - - - {{{ oval_metadata("Lockout account after failed login attempts") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ^[\s]*auth\N+pam_unix\.so - - - - ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail - - - - ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so - - - - ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) - - - - ^[\s]*deny[\s]*=[\s]*([0-9]+) - - - - - ^/etc/pam.d/system-auth$ - - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - - 0 - - - - - ^/etc/pam.d/system-auth$ - - 1 - - - - - - - - - - - - - - - ^/etc/pam.d/password-auth$ - - 1 - - - - - - - - - - - - - - - ^/etc/security/faillock.conf$ - - 1 - - - - - - - - - - - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml deleted file mode 100644 index 443a85b2934..00000000000 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml +++ /dev/null @@ -1,201 +0,0 @@ -{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}} -{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}} -{{# The rules should ideally use a single template. #}} - -{{% set prm_name = "deny" %}} -{{% set prm_regex_conf = "^[\s]*deny[\s]*=[\s]*([0-9]+)" %}} -{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)" %}} -{{% set ext_variable = "var_accounts_passwords_pam_faillock_deny" %}} -{{% set description = "Lockout account after failed login attempts." %}} - - - - {{{ oval_metadata(description) }}} - - - - - - - - - - - - - - - - - - - - - - - - - ^\s*auth.*pam_unix\.so - - - - ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc - - - - ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ - - - - {{{ prm_regex_pamd }}} - - - - {{{ prm_regex_conf }}} - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - /etc/pam.d/common-account - - 1 - - - - - - - - - - - - - 0 - - - - - - - - - - - - - - - - /etc/pam.d/common-auth - - 1 - - - - - - - - - - - - - - - - - /etc/security/faillock.conf - - 1 - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml index eeb26a045b7..dd724d1625d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -129,3 +129,14 @@ warnings:
 srg_requirement: |-
 {{{ full_name }}} must automatically lock an account when three unsuccessful logon attempts occur.
+
+template:
+ name: pam_account_password_faillock
+ vars:
+ prm_name: deny
+ prm_regex_conf: ^[\s]*deny[\s]*=[\s]*([0-9]+)
+ prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
+ ext_variable: var_accounts_passwords_pam_faillock_deny
+ description: Lockout account after failed login attempts.
+ variable_upper_bound: use_ext_variable
+ variable_lower_bound: 0
From f44e383effeaacd7997408ace5dd45ab61a286d8 Mon Sep 17 00:00:00 2001
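Review bot: `variable_lower_bound: 0` would let a `deny=0` setting pass the check if the template treats the bound as inclusive; in the pam_faillock implementations I know, a deny of 0 disables the lockout altogether (verify against the module shipped by the targeted products), so the rule would then accept a host with no lockout at all, and `variable_lower_bound: 1` would close that gap. The template's bound semantics are not visible on this page. Separately, `prm_regex_pamd` leaves the dot in `pam_faillock.so` unescaped while the other regexes in this series write `pam_faillock\.so`; this was carried over from the deleted OVAL, but moving the expression into the template is the moment to write `pam_faillock\.so` and avoid matching an unrelated `pam_faillockXso` token.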
From: Alexandre Skrzyniarz Date: Wed, 27 Mar 2024 17:29:57 +0100 Subject: [PATCH 33/33] factorise code in pam_account_password_unix_remember --- .../ansible/debian.yml | 48 ------ .../ansible/shared.yml | 62 +++++++- .../ansible/ubuntu.yml | 48 ------ .../bash/debian.sh | 5 - .../bash/shared.sh | 15 +- .../bash/ubuntu.sh | 5 - .../oval/debian.xml | 1 - .../oval/shared.xml | 144 +++++++++--------- .../oval/ubuntu.xml | 28 ---- 9 files changed, 141 insertions(+), 215 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh delete mode 120000 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml deleted file mode 100644 index 09217290428..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/debian.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-# platform = multi_platform_debian
-# reboot = false
-# strategy = configure
-# complexity = low
-# disruption = medium
-
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
-
-# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
-# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
-# Here we adapt the code to allow using regex on the control field.
-
-{{% set pam_file='/etc/pam.d/common-password' %}}
-{{% set group='password' %}}
-{{% set control='\[success=[A-Za-z0-9].*\]' %}}
-{{% set module='pam_unix.so' %}}
-{{% set option='remember' %}}
-{{% set value='{{ var_password_pam_unix_remember }}' %}}
-
-- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_module_{{{ option }}}_option_present
-
-- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- backrefs: true
- regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
- line: \1 {{{ option }}}={{{ value }}}
- state: present
- register: result_pam_{{{ option }}}_add
- when:
- - result_pam_module_{{{ option }}}_option_present.found == 0
-
-- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- backrefs: true
- regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
- line: \1\2={{{ value }}} \3
- register: result_pam_{{{ option }}}_edit
- when:
- - result_pam_module_{{{ option }}}_option_present.found > 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
index 658f8a3e475..be1d7c5e0f2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -1,21 +1,69 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
-{{% if product in [ "sle12", "sle15" ] %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "ubuntu" in product or "debian" in product %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
+{{% set group='password' %}}
+{{% set control='\[success=[A-Za-z0-9].*\]' %}}
+{{% set module='pam_unix.so' %}}
+{{% set option='remember' %}}
+{{% set value='{{ var_password_pam_unix_remember }}' %}}
+{{% elif product in [ "sle12", "sle15" ] %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
 {{% else %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
+{{% set pam_file='/etc/pam.d/system-auth' %}}
 {{% endif %}}
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "ubuntu" in product or "debian" in product %}}
+
+# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
+# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
+# Here we adapt the code to allow using regex on the control field.
+
+- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
+ ansible.builtin.lineinfile:
+ path: "{{{ pam_file }}}"
+ regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_{{{ option }}}_option_present
+
+- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
+ ansible.builtin.lineinfile:
+ path: "{{{ pam_file }}}"
+ backrefs: true
+ regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
+ line: \1 {{{ option }}}={{{ value }}}
+ state: present
+ register: result_pam_{{{ option }}}_add
+ when:
+ - result_pam_module_{{{ option }}}_option_present.found == 0
-{{{ ansible_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
+- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
+ ansible.builtin.lineinfile:
+ path: "{{{ pam_file }}}"
+ backrefs: true
+ regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
+ line: \1\2={{{ value }}} \3
+ register: result_pam_{{{ option }}}_edit
+ when:
+ - result_pam_module_{{{ option }}}_option_present.found > 0
+
+
+{{% else %}}
+
+{{{ ansible_pam_pwhistory_enable(pam_file,
 'requisite',
 '^password.*requisite.*pam_pwquality\.so') }}}
-{{{ ansible_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
+{{{ ansible_pam_pwhistory_parameter_value(pam_file,
 'remember',
 '{{ var_password_pam_unix_remember }}') }}}
+
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
deleted file mode 100644
index 1532858150a..00000000000
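Review bot: In the debian/ubuntu branch the remediation only touches lines whose control field matches `\[success=[A-Za-z0-9].*\]`, while the OVAL for this rule later in the series accepts `sufficient`, `required` or any `[...]` control before `pam_unix.so`; a host whose pam_unix.so line uses `required` or `sufficient` therefore fails the check and this remediation leaves it untouched, and the same mismatch exists in the bash hunk below (`'\[success=[[:alnum:]].*\]'`). Either the `control` regex should accept the same forms as the check, e.g. `{{% set control='(sufficient|required|\[[^\]]*\])' %}}`, or the check should be narrowed, so that scan and fix agree on what a compliant line looks like. `# platform = multi_platform_all` also sends every product other than debian, ubuntu and sle through the `{{% else %}}` branch to `/etc/pam.d/system-auth`, where the old header limited that path to rhel, fedora, ol, rhv and sle; I cannot tell from this page whether every other product ships that file. The inline copy of `ansible_ensure_pam_module_option` is a third instance of the same tasks in this series and would be better expressed as an option of the shared macro (say, a flag that skips escaping the control field) than as rule-local code.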
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml +++ /dev/null 
@@ -1,48 +0,0 @@
-# platform = multi_platform_ubuntu
-# reboot = false
-# strategy = configure
-# complexity = low
-# disruption = medium
-
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
-
-# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
-# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
-# Here we adapt the code to allow using regex on the control field.
-
-{{% set pam_file='/etc/pam.d/common-password' %}}
-{{% set group='password' %}}
-{{% set control='\[success=[A-Za-z0-9].*\]' %}}
-{{% set module='pam_unix.so' %}}
-{{% set option='remember' %}}
-{{% set value='{{ var_password_pam_unix_remember }}' %}}
-
-- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_module_{{{ option }}}_option_present
-
-- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- backrefs: true
- regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
- line: \1 {{{ option }}}={{{ value }}}
- state: present
- register: result_pam_{{{ option }}}_add
- when:
- - result_pam_module_{{{ option }}}_option_present.found == 0
-
-- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- backrefs: true
- regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
- line: \1\2={{{ value }}} \3
- register: result_pam_{{{ option }}}_edit
- when:
- - result_pam_module_{{{ option }}}_option_present.found > 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh
deleted file mode 100644
index e9352c4bc63..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/debian.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_debian
-
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
-
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index c830c07aa2e..d012e29c415 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,12 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
-{{% if product in [ "sle12", "sle15" ] %}}
+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "debian" in product or "ubuntu" in product %}}
+
+{{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
+
+{{% else %}}
 {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
 'requisite',
@@ -15,3 +21,6 @@
 {{{ bash_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
 'remember',
 "$var_password_pam_unix_remember") }}}
+
+{{% endif %}}
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
deleted file mode 100644
index dedfc48a1e9..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_ubuntu
-
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
-
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
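Review bot: The second hunk leaves a trailing blank line after `{{% endif %}}` at end of file, and the first hunk writes the product list as `["sle12", "sle15" ]` with an unbalanced space where the ansible counterpart writes `[ "sle12", "sle15" ]`; the two files also spell the same condition in different orders (`"debian" in product or "ubuntu" in product or product in [...]` here, `"ubuntu" in product or "debian" in product` in ansible/shared.yml, and a third order in oval/shared.xml). With the file-per-product selection now copied into bash, ansible and oval, a single shared Jinja macro returning the PAM file for `product` would keep the three from drifting apart; the mismatch between this hunk's control regex and the OVAL is raised on the ansible hunk above and applies here too. The first hunk ends at `'requisite',`; the `bash_pam_pwhistory_enable` call continues outside it.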
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml
deleted file mode 120000
index 70f08ba8db1..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/debian.xml
+++ /dev/null
@@ -1 +0,0 @@
-ubuntu.xml
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
index eae79c23ea6..945e014deb0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if product in [ "sle12", "sle15" ] or "debian" in product or "ubuntu" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
@@ -9,150 +9,154 @@ {{{ oval_metadata("The passwords to remember should be set correctly.") }}} - - - - - - - - - - - - - - + + + + + + + + + + + + + + + comment="Remember parameter of pam_unix.so is properly configured"/> + + + check="all" version="1" comment="Check pam_pwhistory.so presence in PAM file"> + version="1"> {{{ accounts_password_pam_unix_remember_file }}} + var_check="at least one" operation="pattern match"/> 1 + id="test_accounts_password_pam_unix_remember_pamd" check="all" version="1" + comment="Check remember parameter is present and correct in PAM file"> + id="object_accounts_password_pam_unix_remember_pamd" version="1"> {{{ accounts_password_pam_unix_remember_file }}} + var_ref="var_accounts_password_pam_unix_remember_pam_param_regex"/> 1 + id="state_accounts_password_pam_unix_remember" version="1"> + var_ref="var_password_pam_unix_remember"/> + datatype="int" comment="number of passwords that should be remembered"/> + + id="test_accounts_password_pam_unix_remember_no_pwhistory_conf" + comment="Check the absence of remember parameter in /etc/security/pwhistory.conf"> + object_ref="object_accounts_password_pam_unix_remember_param_conf"/> + id="object_accounts_password_pam_unix_remember_param_conf" version="1" + comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf"> ^/etc/security/pwhistory.conf$ + var_ref="var_accounts_password_pam_unix_remember_conf_param_regex"/> 1 + id="test_accounts_password_pam_unix_remember_no_pamd" version="1" + check="all" check_existence="none_exist" + comment="Check remember parameter is absent in PAM file"> + id="test_accounts_password_pam_unix_remember_pwhistory_conf" version="1" + check="all" check_existence="all_exist" + comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf"> + datatype="string" version="1" + comment="The regex is to confirm the pam_pwhistory.so module is enabled"> 
^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*$ + datatype="string" version="1" + comment="The regex is to collect the pam_pwhistory.so remember paramerter from PAM files"> ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ + datatype="string" version="1" + comment="The regex is to collect the pam_pwhistory.so remember paramerter in pwhistory.conf"> ^\s*remember\s*=\s*([0-9]+) + check="all" check_existence="all_exist" + comment="Test if remember attribute of pam_unix.so is set correctly in {{{ accounts_password_pam_unix_remember_file }}}"> - /etc/pam.d/system-auth - ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ + {{{ accounts_password_pam_unix_remember_file }}} + ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so.*remember=([0-9]*).*$ 1 + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml deleted file mode 100644 index 13ca8a977b7..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml +++ /dev/null @@ -1,28 +0,0 @@ - - - {{{ oval_metadata("The passwords to remember should be set correctly.") }}} - - - - - - - - - - - - - /etc/pam.d/common-password - ^\s*password\s+\[.*\]\s+pam_unix\.so.*remember=([0-9]*).*$ - 1 - - - - - - - - -