Merge pull request #6879 from teacup-on-rockingchair/suse_SLES-15-010250
SLES-15-010250 add rule, remediation and tests.
Showing 6 changed files with 78 additions and 0 deletions.
4 changes: 4 additions & 0 deletions
...m/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh
@@ -0,0 +1,4 @@ | ||
# platform = multi_platform_sle | ||
. /usr/share/scap-security-guide/remediation_functions | ||
|
||
ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' '' |
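Review bot: the remediation and the rule target different platform sets: `# platform = multi_platform_sle` here, but `prodtype: sle15` in rule.yml and `# platform = SUSE Linux Enterprise 15` in the tests; narrowing the remediation header to the same product (or widening prodtype) keeps them consistent. It is also worth confirming that `ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' ''` rewrites an existing line whose control flag is `optional`, since that is exactly the state set up by `common-auth.pam_unix_not_required.fail.sh`; if it only appends a new line, the remediated file ends up with two `pam_unix.so` entries in the auth stack.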
64 changes: 64 additions & 0 deletions
...nts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml
@@ -0,0 +1,64 @@ | ||
documentation_complete: true | ||
|
||
prodtype: sle15 | ||
|
||
title: "Set PAM's Common Authentication Hashing Algorithm" | ||
|
||
description: |- | ||
The PAM system service can be configured to only store encrypted | ||
representations of passwords. In | ||
<tt>/etc/pam.d/common-auth</tt>, | ||
the | ||
<tt>auth</tt> section of the file controls which PAM modules execute | ||
during a password change. Set the <tt>pam_unix.so</tt> module in the | ||
<tt>auth</tt> section to include the argument <tt>sha512</tt>, as shown | ||
below: | ||
<br /> | ||
<pre>auth required pam_unix.so sha512 <i>other arguments...</i></pre> | ||
<br /> | ||
This will help ensure when local users change their authentication method, | ||
hashes for the new authentications will be generated using the SHA-512 | ||
algorithm. This is the default. | ||
rationale: |- | ||
Unapproved mechanisms used for authentication to the cryptographic module | ||
are not verified and therefore cannot be relied on to provide | ||
confidentiality or integrity, and data may be compromised. | ||
This setting ensures user and group account administration utilities are | ||
configured to store only encrypted representations of passwords. | ||
Additionally, the <tt>crypt_style</tt> configuration option ensures the use | ||
of a strong hashing algorithm that makes password cracking attacks more | ||
difficult. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@sle15: CCE-85754-0 | ||
|
||
references: | ||
disa: CCI-000803 | ||
nist: IA-7,IA-7.1 | ||
srg@sle15: SRG-OS-000120-GPOS-00061 | ||
vmmsrg@sle15: SRG-OS-000480-VMM-002000 | ||
stigid@sle15: SLES-15-010250 | ||
|
||
ocil_clause: 'it does not' | ||
|
||
ocil: |- | ||
Inspect the contents of <tt>/etc/pam.d/common-auth</tt> | ||
and ensure that the <tt>pam_unix.so</tt> module includes the argument | ||
<tt>sha512</tt>: | ||
<pre>$ grep sha512 /etc/pam.d/common-auth</pre> | ||
platform: pam | ||
|
||
template: | ||
name: pam_options | ||
vars: | ||
path: /etc/pam.d/common-auth | ||
type: auth | ||
control_flag: required | ||
module: pam_unix.so | ||
arguments: | ||
- argument: sha512 | ||
new_argument: sha512 |
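Review bot: the description carries over wording from the password-stack variant of this rule: the `auth` section of `/etc/pam.d/common-auth` runs during authentication, not "during a password change", and the `sha512` argument to `pam_unix.so` takes effect when pam_unix changes a password (the `password` stack), so the sentence about new hashes being generated with SHA-512 should be reworded to describe what this check actually verifies in common-auth, or point to the common-password rule for that behaviour. The rationale also refers to the `crypt_style` configuration option, which this rule does not configure, and "This is the default." should state what is default on SLE 15. Separately, the OCIL check `grep sha512 /etc/pam.d/common-auth` passes on a commented-out line or on an `optional` control flag, so it is looser than the template's `control_flag: required`; `grep pam_unix.so /etc/pam.d/common-auth` and inspecting the whole line would be a closer manual check. Minor style point: the blank line before `rationale:` and `severity:` is missing, unlike the other top-level keys.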
3 changes: 3 additions & 0 deletions
...set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_required.fail.sh
@@ -0,0 +1,3 @@ | ||
# platform = SUSE Linux Enterprise 15 | ||
|
||
echo "auth optional pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth |
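Review bot: the test replaces the whole of `/etc/pam.d/common-auth` with a single `optional` line, so it checks the control flag but not how the remediation behaves when the surrounding entries of a real common-auth stack are present; a variant that keeps a realistic file and only flips `required` to `optional` on the `pam_unix.so` line would also exercise the rewrite-in-place path of `ensure_pam_module_options`. The `# platform = SUSE Linux Enterprise 15` header also differs from the remediation's `multi_platform_sle`; make sure the test harness resolves both to the same product.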
3 changes: 3 additions & 0 deletions
...m/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh
@@ -0,0 +1,3 @@ | ||
# platform = SUSE Linux Enterprise 15 | ||
|
||
echo "auth required pam_unix.so try_first_pass" > /etc/pam.d/common-auth |
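Review bot: this covers a missing `sha512` argument only on an active line; a companion fail test where `sha512` appears solely in a commented-out line (for example `# auth required pam_unix.so sha512`) would catch a check that matches the string without parsing the line, which is what the OCIL `grep sha512 /etc/pam.d/common-auth` in rule.yml currently does.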
3 changes: 3 additions & 0 deletions
...ord_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh
@@ -0,0 +1,3 @@ | ||
# platform = SUSE Linux Enterprise 15 | ||
|
||
echo "auth required pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth |
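Review bot: the pass case only places `sha512` as the last argument after `try_first_pass`; a second pass test with `sha512` before other arguments, and one with additional unrelated lines in the file, would confirm that the `pam_options` template check is neither position-sensitive nor confused by the rest of the stack.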