SLES-15-010250 add rule, remediation and tests. #6879
Merged: vojtapolasek merged 4 commits into ComplianceAsCode:master from teacup-on-rockingchair:suse_SLES-15-010250 on May 3, 2021
Changes from 1 commit

Commits (4):
73e5952 SLES-15-010250 add rule, remediation and tests. (brett060102)
edeb2c5 Fix rule (teacup-on-rockingchair)
3d977bd Drop duplicate functionality in oval and ansible (teacup-on-rockingchair)
5cdb94e Update linux_os/guide/system/accounts/accounts-pam/set_password_hashi… (teacup-on-rockingchair)
...t_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/ansible/shared.yml
31 changes: 31 additions & 0 deletions
@@ -0,0 +1,31 @@ | ||
# platform = multi_platform_sle | ||
# reboot = false | ||
# strategy = configure | ||
# complexity = low | ||
# disruption = low | ||
|
||
- name: Check to see if 'sha512' parameter is present | ||
shell: | | ||
grep -e '^\s*auth\s\+[a-z]+\s\+pam_unix\.so.*sha512.*' /etc/pam.d/common-auth | cat | ||
register: check_pam_unix_sha512_result | ||
|
||
- name: Make sure pam_unix.so has 'sha512' parameter set | ||
replace: | ||
path: /etc/pam.d/common-auth | ||
regexp: ^(\s*auth\s+[a-z]+\s+pam_unix\.so\s+[^\n]*)([^A-Za-z]?.*) | ||
replace: '\1 sha512 \2' | ||
register: pam_unix_sha512_result | ||
when: '"sha512" not in check_pam_unix_sha512_result.stdout' | ||
|
||
- name: Check to see if pam_unix.so is required | ||
shell: | | ||
grep -e '^\s*auth\s\+required\s\+pam_unix\.so.*' /etc/pam.d/common-auth | cat | ||
register: check_pam_unix_required_result | ||
|
||
- name: Make sure pam_unix.so is required | ||
replace: | ||
path: /etc/pam.d/common-auth | ||
regexp: ^(\s*auth\s+)([a-z]+)(\s+pam_unix\.so\s+[^\n]*[^A-Za-z]?.*) | ||
replace: '\1required\3' | ||
register: pam_unix_required_result | ||
when: '"required" not in check_pam_unix_required_result.stdout' |
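Review bot: the first check task's grep can never match, because `grep -e` runs a basic regex in which a bare `+` is a literal character (only `\+` means one-or-more, as the same pattern uses in `\s\+`), so `[a-z]+` demands a letter followed by a literal plus sign. `check_pam_unix_sha512_result.stdout` is therefore always empty, the `when` guard on the replace task is always true, and because the replace regexp's first group swallows the whole line, `'\1 sha512 \2'` appends another ` sha512 ` on every run, so this remediation is not idempotent. Use `\+` (or `grep -E`) in the check, e.g. `grep -E '^\s*auth\s+[a-z]+\s+pam_unix\.so.*sha512'`, and make the replace itself skip lines that already carry `sha512`. Separately, rule.yml in this same commit declares `template: pam_options` for the same file, module and argument, so this hand-written playbook duplicates the generated remediation.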
...m/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/bash/shared.sh
4 changes: 4 additions & 0 deletions
@@ -0,0 +1,4 @@ | ||
# platform = multi_platform_sle | ||
. /usr/share/scap-security-guide/remediation_functions | ||
|
||
ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' '' |
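Review bot: the two trailing empty-string arguments to `ensure_pam_module_options` are unexplained here; a one-line comment naming each positional parameter as the function in remediation_functions defines them would make the call reviewable without opening that library. For consistency with the Ansible remediation in this commit, the header should also carry the `# reboot`, `# strategy`, `# complexity` and `# disruption` lines. This call also duplicates the bash remediation that the `pam_options` template declared in rule.yml generates.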
.../set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/oval/shared.xml
19 changes: 19 additions & 0 deletions
@@ -0,0 +1,19 @@ | ||
<def-group> | ||
<definition class="compliance" id="set_password_hashing_algorithm_commonauth" version="1"> | ||
{{{ oval_metadata("The auth mechanism hashing algorithm should be set correctly in /etc/pam.d/common-auth.") }}} | ||
<criteria operator="AND"> | ||
<criterion test_ref="test_pam_unix_common_sha512" /> | ||
</criteria> | ||
</definition> | ||
|
||
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/common-auth for correct settings" id="test_pam_unix_common_sha512" version="1"> | ||
<ind:object object_ref="object_pam_unix_common_sha512" /> | ||
</ind:textfilecontent54_test> | ||
|
||
<ind:textfilecontent54_object comment="check /etc/pam.d/common-auth for correct settings" id="object_pam_unix_common_sha512" version="1"> | ||
<ind:filepath>/etc/pam.d/common-auth</ind:filepath> | ||
<ind:pattern operation="pattern match">^[\s]*auth[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern> | ||
<ind:instance datatype="int">1</ind:instance> | ||
</ind:textfilecontent54_object> | ||
|
||
</def-group> |
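Review bot: `check_existence="at_least_one_exists"` combined with a pattern that requires both `required` and `sha512` means one compliant line satisfies the test even when another `auth ... pam_unix.so` line in the file lacks either, and none of the test scenarios in this commit has more than one line, so that gap is never exercised. If the intent is that every pam_unix.so auth entry be compliant, add a second object matching any `auth` pam_unix.so line and compare the two, or state the limitation in the object's comment. Minor: `(?:(?:required))` is a doubly nested group around a literal and can simply be `required`. This OVAL also duplicates what the `pam_options` template in rule.yml generates.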
...nts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_commonauth/rule.yml
64 changes: 64 additions & 0 deletions
@@ -0,0 +1,64 @@ | ||||||
documentation_complete: true | ||||||
|
||||||
prodtype: sle15 | ||||||
|
||||||
title: "Set PAM's Common Authentication Hashing Algorithm" | ||||||
|
||||||
description: |- | ||||||
The PAM system service can be configured to only store encrypted | ||||||
representations of passwords. In | ||||||
<tt>/etc/pam.d/common-auth</tt>, | ||||||
the | ||||||
<tt>auth</tt> section of the file controls which PAM modules execute | ||||||
during a password change. Set the <tt>pam_unix.so</tt> module in the | ||||||
<tt>auth</tt> section to include the argument <tt>sha512</tt>, as shown | ||||||
below: | ||||||
<br /> | ||||||
<pre>auth required pam_unix.so sha512 <i>other arguments...</i></pre> | ||||||
<br /> | ||||||
This will help ensure when local users change their authentication method, | ||||||
hashes for the new authentications will be generated using the SHA-512 | ||||||
algorithm. This is the default. | ||||||
|
||||||
rationale: |- | ||||||
Unapproved mechanisms used for authentication to the cryptographic module | ||||||
are not verified and therefore cannot be relied on to provide | ||||||
confidentiality or integrity, and data may be compromised. | ||||||
This setting ensures user and group account administration utilities are | ||||||
configured to store only encrypted representations of passwords. | ||||||
Additionally, the <tt>crypt_style</tt> configuration option ensures the use | ||||||
of a strong hashing algorithm that makes password cracking attacks more | ||||||
difficult. | ||||||
|
||||||
severity: medium | ||||||
|
||||||
identifiers: | ||||||
cce@sle15: CCE-85754-0 | ||||||
|
||||||
references: | ||||||
disa@sle15: CCI-000803 | ||||||
nist@sle15: IA-7,IA-7.1 | ||||||
|
||||||
srg@sle15: SRG-OS-000120-GPOS-00061 | ||||||
vmmsrg@sle15: SRG-OS-000480-VMM-002000 | ||||||
stigid@sle15: SLES-15-010250 | ||||||
|
||||||
ocil_clause: 'it does not' | ||||||
|
||||||
ocil: |- | ||||||
Inspect the contents of <tt>/etc/pam.d/common-auth</tt> | ||||||
and ensure that the <tt>pam_unix.so</tt> module includes the argument | ||||||
<tt>sha512</tt>: | ||||||
<pre>$ grep sha512 /etc/pam.d/common-auth</pre> | ||||||
|
||||||
platform: pam | ||||||
|
||||||
template: | ||||||
name: pam_options | ||||||
vars: | ||||||
path: /etc/pam.d/common-auth | ||||||
type: password | ||||||
I suppose you want to check auth section, not password section.
Suggested change
Thanks 🙇, should be ok in edeb2c5
||||||
control_flag: required | ||||||
module: pam_unix.so | ||||||
arguments: | ||||||
- argument: sha512 | ||||||
new_argument: sha512 |
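Review bot: the description states that the `auth` section "controls which PAM modules execute during a password change" and that hashes are generated "when local users change their authentication method"; that is the role of the `password` stack, whereas `auth` governs authentication, and the same mix-up appears in the template's `type: password` flagged in the thread (fixed in edeb2c5 per the reply). Reword the description to describe the auth stack, or cite the STIG wording for SLES-15-010250. The rationale also cites a `crypt_style` option that nothing in this rule checks or remediates; drop it or point to the rule that does. Finally, with `template: pam_options` present, the hand-written oval, ansible and bash shared files added in this commit overlap with the generated content (the later commit "Drop duplicate functionality in oval and ansible" addresses this).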
...set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_required.fail.sh
3 changes: 3 additions & 0 deletions
@@ -0,0 +1,3 @@ | ||
# platform = SUSE Linux Enterprise 15 | ||
|
||
echo "auth optional pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth |
...m/set_password_hashing_algorithm_commonauth/tests/common-auth.pam_unix_not_sha512.fail.sh
3 changes: 3 additions & 0 deletions
@@ -0,0 +1,3 @@ | ||
# platform = SUSE Linux Enterprise 15 | ||
|
||
echo "auth required pam_unix.so try_first_pass" > /etc/pam.d/common-auth |
...ord_hashing_algorithm/set_password_hashing_algorithm_commonauth/tests/common-auth.pass.sh
3 changes: 3 additions & 0 deletions
@@ -0,0 +1,3 @@ | ||
# platform = SUSE Linux Enterprise 15 | ||
|
||
echo "auth required pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth |
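Review bot: all three scenarios overwrite /etc/pam.d/common-auth with a single line, so the Ansible and OVAL patterns are never exercised against a multi-line stack with other modules listed before pam_unix.so, nor against a file holding more than one pam_unix.so auth line. A pass scenario with a realistic stack, and a fail scenario with one compliant and one non-compliant pam_unix.so line, would cover the `at_least_one_exists` gap in the OVAL and the line-selection regexes in the remediations.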
CCIs are product independent
Thanks 🙇, should be ok in edeb2c5