SLES-15-010250 add rule, remediation and tests. #6879
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # platform = multi_platform_sle | ||
| # reboot = false | ||
| # strategy = configure | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| - name: Check to see if 'sha512' parameter is present | ||
| shell: | | ||
| grep -e '^\s*auth\s\+[a-z]+\s\+pam_unix\.so.*sha512.*' /etc/pam.d/common-auth | cat | ||
| register: check_pam_unix_sha512_result | ||
|
|
||
| - name: Make sure pam_unix.so has 'sha512' parameter set | ||
| replace: | ||
| path: /etc/pam.d/common-auth | ||
| regexp: ^(\s*auth\s+[a-z]+\s+pam_unix\.so\s+[^\n]*)([^A-Za-z]?.*) | ||
| replace: '\1 sha512 \2' | ||
| register: pam_unix_sha512_result | ||
| when: '"sha512" not in check_pam_unix_sha512_result.stdout' | ||
|
|
||
| - name: Check to see if pam_unix.so is required | ||
| shell: | | ||
| grep -e '^\s*auth\s\+required\s\+pam_unix\.so.*' /etc/pam.d/common-auth | cat | ||
| register: check_pam_unix_required_result | ||
|
|
||
| - name: Make sure pam_unix.so is required | ||
| replace: | ||
| path: /etc/pam.d/common-auth | ||
| regexp: ^(\s*auth\s+)([a-z]+)(\s+pam_unix\.so\s+[^\n]*[^A-Za-z]?.*) | ||
| replace: '\1required\3' | ||
| register: pam_unix_required_result | ||
| when: '"required" not in check_pam_unix_required_result.stdout' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # platform = multi_platform_sle | ||
| . /usr/share/scap-security-guide/remediation_functions | ||
|
|
||
| ensure_pam_module_options '/etc/pam.d/common-auth' 'auth' 'required' 'pam_unix.so' 'sha512' '' '' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="set_password_hashing_algorithm_commonauth" version="1"> | ||
| {{{ oval_metadata("The auth mechanism hashing algorithm should be set correctly in /etc/pam.d/common-auth.") }}} | ||
| <criteria operator="AND"> | ||
| <criterion test_ref="test_pam_unix_common_sha512" /> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/common-auth for correct settings" id="test_pam_unix_common_sha512" version="1"> | ||
| <ind:object object_ref="object_pam_unix_common_sha512" /> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object comment="check /etc/pam.d/common-auth for correct settings" id="object_pam_unix_common_sha512" version="1"> | ||
| <ind:filepath>/etc/pam.d/common-auth</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*auth[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern> | ||
| <ind:instance datatype="int">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| </def-group> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,64 @@ | ||||||
| documentation_complete: true | ||||||
|
|
||||||
| prodtype: sle15 | ||||||
|
|
||||||
| title: "Set PAM's Common Authentication Hashing Algorithm" | ||||||
|
|
||||||
| description: |- | ||||||
| The PAM system service can be configured to only store encrypted | ||||||
| representations of passwords. In | ||||||
| <tt>/etc/pam.d/common-auth</tt>, | ||||||
| the | ||||||
| <tt>auth</tt> section of the file controls which PAM modules execute | ||||||
| during a password change. Set the <tt>pam_unix.so</tt> module in the | ||||||
| <tt>auth</tt> section to include the argument <tt>sha512</tt>, as shown | ||||||
| below: | ||||||
| <br /> | ||||||
| <pre>auth required pam_unix.so sha512 <i>other arguments...</i></pre> | ||||||
| <br /> | ||||||
| This will help ensure when local users change their authentication method, | ||||||
| hashes for the new authentications will be generated using the SHA-512 | ||||||
| algorithm. This is the default. | ||||||
|
|
||||||
| rationale: |- | ||||||
| Unapproved mechanisms used for authentication to the cryptographic module | ||||||
| are not verified and therefore cannot be relied on to provide | ||||||
| confidentiality or integrity, and data may be compromised. | ||||||
| This setting ensures user and group account administration utilities are | ||||||
| configured to store only encrypted representations of passwords. | ||||||
| Additionally, the <tt>crypt_style</tt> configuration option ensures the use | ||||||
| of a strong hashing algorithm that makes password cracking attacks more | ||||||
| difficult. | ||||||
|
|
||||||
| severity: medium | ||||||
|
|
||||||
| identifiers: | ||||||
| cce@sle15: CCE-85754-0 | ||||||
|
|
||||||
| references: | ||||||
| disa@sle15: CCI-000803 | ||||||
| nist@sle15: IA-7,IA-7.1 | ||||||
teacup-on-rockingchair marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| srg@sle15: SRG-OS-000120-GPOS-00061 | ||||||
| vmmsrg@sle15: SRG-OS-000480-VMM-002000 | ||||||
| stigid@sle15: SLES-15-010250 | ||||||
|
|
||||||
| ocil_clause: 'it does not' | ||||||
|
|
||||||
| ocil: |- | ||||||
| Inspect the contents of <tt>/etc/pam.d/common-auth</tt> | ||||||
| and ensure that the <tt>pam_unix.so</tt> module includes the argument | ||||||
| <tt>sha512</tt>: | ||||||
| <pre>$ grep sha512 /etc/pam.d/common-auth</pre> | ||||||
|
|
||||||
| platform: pam | ||||||
|
|
||||||
| template: | ||||||
| name: pam_options | ||||||
| vars: | ||||||
| path: /etc/pam.d/common-auth | ||||||
| type: password | ||||||
|
There was a problem hiding this comment. I suppose you want to check auth section, not password section.
Suggested change
There was a problem hiding this comment. Thanks 🙇, should be ok in edeb2c5 |
||||||
| control_flag: required | ||||||
| module: pam_unix.so | ||||||
| arguments: | ||||||
| - argument: sha512 | ||||||
| new_argument: sha512 | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # platform = SUSE Linux Enterprise 15 | ||
|
|
||
| echo "auth optional pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # platform = SUSE Linux Enterprise 15 | ||
|
|
||
| echo "auth required pam_unix.so try_first_pass" > /etc/pam.d/common-auth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # platform = SUSE Linux Enterprise 15 | ||
|
|
||
| echo "auth required pam_unix.so try_first_pass sha512" > /etc/pam.d/common-auth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CCIs are product independent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks 🙇, should be ok in edeb2c5