-
Notifications
You must be signed in to change notification settings - Fork 709
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
7 changed files
with
100 additions
and
0 deletions.
There are no files selected for viewing
9 changes: 9 additions & 0 deletions
9
...word_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_commented_values.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth | ||
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account | ||
|
||
echo "#audit" > /etc/security/faillock.conf |
50 changes: 50 additions & 0 deletions
50
...ocking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
#!/bin/bash | ||
|
||
# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS | ||
# Extra comments and whitespaces were added to test for edge cases | ||
|
||
cat >/etc/pam.d/common-auth <<EOF | ||
## Leading and trailing whitespaces should be ok | ||
auth required pam_faillock.so preauth | ||
# here are the per-package modules (the "Primary" block) | ||
auth [success=2 default=ignore] pam_unix.so nullok | ||
## Several lines of comments should not | ||
## break faillock remediation logic | ||
## Nor should commented pam_unix | ||
#auth [success=2 default=ignore] pam_unix.so nullok | ||
auth [success=1 default=ignore] pam_sss.so use_first_pass | ||
## Some more user comments | ||
auth [default=die] pam_faillock.so authfail | ||
## and some more | ||
auth sufficient pam_faillock.so authsucc | ||
# here's the fallback if no module succeeds | ||
auth requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
auth required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
auth optional pam_cap.so | ||
# end of pam-auth-update config | ||
EOF | ||
|
||
|
||
cat >/etc/pam.d/common-account <<EOF | ||
# here are the per-package modules (the "Primary" block) | ||
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so | ||
# here's the fallback if no module succeeds | ||
account requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
account required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
account sufficient pam_localuser.so | ||
account [default=bad success=ok user_unknown=ignore] pam_sss.so | ||
# end of pam-auth-update config | ||
account required pam_faillock.so | ||
EOF |
6 changes: 6 additions & 0 deletions
6
..._out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
|
||
echo "audit" > /etc/security/faillock.conf |
7 changes: 7 additions & 0 deletions
7
...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth | ||
|
8 changes: 8 additions & 0 deletions
8
...d_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_empty_faillock_conf.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
# This test should fail because neither pam.d or faillock.conf have audit defined | ||
|
||
source ubuntu_common.sh | ||
|
||
echo > /etc/security/faillock.conf |
9 changes: 9 additions & 0 deletions
9
...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth | ||
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account | ||
|
||
echo "audit" > /etc/security/faillock.conf |
11 changes: 11 additions & 0 deletions
11
...ord_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_multiple_pam_unix.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
# remediation = none | ||
|
||
# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere | ||
# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically | ||
# in order to preserve intentional changes. | ||
|
||
source ubuntu_common.sh | ||
|
||
echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth |