From d9445add924ae37374722e4057d2377c3898b3f0 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 2 Jan 2025 15:54:53 +0000 Subject: [PATCH 1/8] Add no_empty_passwords rule to ubuntu2404 cis control 5.3.3.4.1 --- controls/cis_ubuntu2404.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index fbc438cf883..428e2142940 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -2028,8 +2028,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - no_empty_passwords + status: automated - id: 5.3.3.4.2 title: Ensure pam_unix does not include remember (Automated) From fc7d14e82fd2e613c051f96f5f085cb6be7fe984 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 2 Jan 2025 17:07:55 +0000 Subject: [PATCH 2/8] Add package applicability of pam --- .../password_storage/no_empty_passwords/rule.yml | 4 ++++ .../no_empty_passwords/tests/no_nullok.pass.sh | 1 + .../no_empty_passwords/tests/nullok_present.fail.sh | 3 ++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml index a4f085ec0d2..d148d9a9f4a 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml @@ -102,3 +102,7 @@ warnings: container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. + +{{% if 'ubuntu' in product %}} +platform: package[pam] +{{% endif %}} 
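Review bot: The `platform: package[pam]` block appended at the end of rule.yml makes the rule's applicability on Ubuntu depend on a package named `pam` being installed, but on Debian-based systems the PAM binaries ship as libpam-modules/libpam-runtime rather than a package called `pam`; please confirm the `package[...]` CPE maps `pam` to one of those for Ubuntu. If it does not, the rule evaluates as not applicable on every Ubuntu host and the CIS 5.3.3.4.1 mapping added in the first patch silently stops checking for `nullok` instead of failing. A short comment above the block stating the intent, e.g. `# Ubuntu: rule only applies when the PAM package is installed`, would make the gate easier to verify later.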
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh index e0a57695fb1..554e4427321 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh @@ -1,5 +1,6 @@ #!/bin/bash # platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu +# packages = pam {{% if 'ubuntu' in product %}} sed -i --follow-symlinks '/nullok/d' /etc/pam.d/common-password diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh index d39f4a897f9..829ef5d6557 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh @@ -1,10 +1,11 @@ #!/bin/bash # platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu +# packages = pam {{% if 'ubuntu' in product %}} for FILE in "/etc/pam.d/common-password"; do if ! grep -q "^[^#].*pam_unix\.so.*nullok" ${FILE}; then - sed -i 's/\([\s]pam_unix\.so\)/\1 nullok/g' ${FILE} + sed -i 's/\([\s].*pam_unix\.so\)/\1 nullok/g' ${FILE} fi done {{% else %}} From 0a0d68ea5089ace96d134ccf7c0e405be067bd5c Mon Sep 17 00:00:00 2001 
From: Alan Moore Date: Thu, 2 Jan 2025 17:10:00 +0000 Subject: [PATCH 3/8] Make sure nullok is removed to avoid pam-auth keeping the original parameters --- .../password_storage/no_empty_passwords/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh index 9c097499f77..8b6d39cdc2d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh @@ -24,7 +24,7 @@ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { s/\s*nullok//g } }' "$config_file" - +{{{ bash_remove_pam_module_option('/etc/pam.d/common-password', 'password', '', 'pam_unix.so', 'nullok') }}} DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} if [ -f /usr/bin/authselect ]; then From becfacf7ab783158b08e4c6e321cde1ae389ce98 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 2 Jan 2025 17:10:40 +0000 Subject: [PATCH 4/8] Remove the additional Priority line --- shared/macros/10-bash.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 82ac231dfac..460dfdfdd4a 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -913,6 +913,7 @@ if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" + sed '/Priority: 256/d' "$conf_path"/"$conf_name" sed -i '/Default: yes/a Priority: 257\ Conflicts: unix' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update From 66d1a1e7c2c8bfa1fcc6daefdc14bc9d8c07551c Mon Sep 17 00:00:00 2001 
From: Alan Moore Date: Mon, 6 Jan 2025 23:01:51 +0000 Subject: [PATCH 5/8] Fix nullok_present.fail.sh of no_empty_passwords --- .../no_empty_passwords/tests/nullok_present.fail.sh | 4 ++-- .../tests/nullok_present_password_auth.fail.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh index 829ef5d6557..00ae6330142 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh @@ -5,14 +5,14 @@ {{% if 'ubuntu' in product %}} for FILE in "/etc/pam.d/common-password"; do if ! grep -q "^[^#].*pam_unix\.so.*nullok" ${FILE}; then - sed -i 's/\([\s].*pam_unix\.so\)/\1 nullok/g' ${FILE} + sed -i 's/\(^[^#].*pam_unix\.so\)/\1 nullok/g' ${FILE} fi done {{% else %}} SYSTEM_AUTH_FILE="/etc/pam.d/system-auth" if ! $(grep -q "^[^#].*pam_unix\.so.*nullok" $SYSTEM_AUTH_FILE); then - sed -i --follow-symlinks 's/\([\s].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $SYSTEM_AUTH_FILE + sed -i --follow-symlinks 's/\(^[^#].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $SYSTEM_AUTH_FILE fi {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh index effd5b7c066..88eb70d7020 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh 
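Review bot: The new sed in the `{{% else %}}` branch only inserts `nullok` when the pam_unix.so line is followed by whitespace and `try_first_pass`; on a system-auth without that option the fixture silently leaves the file unchanged and the .fail scenario then exercises a compliant file. Since a fixture that fails to set up should error rather than pass, consider asserting the edit took effect after the `fi`, e.g. `grep -q "^[^#].*pam_unix\.so.*nullok" "$SYSTEM_AUTH_FILE" || exit 1`; the same applies to the password-auth hunk of this patch (nullok_present_password_auth.fail.sh). The surrounding `if ! $(grep -q …)` works only because bash returns the status of the last command substitution when the expansion yields no command; the plain `if ! grep -q "^[^#].*pam_unix\.so.*nullok" "$SYSTEM_AUTH_FILE"; then` says the same without relying on that, and quoting `$SYSTEM_AUTH_FILE` and `${FILE}` is the usual hygiene.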
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh @@ -4,5 +4,5 @@ PASSWORD_AUTH_FILE="/etc/pam.d/password-auth" if ! $(grep -q "^[^#].*pam_unix\.so.*nullok" $PASSWORD_AUTH_FILE); then - sed -i --follow-symlinks 's/\([\s].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $PASSWORD_AUTH_FILE + sed -i --follow-symlinks 's/\(^[^#].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $PASSWORD_AUTH_FILE fi From 255a0885aed7f991ec8162ac29981f2b46e138d7 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 8 Jan 2025 16:49:42 +0000 Subject: [PATCH 6/8] Revert "Remove the additional Priority line" This reverts commit d110d7b1f7d5473872b2ecfa6f4876185ea5f7a8. --- shared/macros/10-bash.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 460dfdfdd4a..82ac231dfac 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -913,7 +913,6 @@ if [ ! -f "$conf_path"/"$conf_name" ]; then if [ -f "$conf_path"/unix ]; then if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then cp "$conf_path"/unix "$conf_path"/"$conf_name" - sed '/Priority: 256/d' "$conf_path"/"$conf_name" sed -i '/Default: yes/a Priority: 257\ Conflicts: unix' "$conf_path"/"$conf_name" DEBIAN_FRONTEND=noninteractive pam-auth-update From e35c58474d507d244400169b35435d9e9ee531db Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Fri, 10 Jan 2025 14:49:41 +0000 Subject: [PATCH 7/8] Revert "Make sure nullok is removed to avoid pam-auth keeping the original parameters" This reverts commit 0a0d68ea5089ace96d134ccf7c0e405be067bd5c. --- .../password_storage/no_empty_passwords/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh index 8b6d39cdc2d..9c097499f77 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh @@ -24,7 +24,7 @@ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { s/\s*nullok//g } }' "$config_file" -{{{ bash_remove_pam_module_option('/etc/pam.d/common-password', 'password', '', 'pam_unix.so', 'nullok') }}} + DEBIAN_FRONTEND=noninteractive pam-auth-update {{% else %}} if [ -f /usr/bin/authselect ]; then From 4f1d6b309d7baac38b8bd9ccebea41274cf5f059 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Fri, 10 Jan 2025 17:43:46 +0000 Subject: [PATCH 8/8] Use pam-auth-update in tests --- .../tests/no_nullok.pass.sh | 33 +++++++++++++++- .../tests/nullok_commented.pass.sh | 38 ++++++++++++++++++- .../tests/nullok_present.fail.sh | 36 +++++++++++++++--- 3 files changed, 100 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh index 554e4427321..41454c199d9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh 
@@ -3,7 +3,38 @@ # packages = pam {{% if 'ubuntu' in product %}} -sed -i --follow-symlinks '/nullok/d' /etc/pam.d/common-password +config_file=/usr/share/pam-configs/tmp_unix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so nullok try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so nullok +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix + +rm "$config_file" + {{% else %}} sed -i --follow-symlinks '/nullok/d' /etc/pam.d/system-auth sed -i --follow-symlinks '/nullok/d' /etc/pam.d/password-auth diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh index 1f4e2b6f050..a9fa304c5ac 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh 
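Review bot: The pam-configs profile written by the heredoc in this pass fixture still carries `nullok` on both the `Auth:` and `Auth-Initial:` lines, and the auth stack is where pam_unix's `nullok` actually permits logging in with an empty password; if the rule's check on Ubuntu inspects only common-password (the remediation in bash/shared.sh edits only the Password stanzas, which suggests so), this scenario passes by construction while the control's intent is not verified. Either the check should also cover common-auth, or the pass fixtures should drop `nullok` from the Auth lines so the test does not enshrine the gap; please confirm against the OVAL, which is outside this series. The fixture also runs `rm "$config_file"` right after `pam-auth-update --enable tmp_unix`, so pam-auth-update's persisted record of enabled profiles presumably still names tmp_unix while the file is gone, and any later pam-auth-update run (the remediation performs one) will regenerate the common-* files without it — worth confirming this is the intended post-remediation state. The same profile heredoc is pasted verbatim into nullok_commented.pass.sh and nullok_present.fail.sh in this patch with only the Password lines differing; a small shared helper taking the Password/Password-Initial arguments would keep the three fixtures in step.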
@@ -1,7 +1,43 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu +# packages = pam +{{% if 'ubuntu' in product %}} +config_file=/usr/share/pam-configs/tmp_unix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so nullok try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so nullok +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt # nullok +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt # nullok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix + +rm "$config_file" + +{{% else %}} for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do sed -i --follow-symlinks '/nullok/d' $pam_file echo "# auth sufficient pam_unix.so try_first_pass nullok" >> $pam_file done +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh index 00ae6330142..004e9c3692d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh 
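Review bot: In the Ubuntu branch the `nullok` is hidden as a trailing `# nullok` on live `Password:` and `Password-Initial:` lines, whereas the `{{% else %}}` branch appends a whole commented-out line, so the two branches test different things. A pattern of the form used by nullok_present.fail.sh, `^[^#].*pam_unix\.so.*nullok`, matches the Ubuntu line because only the first column is constrained, so if the rule's OVAL regex is built the same way this pass scenario reports a finding; please confirm the check handles inline comments, or have the fixture emit a separate `# … pam_unix.so … nullok` comment line as the other branch does. It is also worth confirming that pam-auth-update copies the trailing comment through to /etc/pam.d/common-password unchanged rather than stripping or rejecting it, since the fixture depends on that.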
@@ -3,11 +3,37 @@ # packages = pam {{% if 'ubuntu' in product %}} -for FILE in "/etc/pam.d/common-password"; do - if ! grep -q "^[^#].*pam_unix\.so.*nullok" ${FILE}; then - sed -i 's/\(^[^#].*pam_unix\.so\)/\1 nullok/g' ${FILE} - fi -done +config_file=/usr/share/pam-configs/tmp_unix + +cat << EOF > "$config_file" +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so nullok try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so nullok +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok +Password-Initial: + [success=end default=ignore] pam_unix.so obscure yescrypt nullok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix + +rm "$config_file" {{% else %}} SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"