

Add 'required' check in oval
Add correct os into applicable platform
Update the ubuntu oval to pass on both required and requisite
Remove the check for authsucc since preauth can clear the count too
Implement individual tests for pam_faillock_{deny, unlock_time, interval}
alanmcanonical committed Dec 6, 2024
1 parent 9dee381 commit cf728c8
Showing 59 changed files with 189 additions and 571 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
#!/bin/bash
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@
<constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
<value>^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail</value>
</constant_variable>

<constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"
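Review bot: The new auth-section regex drops the trailing `authsucc` alternative without adding anything in its place, so this variable no longer verifies that any auth-phase entry resets the failure counter after a successful login; per the commit description that reset is now expected from the account-phase `pam_faillock.so` entry, which is covered by the separate account regex whose `constant_variable` starts at the end of this hunk and runs outside it. That assumption is not visible from the `comment` attribute, which still reads as if this regex validated the whole auth-side faillock setup; I would make it explicit, e.g. `comment="regex to identify pam_faillock.so preauth and authfail entries in auth section of pam files; the counter reset on success is expected from the account section and is not checked here"`. It is also worth a short note that `(requisite|required)` is accepted for the preauth line only, while the `authfail` line still requires the literal `[default=die]` control, so readers do not assume both lines were relaxed.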
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,4 @@

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#audit" > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
@@ -1,50 +1,24 @@
#!/bin/bash

# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
# Extra comments and whitespaces were added to test for edge cases

cat >/etc/pam.d/common-auth <<EOF
## Leading and trailing whitespaces should be ok
auth required pam_faillock.so preauth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
## Several lines of comments should not
## break faillock remediation logic
## Nor should commented pam_unix
#auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
## Some more user comments
auth [default=die] pam_faillock.so authfail
## and some more
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail
EOF


cat >/etc/pam.d/common-account <<EOF
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
account required pam_faillock.so
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
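Review bot: The exit status of `pam-auth-update` on the last line is never checked and the script does not `set -e`, so if the profiles are rejected (for example when pam-auth-update refuses because of local modifications to the managed block in `/etc/pam.d/common-auth`) the scenario continues against whatever stack was already present and its pass or fail is attributed to the wrong cause; `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` makes the setup fail loudly instead. If the two header comment lines about extra comments and whitespace survived as context, they no longer describe this file: the stack is now rendered by pam-auth-update from the two profiles, so the hand-crafted edge cases they refer to are gone, and I would replace them with `# Install pam_faillock through pam-auth-update profiles so the stack matches the documented Ubuntu layout`. The identical `@@ -1,50 +1,24 @@` hunk further down in this commit has the same two issues.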
Original file line number Diff line number Diff line change
@@ -1,7 +1,25 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail audit
EOF

sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth audit
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
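Review bot: The two profile bodies written to `/usr/share/pam-configs/faillock` and `/usr/share/pam-configs/faillock_notify` appear to be verbatim copies of the ones the sourced `ubuntu_common.sh` already installs, differing only in the `audit` option appended to the two auth lines; the `deny=1` scenario further down in this commit duplicates them the same way. If the shared profile ever changes its priority or control value these copies silently diverge and the scenario stops exercising the stack the other tests use. Since the script only needs to add an option to the auth entries, editing the installed profiles in place and re-running `pam-auth-update` keeps one source of truth, e.g. `sed -i '/pam_faillock\.so \(preauth\|authfail\)/ s/$/ audit/' /usr/share/pam-configs/faillock /usr/share/pam-configs/faillock_notify`. This assumes the profile blocks are on the new side of the hunk, which the rendered view does not mark.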
Original file line number Diff line number Diff line change
@@ -1,9 +1,4 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account

echo "audit" > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@

source ubuntu_common.sh

echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth
sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth
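Review bot: The `sed ... i\` on the new line is a silent no-op when `/etc/pam.d/common-auth` has no `# end of pam-auth-update config` marker (a hand-written file, or a pam-auth-update run that failed earlier), so the scenario would then run against the untouched stack and report a result for the wrong reason; the previous `>>` at least always changed the file. Guard it with `grep -q '^# end of pam-auth-update config' /etc/pam.d/common-auth || exit 1` before the `sed`. Inserting inside the pam-auth-update managed block also means any later `pam-auth-update` run rewrites the line away or refuses with a local-modification warning; that is presumably intended here, but it deserves a one-line comment such as `# inserted inside the managed block on purpose; do not run pam-auth-update after this`.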
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#deny=1" > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
@@ -1,50 +1,24 @@
#!/bin/bash

# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
# Extra comments and whitespaces were added to test for edge cases

cat >/etc/pam.d/common-auth <<EOF
## Leading and trailing whitespaces should be ok
auth required pam_faillock.so preauth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
## Several lines of comments should not
## break faillock remediation logic
## Nor should commented pam_unix
#auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
## Some more user comments
auth [default=die] pam_faillock.so authfail
## and some more
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail
EOF


cat >/etc/pam.d/common-account <<EOF
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
account required pam_faillock.so
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh

Original file line number Diff line number Diff line change
@@ -1,7 +1,26 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail deny=1
EOF

sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth deny=1
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,9 +1,5 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account
# variables = var_accounts_passwords_pam_faillock_deny=10

echo "deny=1" > /etc/security/faillock.conf
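Review bot: The `# variables = var_accounts_passwords_pam_faillock_deny=10` line sits after the `sed` calls rather than in the header block next to `# platform`, where every other scenario in this commit keeps it. If that line is on the new side at that position (the rendered view does not mark it), whether the test-suite metadata parser picks it up depends on whether it scans the whole file or only the leading comment block; moving it directly under `# platform = multi_platform_ubuntu` removes the doubt and matches the other scripts.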

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh

Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_fail_interval=800

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#fail_interval=900" > /etc/security/faillock.conf

