-
Notifications
You must be signed in to change notification settings - Fork 706
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement rule 5.3.3.3.2 Ensure password history is enforced for the …
…root user
- Loading branch information
1 parent
51f879b
commit 18fb0c5
Showing
6 changed files
with
131 additions
and
0 deletions.
There are no files selected for viewing
13 changes: 13 additions & 0 deletions
13
...locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # platform = multi_platform_ubuntu | ||
|
|
||
| {{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}} | ||
| conf_file=/usr/share/pam-configs/cac_pwhistory | ||
| if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\benforce_for_root\b' "$conf_file"; then | ||
| sed -i -E '/^Password:/,/^[^[:space:]]/ { | ||
| /pam_pwhistory\.so/ { | ||
| s/$/ enforce_for_root/g | ||
| } | ||
| }' "$conf_file" | ||
| fi | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory |
52 changes: 52 additions & 0 deletions
52
...ocking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| {{% if "sle12" in product or "debian" in product or "ubuntu" in product %}} | ||
| {{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}} | ||
| {{% else %}} | ||
| {{%- set accounts_password_pam_file = '/etc/pam.d/system-auth' -%}} | ||
| {{% endif %}} | ||
|
|
||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="2"> | ||
| {{{ oval_metadata("Enforce password history for root of pam_pwhistory.") }}} | ||
| <criteria operator="AND" comment="Check if pam_pwhistory.so is properly configured"> | ||
| <criterion test_ref="test_accounts_password_pam_pwhistory_enabled" | ||
| comment="pam_pwhistory.so is properly defined in password section of PAM file"/> | ||
| <criterion test_ref="test_accounts_password_pam_pwhistory_enforce_for_root_parameter" | ||
| comment="enforce_for_root parameter of pam_pwhistory.so is properly configured"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <!-- is pam_pwhistory.so enabled? --> | ||
| <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_enabled" | ||
| check="all" version="1" comment="Check pam_pwhistory.so presence in PAM file"> | ||
| <ind:object object_ref="object_accounts_password_pam_pwhistory_enabled"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_enabled" | ||
| version="1"> | ||
| <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath> | ||
| <ind:pattern var_ref="var_accounts_password_pam_pwhistory_module_regex" | ||
| var_check="at least one" operation="pattern match"/> | ||
| <ind:instance datatype="int">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <!-- variables used to check the module implementation --> | ||
| <local_variable id="var_accounts_password_pam_pwhistory_module_regex" | ||
| datatype="string" version="1" | ||
| comment="The regex is to confirm the pam_pwhistory.so module is enabled"> | ||
| <literal_component>^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so.*$</literal_component> | ||
| </local_variable> | ||
|
|
||
| <!-- Check the pam_pwhistory.so enforce_for_root parameter --> | ||
| <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_enforce_for_root_parameter" version="1" | ||
| check="all" check_existence="all_exist" | ||
| comment="Test if enforce_for_root attribute of pam_pwhistory.so is set correctly in {{{ accounts_password_pam_file }}}"> | ||
| <ind:object object_ref="object_accounts_password_pam_pwhistory_enforce_for_root_parameter" /> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_enforce_for_root_parameter" version="1"> | ||
| <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath> | ||
| <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#]*\benforce_for_root\b.*$</ind:pattern> | ||
| <ind:instance datatype="int">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| </def-group> |
18 changes: 18 additions & 0 deletions
18
...s-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| documentation_complete: true | ||
|
|
||
|
|
||
| title: 'Limit Password Reuse' | ||
|
|
||
| description: |- | ||
| Do not allow root to reuse recent passwords. This can be | ||
| accomplished by using the <tt>enforce_for_root</tt> option for the | ||
| <tt>pam_pwhistory</tt> PAM modules. | ||
| <br /><br /> | ||
| In the file <tt>/etc/pam.d/common-password</tt>, make sure the parameters | ||
| <tt>enforce_for_root</tt> is present. | ||
| rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.' | ||
|
|
||
| severity: medium | ||
|
|
||
| platform: package[pam] |
16 changes: 16 additions & 0 deletions
16
...tempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ubuntu | ||
| # packages = pam | ||
|
|
||
| config_file=/usr/share/pam-configs/tmp_pwhistory | ||
|
|
||
| cat << EOF > "$config_file" | ||
| Name: pwhistory password history checking | ||
| Default: yes | ||
| Priority: 1024 | ||
| Password-Type: Primary | ||
| Password: requisite pam_pwhistory.so try_first_pass use_authtok | ||
| EOF | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory | ||
| rm "$config_file" |
16 changes: 16 additions & 0 deletions
16
...mpts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ubuntu | ||
| # packages = pam | ||
|
|
||
| config_file=/usr/share/pam-configs/tmp_pwhistory | ||
|
|
||
| cat << EOF > "$config_file" | ||
| Name: pwhistory password history checking | ||
| Default: yes | ||
| Priority: 1024 | ||
| Password-Type: Primary | ||
| Password: requisite pam_pwhistory.so remember=6 try_first_pass use_authtok # enforce_for_root | ||
| EOF | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory | ||
| rm "$config_file" |
16 changes: 16 additions & 0 deletions
16
..._attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ubuntu | ||
| # packages = pam | ||
|
|
||
| config_file=/usr/share/pam-configs/tmp_pwhistory | ||
|
|
||
| cat << EOF > "$config_file" | ||
| Name: pwhistory password history checking | ||
| Default: yes | ||
| Priority: 1024 | ||
| Password-Type: Primary | ||
| Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok | ||
| EOF | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory | ||
| rm "$config_file" |