Skip to content

Commit

Permalink
Move regex into smaller checks and restrict ubuntu2004 tests
Browse files Browse the repository at this point in the history
This commit will move a bigger regex check into smaller regex variables. Applying the commit will result in the order of the file to not matter, so long as the arguments are the same. This originally was not the case, and needed to be in a precise order.

Ubuntu2004 STIG guidelines for UBTU-20-010072 do not require that the parameter must not exist within common-auth if it already exists in /etc/security/faillock.conf. Additionally, there is no need to use "accounts" parameter as this is not needed per STIG guidelines.
  • Loading branch information
dexterle committed Jul 17, 2023
1 parent 5ce8815 commit 0397b8c
Show file tree
Hide file tree
Showing 5 changed files with 66 additions and 69 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
comment="Check expected value for pam_faillock.so audit parameter">
<criteria operator="AND"
comment="Check expected pam_faillock.so audit parameter in pam files">
{{% if 'ubuntu' not in product %}}
{{% if 'ubuntu2004' not in product %}}
<criterion
test_ref="test_pam_faillock_audit_parameter_system_auth"
comment="Check the audit parameter in auth section of system-auth file"/>
Expand All @@ -24,15 +24,15 @@
test_ref="test_pam_faillock_audit_parameter_common_auth"
comment="Check the audit parmaeter in auth section of common-auth file"/>
{{% endif %}}
{{% if 'ubuntu' not in product %}}
{{% if 'ubuntu2004' not in product %}}
<criterion
test_ref="test_pam_faillock_audit_parameter_no_faillock_conf"
comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
{{% endif %}}
</criteria>
<criteria operator="AND"
comment="Check expected pam_faillock.so audit parameter in faillock.conf">
{{% if 'ubuntu' not in product %}}
{{% if 'ubuntu2004' not in product %}}
<criterion
test_ref="test_pam_faillock_audit_parameter_no_pamd_system"
comment="Check the audit parameter is not present system-auth file"/>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,28 +34,21 @@
</constant_variable>

<constant_variable
id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_preauth_regex"
id="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_preauth_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*$</value>
</constant_variable>

<constant_variable
id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_unix_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth.*pam_unix\.so.*$</value>
</constant_variable>

<constant_variable
id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authfail_regex"
id="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_authfail_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$</value>
</constant_variable>

<constant_variable
id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authsucc_regex"
id="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_authsucc_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$</value>
Expand Down Expand Up @@ -110,13 +103,13 @@
comment="Check common definition of pam_faillock.so in auth section of common-auth">
<ind:filepath>/etc/pam.d/common-auth</ind:filepath>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_preauth_regex"/>
var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_preauth_regex"/>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_unix_regex"/>
var_ref="var_accounts_passwords_pam_faillock_interval_pam_unix_regex"/>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authfail_regex"/>
var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_authfail_regex"/>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authsucc_regex"/>
var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_authsucc_regex"/>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

Expand Down Expand Up @@ -158,7 +151,7 @@
<ind:textfilecontent54_object version="1"
id="object_accounts_passwords_pam_faillock_interval_parameter_pamd_common"
comment="Get the pam_faillock.so fail_interval parameter from common-auth file">
<ind:filepath>/etc/pam.d/comon-auth</ind:filepath>
<ind:filepath>/etc/pam.d/common-auth</ind:filepath>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_fail_interval_parameter_regex"/>
<ind:instance datatype="int" operation="equals">1</ind:instance>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
that if faillock.conf is available, authselect tool only manage parameters on it -->
<criteria operator="OR"
comment="Check expected value for pam_faillock.so silent parameter">
{{% if 'ubuntu' not in product %}}
{{% if 'ubuntu2004' not in product %}}
<criteria operator="AND"
comment="Check expected pam_faillock.so silent parameter in pam files">
<criterion
Expand All @@ -23,7 +23,7 @@
{{% endif %}}
<criteria operator="AND"
comment="Check expected pam_faillock.so silent parameter in faillock.conf">
{{% if 'ubuntu' not in product %}}
{{% if 'ubuntu2004' not in product %}}
<criterion
test_ref="test_pam_faillock_silent_parameter_no_pamd_system"
comment="Check the silent parameter is not present system-auth file"/>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,17 @@
comment="pam_unix.so appears only once in auth section of common-auth"/>
<criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_common_pam_faillock_auth"
comment="pam_faillock.so is properly defined in auth section of common-auth"/>
{{% if 'ubuntu2004' not in product %}}
<criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_common_pam_faillock_account"
comment="pam_faillock.so is properly defined in common-account"/>
{{% endif %}}
</criteria>
<criteria operator="OR"
comment="Check expected value for pam_faillock.so unlock_time parameter">
{{% if 'ubuntu2004' in product %}}
<criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_common"
comment="Check the unlock_time parameter is not present common-auth file"/>
{{% endif %}}
<criterion test_ref="test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf"
comment="Ensure the unlock_time parameter is present in /etc/security/faillock.conf"/>
</criteria>
Expand All @@ -31,10 +35,25 @@
<value>^\s*auth.*pam_unix\.so</value>
</constant_variable>

<constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"
<constant_variable
id="var_accounts_passwords_pam_faillock_unlock_pam_faillock_auth_authfail_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$</value>
</constant_variable>

<constant_variable
id="var_accounts_passwords_pam_faillock_unlock_pam_faillock_auth_authsucc_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*\n^\s*auth.*pam_unix\.so.*\n^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*\n^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$</value>
<value>^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$</value>
</constant_variable>

<constant_variable
id="var_accounts_passwords_pam_faillock_unlock_pam_faillock_auth_preauth_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*$</value>
</constant_variable>

<constant_variable id="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_account_regex"
Expand Down Expand Up @@ -86,7 +105,13 @@
comment="Check common definition of pam_faillock.so in auth section of common-auth">
<ind:filepath>/etc/pam.d/common-auth</ind:filepath>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_faillock_auth_regex"/>
var_ref="var_accounts_passwords_pam_faillock_unlock_pam_faillock_auth_authfail_regex"/>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_unlock_pam_faillock_auth_authsucc_regex"/>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_unlock_pam_faillock_auth_preauth_regex"/>
<ind:pattern operation="pattern match"
var_ref="var_accounts_passwords_pam_faillock_unlock_time_pam_unix_regex"/>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

Expand Down
71 changes: 25 additions & 46 deletions shared/macros/10-ansible.jinja
Original file line number Diff line number Diff line change
Expand Up @@ -985,6 +985,14 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul

{{{ ansible_check_authselect_presence() }}}

- name: {{{ rule_title }}} - Set /etc/pam.d/ path facts
set_fact:
{{% if 'ubuntu' in product %}}
pam_path: ['/etc/pam.d/common-auth']
{{% else %}}
pam_path: ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']
{{% endif %}}

- name: {{{ rule_title }}} - Remediation where authselect tool is present
block:
{{{ ansible_enable_authselect_feature('with-faillock') | indent(4) }}}
Expand Down Expand Up @@ -1016,16 +1024,11 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
insertbefore: ^auth.*sufficient.*pam_unix\.so.*
{{% endif %}}
state: present
loop:
{{% if 'ubuntu' in product %}}
- /etc/pam.d/common-auth
{{% else %}}
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
{{% endif %}}
loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
{{% if 'ubuntu' not in product %}}

{{% if 'ubuntu' in product %}}
- name: {{{ rule_title }}} - Enable pam_faillock.so authsucc editing PAM files
ansible.builtin.lineinfile:
path: /etc/pam.d/common-auth
Expand All @@ -1046,13 +1049,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
{{% endif %}}
insertbefore: ^auth.*required.*pam_deny\.so.*
state: present
loop:
{{% if 'ubuntu' in product %}}
- /etc/pam.d/common-auth
{{% else %}}
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
{{% endif %}}
loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0

Expand All @@ -1063,9 +1060,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
line: account required pam_faillock.so
insertbefore: ^account.*required.*pam_unix\.so.*
state: present
loop:
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
loop: '{{ pam_path }}'
when:
- result_pam_faillock_is_enabled.found == 0
{{% endif %}}
Expand Down Expand Up @@ -1093,6 +1088,14 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
{{{ ansible_instantiate_variables( faillock_var_name ) }}}
{{%- endif %}}

- name: {{{ rule_title }}} - Set /etc/pam.d/ path facts
set_fact:
{{% if 'ubuntu' in product %}}
pam_path: ['/etc/pam.d/common-auth']
{{% else %}}
pam_path: ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']
{{% endif %}}

- name: {{{ rule_title }}} - Check the presence of /etc/security/faillock.conf file
ansible.builtin.stat:
path: /etc/security/faillock.conf
Expand Down Expand Up @@ -1150,13 +1153,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
line: \1required\3 {{{ parameter }}}={{ {{{ faillock_var_name }}} }}
{{%- endif %}}
state: present
loop:
{{% if 'ubuntu' in product %}}
- /etc/pam.d/common-auth
{{% else %}}
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
{{% endif %}}
loop: '{{ pam_path }}'
when:
- result_pam_faillock_{{{ parameter }}}_parameter_is_present.found == 0

Expand All @@ -1172,13 +1169,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
line: \1required\3 {{{ parameter }}}={{ {{{ faillock_var_name }}} }}
{{%- endif %}}
state: present
loop:
{{% if 'ubuntu' in product %}}
- /etc/pam.d/common-auth
{{% else %}}
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
{{% endif %}}
loop: '{{ pam_path }}'
when:
- result_pam_faillock_{{{ parameter }}}_parameter_is_present.found == 0
{{%- endif %}}
Expand All @@ -1191,13 +1182,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)({{{ parameter }}})=[0-9]+(.*)
line: \1required\3\4={{ {{{ faillock_var_name }}} }}\5
state: present
loop:
{{% if 'ubuntu' in product %}}
- /etc/pam.d/common-auth
{{% else %}}
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
{{% endif %}}
loop: '{{ pam_path }}'
when:
- result_pam_faillock_{{{ parameter }}}_parameter_is_present.found > 0

Expand All @@ -1209,13 +1194,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)({{{ parameter }}})=[0-9]+(.*)
line: \1required\3\4={{ {{{ faillock_var_name }}} }}\5
state: present
loop:
{{% if 'ubuntu' in product %}}
- /etc/pam.d/common-auth
{{% else %}}
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
{{% endif %}}
loop: '{{ pam_path }}'
when:
- result_pam_faillock_{{{ parameter }}}_parameter_is_present.found > 0
{{%- endif %}}
Expand Down

0 comments on commit 0397b8c

Please sign in to comment.