-
Notifications
You must be signed in to change notification settings - Fork 706
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Introduce rule authconfig_config_files_symlinks
This new rule covers the DISA STIG requirement OL07-00-010199. Add OVAL checks and a few tests for this new rule. Also include this rule in OL7 stig profile. Signed-off-by: Federico Ramirez <[email protected]>
- Loading branch information
Showing
6 changed files
with
187 additions
and
0 deletions.
There are no files selected for viewing
43 changes: 43 additions & 0 deletions
43
linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("Prevent overwriting of custom authentication configuration settings by the authconfig utility") }}} | ||
| <criteria operator="AND" comment="password-auth and system-auth are symlinks"> | ||
| <criterion comment="/etc/pam.d/password-auth is a symlink and points to /etc/pam.d/password-auth-local" | ||
| test_ref="test_password-auth_is_a_symlink" /> | ||
| <criterion comment="/etc/pam.d/system-auth is a symlink and points to /etc/pam.d/system-auth-local" | ||
| test_ref="test_system-auth_is_a_symlink" /> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <unix:symlink_test check="all" check_existence="all_exist" | ||
| comment="/etc/pam.d/password-auth is a symlink and points to /etc/pam.d/password-auth-local" | ||
| id="test_password-auth_is_a_symlink" version="1"> | ||
| <unix:object object_ref="object_password-auth_is_a_symlink" /> | ||
| <unix:state state_ref="state_password-auth_is_a_symlink" /> | ||
| </unix:symlink_test> | ||
|
|
||
| <unix:symlink_test check="all" check_existence="all_exist" | ||
| comment="/etc/pam.d/system-auth is a symlink and points to /etc/pam.d/system-auth-local" | ||
| id="test_system-auth_is_a_symlink" version="1"> | ||
| <unix:object object_ref="object_system-auth_is_a_symlink" /> | ||
| <unix:state state_ref="state_system-auth_is_a_symlink" /> | ||
| </unix:symlink_test> | ||
|
|
||
| <unix:symlink_object comment="/etc/pam.d/system-auth is a symlink" id="object_system-auth_is_a_symlink" version="1"> | ||
| <unix:filepath>/etc/pam.d/system-auth</unix:filepath> | ||
| </unix:symlink_object> | ||
|
|
||
| <unix:symlink_object comment="/etc/pam.d/password-auth is a symlink" id="object_password-auth_is_a_symlink" version="1"> | ||
| <unix:filepath>/etc/pam.d/password-auth</unix:filepath> | ||
| </unix:symlink_object> | ||
|
|
||
| <unix:symlink_state comment="/etc/pam.d/system-auth points to /etc/pam.d/system-auth-local" | ||
| id="state_system-auth_is_a_symlink" version="1"> | ||
| <unix:canonical_path>/etc/pam.d/system-auth-local</unix:canonical_path> | ||
| </unix:symlink_state> | ||
|
|
||
| <unix:symlink_state comment="/etc/pam.d/password-auth points to /etc/pam.d/password-auth-local" | ||
| id="state_password-auth_is_a_symlink" version="1"> | ||
| <unix:canonical_path>/etc/pam.d/password-auth-local</unix:canonical_path> | ||
| </unix:symlink_state> | ||
| </def-group> |
56 changes: 56 additions & 0 deletions
56
linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: ol7 | ||
|
|
||
| title: 'Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local' | ||
|
|
||
| description: |- | ||
| {{{ full_name }}} must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | ||
| This can be avoided by creating new local configuration files and creating new or moving existing | ||
| symbolic links to them. The authconfig utility will recognize the local configuration files and not | ||
| overwrite them, while writing its own settings to the original configuration files. | ||
| rationale: |- | ||
| When using the authconfig utility to modify authentication configuration settings, the "system-auth" | ||
| and "password-auth" files and any custom settings that they may contain are overwritten. | ||
| severity: medium | ||
|
|
||
| references: | ||
| disa: CCI-000196 | ||
| srg: SRG-OS-000073-GPOS-00041 | ||
| stigid@ol7: OL07-00-010199 | ||
|
|
||
| ocil_clause: 'The system-auth and password-auth files are not symbolic links or they do not point to system-auth-local password-auth-local' | ||
|
|
||
| ocil: |- | ||
| Verify "system-auth" and "password-auth" files are symbolic links pointing to "system-auth-local" and "password-auth-local": | ||
| <pre>$ sudo ls -l /etc/pam.d/{password,system}-auth</pre> | ||
| fixtext: |- | ||
| Create custom configuration files and their corresponding symbolic links: | ||
| Rename the existing configuration files (skip this step if symbolic links are already present): | ||
| <pre>$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> | ||
| <pre>$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac</pre> | ||
| Create custom system- and password-auth configuration file: | ||
| <pre>$ sudo touch /etc/pam.d/{system,password}-auth-local</pre> | ||
| Make sure the custom config files include the -ac files: | ||
| <pre>(type) include password-auth-ac</pre> | ||
| Create new or move existing symbolic links to the new custom configuration files: | ||
| <pre>$ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth</pre> | ||
| <pre>$ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth</pre> | ||
| Once finished, the file structure should be the following: | ||
| <pre>$ sudo ls -1 /etc/pam.d/{password,system}-auth* | ||
| /etc/pam.d/password-auth | ||
| /etc/pam.d/password-auth-ac | ||
| /etc/pam.d/password-auth-local | ||
| /etc/pam.d/system-auth | ||
| /etc/pam.d/system-auth-ac | ||
| /etc/pam.d/system-auth-local</pre> | ||
41 changes: 41 additions & 0 deletions
41
linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ol,multi_platform_rhel | ||
| # remediation = none | ||
|
|
||
| mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac | ||
| mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac | ||
|
|
||
| cat << EOF > /etc/pam.d/system-auth-local | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include system-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include system-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include system-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include system-auth-ac | ||
| EOF | ||
|
|
||
| cat << EOF > /etc/pam.d/password-auth-local | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include password-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include password-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include password-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include password-auth-ac | ||
| EOF | ||
|
|
||
| ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth | ||
| ln -s /etc/pam.d/password-auth-local /etc/pam.d/password-auth |
5 changes: 5 additions & 0 deletions
5
linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ol,multi_platform_rhel | ||
| # remediation = none | ||
|
|
||
| touch /etc/pam.d/{password,system}-auth-{mycustomconfig,ac} |
41 changes: 41 additions & 0 deletions
41
...uide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ol,multi_platform_rhel | ||
| # remediation = none | ||
|
|
||
| mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac | ||
| mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac | ||
|
|
||
| cat << EOF > /etc/pam.d/system-auth-mycustomconfig | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include system-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include system-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include system-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include system-auth-ac | ||
| EOF | ||
|
|
||
| cat << EOF > /etc/pam.d/password-auth-mycustomconfig | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include password-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include password-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include password-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include password-auth-ac | ||
| EOF | ||
|
|
||
| ln -s /etc/pam.d/system-auth-mycustomconfig /etc/pam.d/system-auth | ||
| ln -s /etc/pam.d/password-auth-mycustomconfig /etc/pam.d/password-auth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters