-
Notifications
You must be signed in to change notification settings - Fork 710
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #10129 from freddieRv/authconfig-config-files-syml…
…inks Introduce new rule authconfig_config_files_symlinks
- Loading branch information
Showing
8 changed files
with
212 additions
and
5 deletions.
There are no files selected for viewing
48 changes: 48 additions & 0 deletions
48
linux_os/guide/system/auditing/authconfig_config_files_symlinks/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local") }}} | ||
| <criteria operator="AND" comment="password-auth and system-auth are symlinks"> | ||
| <criterion comment="/etc/pam.d/password-auth is a symlink and | ||
| points to /etc/pam.d/password-auth-local" | ||
| test_ref="test_password-auth_is_a_symlink" /> | ||
| <criterion comment="/etc/pam.d/system-auth is a symlink and | ||
| points to /etc/pam.d/system-auth-local" | ||
| test_ref="test_system-auth_is_a_symlink" /> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <unix:symlink_test check="all" check_existence="all_exist" | ||
| comment="/etc/pam.d/password-auth is a symlink and points to /etc/pam.d/password-auth-local" | ||
| id="test_password-auth_is_a_symlink" version="1"> | ||
| <unix:object object_ref="object_password-auth_is_a_symlink" /> | ||
| <unix:state state_ref="state_password-auth_is_a_symlink" /> | ||
| </unix:symlink_test> | ||
|
|
||
| <unix:symlink_test check="all" check_existence="all_exist" | ||
| comment="/etc/pam.d/system-auth is a symlink and points to /etc/pam.d/system-auth-local" | ||
| id="test_system-auth_is_a_symlink" version="1"> | ||
| <unix:object object_ref="object_system-auth_is_a_symlink" /> | ||
| <unix:state state_ref="state_system-auth_is_a_symlink" /> | ||
| </unix:symlink_test> | ||
|
|
||
| <unix:symlink_object comment="/etc/pam.d/system-auth is a symlink" | ||
| id="object_system-auth_is_a_symlink" version="1"> | ||
| <unix:filepath>/etc/pam.d/system-auth</unix:filepath> | ||
| </unix:symlink_object> | ||
|
|
||
| <unix:symlink_object comment="/etc/pam.d/password-auth is a symlink" | ||
| id="object_password-auth_is_a_symlink" version="1"> | ||
| <unix:filepath>/etc/pam.d/password-auth</unix:filepath> | ||
| </unix:symlink_object> | ||
|
|
||
| <unix:symlink_state comment="/etc/pam.d/system-auth points to /etc/pam.d/system-auth-local" | ||
| id="state_system-auth_is_a_symlink" version="1"> | ||
| <unix:canonical_path>/etc/pam.d/system-auth-local</unix:canonical_path> | ||
| </unix:symlink_state> | ||
|
|
||
| <unix:symlink_state | ||
| comment="/etc/pam.d/password-auth points to /etc/pam.d/password-auth-local" | ||
| id="state_password-auth_is_a_symlink" version="1"> | ||
| <unix:canonical_path>/etc/pam.d/password-auth-local</unix:canonical_path> | ||
| </unix:symlink_state> | ||
| </def-group> |
75 changes: 75 additions & 0 deletions
75
linux_os/guide/system/auditing/authconfig_config_files_symlinks/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: ol7,rhel7 | ||
|
|
||
| title: |- | ||
| Ensure system-auth and password-auth files are symbolic links pointing | ||
| to system-auth-local and password-auth-local | ||
| description: |- | ||
| {{{ full_name }}} must be configured to prevent overwriting of custom authentication | ||
| configuration settings by the authconfig utility. | ||
| This can be avoided by creating new local configuration files and creating new or moving | ||
| existing symbolic links to them. The authconfig utility will recognize the local configuration | ||
| files and not overwrite them, while writing its own settings to the original configuration | ||
| files. | ||
| rationale: |- | ||
| When using the authconfig utility to modify authentication configuration settings, | ||
| the "system-auth" and "password-auth" files and any custom settings that they may | ||
| contain are overwritten. | ||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@rhel7: CCE-86062-7 | ||
|
|
||
| references: | ||
| disa: CCI-000196 | ||
| srg: SRG-OS-000073-GPOS-00041 | ||
| stigid@ol7: OL07-00-010199 | ||
| stigid@rhel7: RHEL-07-010199 | ||
|
|
||
| warnings: | ||
| - general: |- | ||
| This rule doesn't come with a remediation. PAM files are very sensible to ordering and | ||
| custom PAM files make it nearly impossible to design an automated remediation that | ||
| is safe to use for all cases. | ||
| ocil_clause: |- | ||
| The system-auth and password-auth files are not symbolic links or they | ||
| do not point to system-auth-local password-auth-local | ||
| ocil: |- | ||
| Verify "system-auth" and "password-auth" files are symbolic | ||
| links pointing to "system-auth-local" and "password-auth-local": | ||
| <pre>$ sudo ls -l /etc/pam.d/{password,system}-auth</pre> | ||
| fixtext: |- | ||
| Create custom configuration files and their corresponding symbolic links: | ||
| Rename the existing configuration files | ||
| (skip this step if symbolic links are already present): | ||
| <pre>$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> | ||
| <pre>$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac</pre> | ||
| Create custom system- and password-auth configuration file: | ||
| <pre>$ sudo touch /etc/pam.d/{system,password}-auth-local</pre> | ||
| Make sure the custom config files include the -ac files: | ||
| <pre>(type) include password-auth-ac</pre> | ||
| Create new or move existing symbolic links to the new custom configuration files: | ||
| <pre>$ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth</pre> | ||
| <pre>$ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth</pre> | ||
| Once finished, the file structure should be the following: | ||
| <pre>$ sudo ls -1 /etc/pam.d/{password,system}-auth* | ||
| /etc/pam.d/password-auth | ||
| /etc/pam.d/password-auth-ac | ||
| /etc/pam.d/password-auth-local | ||
| /etc/pam.d/system-auth | ||
| /etc/pam.d/system-auth-ac | ||
| /etc/pam.d/system-auth-local</pre> | ||
41 changes: 41 additions & 0 deletions
41
linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/correct_set-up.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ol,multi_platform_rhel | ||
| # remediation = none | ||
|
|
||
| mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac | ||
| mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac | ||
|
|
||
| cat << EOF > /etc/pam.d/system-auth-local | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include system-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include system-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include system-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include system-auth-ac | ||
| EOF | ||
|
|
||
| cat << EOF > /etc/pam.d/password-auth-local | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include password-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include password-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include password-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include password-auth-ac | ||
| EOF | ||
|
|
||
| ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth | ||
| ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth |
5 changes: 5 additions & 0 deletions
5
linux_os/guide/system/auditing/authconfig_config_files_symlinks/tests/no_symlinks.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ol,multi_platform_rhel | ||
| # remediation = none | ||
|
|
||
| touch /etc/pam.d/{password,system}-auth-{mycustomconfig,ac} |
41 changes: 41 additions & 0 deletions
41
...uide/system/auditing/authconfig_config_files_symlinks/tests/symlinks_wrong_target.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ol,multi_platform_rhel | ||
| # remediation = none | ||
|
|
||
| mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac | ||
| mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac | ||
|
|
||
| cat << EOF > /etc/pam.d/system-auth-mycustomconfig | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include system-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include system-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include system-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include system-auth-ac | ||
| EOF | ||
|
|
||
| cat << EOF > /etc/pam.d/password-auth-mycustomconfig | ||
| auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| auth include password-auth-ac | ||
| auth sufficient pam_unix.so try_first_pass | ||
| auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 | ||
| account required pam_faillock.so | ||
| account include password-auth-ac | ||
| password requisite pam_pwhistory.so use_authtok remember=5 retry=3 | ||
| password include password-auth-ac | ||
| password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok | ||
| session include password-auth-ac | ||
| EOF | ||
|
|
||
| ln -sf /etc/pam.d/system-auth-mycustomconfig /etc/pam.d/system-auth | ||
| ln -sf /etc/pam.d/password-auth-mycustomconfig /etc/pam.d/password-auth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,3 @@ | ||
| CCE-86035-3 | ||
| CCE-86036-1 | ||
| CCE-86037-9 | ||
| CCE-86039-5 | ||
| CCE-86062-7 | ||
| CCE-86063-5 | ||
| CCE-86064-3 | ||
| CCE-86065-0 | ||
|
|
||