Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root #10567
Conversation
Hi @rumch-se. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check. New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
@@ -165,6 +165,9 @@
[reference]:
SRG-OS-000021-GPOS-00005
+[reference]:
+5.3.2
+
[rationale]:
By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
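Review bot: the added reference at "+5.3.2" is a bare section number, while the existing entry (SRG-OS-000021-GPOS-00005) identifies its source on its own; a reader of the rendered datastream cannot tell which benchmark section 5.3.2 belongs to, so check that the reference key used in rule.yml is one the build maps to a named benchmark rather than a free-form number.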
OCIL for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root' differs.
--- ocil:ssg-accounts_passwords_pam_tally2_deny_root_ocil:questionnaire:1
+++ ocil:ssg-accounts_passwords_pam_tally2_deny_root_ocil:questionnaire:1
@@ -1,6 +1,6 @@
To ensure that even the root account is locked after a defined number of failed password
attempts, run the following command:
-$ grep even_deny_root /etc/pam.d/common-auth
+$ grep even_deny_root /etc/pam.d/login
The output should show even_deny_root.
Is it the case that limiting the number of failed logon attempts for the root user is not configured?
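Review bot: the questionnaire now greps only /etc/pam.d/login, so the manual check passes when even_deny_root is configured for the login service alone; if the rule is meant to lock root for every service that stacks the shared auth configuration (the file the check used to inspect), the check text should say that the scope is the login service, or the grep should cover the other file as well.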
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
@@ -1,20 +1,22 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
-if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-auth"; then
+if grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s.*\bonerr=fail\b' "/etc/pam.d/login"; then
+ sed -i -E --follow-symlinks 's/(.*auth.*'"required"'.*pam_tally2.so.*)\sonerr=fail=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/login"
+fi
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/login"; then
# Line matching group + control + module was not found. Check group + module.
- if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-auth")" -eq 1 ]; then
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-auth"
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/login"
else
- echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/common-auth"
+ echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/login"
fi
fi
# Check the option
-if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\seven_deny_root\b' "/etc/pam.d/common-auth"; then
- sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ even_deny_root/' "/etc/pam.d/common-auth"
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\seven_deny_root\b' "/etc/pam.d/login"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ even_deny_root/' "/etc/pam.d/login"
fi
-
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
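Review bot: the new block at "+if grep -qP ... \bonerr=fail\b" strips onerr=fail from the pam_tally2 auth line, which moves the module from failing closed to its default of succeeding when the tally file cannot be read; nothing in this diff explains that change, so either the rule description should state why the option is removed or the removal should be dropped. Two smaller points on the same block: the sed pattern "\sonerr=fail=?[[:alnum:]]*" will also swallow any token glued to the option, which pam_tally2 does not define, so "\sonerr=fail\b" would be the safer match; and the auth stanza now targets /etc/pam.d/login while the account stanza that follows still edits /etc/pam.d/common-account, so the two halves of the rule are applied to different PAM services.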
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
@@ -14,9 +14,29 @@
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Check if expected PAM module line is present in /etc/pam.d/common-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/common-auth
+ - Ensure the "onerr=fail" option from "pam_tally2.so" is not present in /etc/pam.d/login
+ ansible.builtin.replace:
+ dest: /etc/pam.d/login
+ regexp: (.*auth.*required.*pam_tally2.so.*)\bonerr=fail\b=?[0-9a-zA-Z]*(.*)
+ replace: \1\2
+ register: result_pam_option_removal
+ when: '"pam" in ansible_facts.packages'
+ tags:
+ - CCE-91546-2
+ - NIST-800-53-AC-7(b)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(c)
+ - accounts_passwords_pam_tally2_deny_root
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+
+- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
+ - Check if expected PAM module line is present in /etc/pam.d/login
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/login
regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*
state: absent
check_mode: true
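Review bot: the regexp in the new ansible.builtin.replace task, "(.*auth.*required.*pam_tally2.so.*)\bonerr=fail\b=?[0-9a-zA-Z]*(.*)", does not capture the space before onerr=fail the way the bash sed does with "\sonerr=fail", so "\1\2" leaves a doubled or trailing space on the rewritten line; add "\s" before "\bonerr" so both remediations produce the same text. The registered result_pam_option_removal is not referenced in any visible hunk; drop the register unless a later task consumes it.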
@@ -36,14 +56,14 @@
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Include or update the PAM module line in /etc/pam.d/common-auth
+ - Include or update the PAM module line in /etc/pam.d/login
block:
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Check if required PAM module line is present in /etc/pam.d/common-auth with
- different control
- ansible.builtin.lineinfile:
- path: /etc/pam.d/common-auth
+ - Check if required PAM module line is present in /etc/pam.d/login with different
+ control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/login
regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
state: absent
check_mode: true
@@ -51,9 +71,9 @@
register: result_pam_line_other_control_present
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Ensure the correct control for the required PAM module line in /etc/pam.d/common-auth
+ - Ensure the correct control for the required PAM module line in /etc/pam.d/login
ansible.builtin.replace:
- dest: /etc/pam.d/common-auth
+ dest: /etc/pam.d/login
regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
replace: \1required \2
register: result_pam_module_edit
@@ -61,9 +81,9 @@
- result_pam_line_other_control_present.found == 1
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Ensure the required PAM module line is included in /etc/pam.d/common-auth
- ansible.builtin.lineinfile:
- dest: /etc/pam.d/common-auth
+ - Ensure the required PAM module line is included in /etc/pam.d/login
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/login
line: auth required pam_tally2.so
register: result_pam_module_add
when:
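Review bot: the lineinfile task at "+ dest: /etc/pam.d/login" with "line: auth required pam_tally2.so" and no insertbefore/insertafter appends the module at the bottom of the file, matching the bash "echo ... >> /etc/pam.d/login" but leaving its position in the auth stack undefined; where pam_tally2.so sits relative to existing auth entries decides whether it runs on every failed attempt (an earlier sufficient or requisite entry can short-circuit the stack), so an insertbefore anchored on the first existing auth line would make the placement deterministic.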
@@ -97,9 +117,9 @@
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Check if the required PAM module option is present in /etc/pam.d/common-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/common-auth
+ - Check if the required PAM module option is present in /etc/pam.d/login
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/login
regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*\seven_deny_root\b
state: absent
check_mode: true
@@ -119,9 +139,9 @@
- restrict_strategy
- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
- - Ensure the "even_deny_root" PAM option for "pam_tally2.so" is included in /etc/pam.d/common-auth
- ansible.builtin.lineinfile:
- path: /etc/pam.d/common-auth
+ - Ensure the "even_deny_root" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/login
backrefs: true
regexp: ^(\s*auth\s+required\s+pam_tally2.so.*)
line: \1 even_deny_root |
…rd_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml Co-authored-by: Gabriel Becker <[email protected]>
Hello @ggbecker
Hello @marcusburghardt
Code Climate has analyzed commit a5f1f43 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.5% (0.1% change).
LGTM 👍
Automatus errors are not related to this PR and were already fixed here: #10582