
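---
# CI for the PAM hardening in harden.yml (tag `pam`).
#
# Two jobs check the PAM stack before and after hardening:
#   * pamtester  – exercises cron, atd, su and the /etc/pam.d/other fallback
#                  with the `nobody` account via the pamtester CLI.
#   * libpamtest – builds tests/test (libpamtest + cmocka + pam_wrapper) and
#                  authenticates against pam_matrix, then checks that the
#                  hardened config denies logins, denies su and that a failed
#                  login is recorded by pam_faillock.
# auth.log and the resulting /etc/pam.d/common-* files are uploaded as an
# artifact for diagnosis.
name: pam

on: [push, pull_request]

# Least privilege for GITHUB_TOKEN: the jobs only check the repository out.
# (actions/upload-artifact authenticates with the runner's own runtime token,
# so it needs no additional scope here.)
permissions:
  contents: read

env:
  ANSIBLE_FORCE_COLOR: '1'

defaults:
  run:
    # Naming the shell explicitly runs steps with `bash -eo pipefail`; the
    # implicit default is only `bash -e`, which would let a failure on the left
    # side of a pipeline go unnoticed.
    shell: bash

jobs:
  pamtester:
    # `ubuntu-latest` floats between Ubuntu releases; pin (e.g. ubuntu-22.04)
    # if a PAM module or config path turns out to be release-specific.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Supply chain: a floating tag can be moved. Pin to a full commit SHA
        # (`actions/checkout@<sha> # vX.Y.Z`) once a release is chosen.
        uses: actions/checkout@v4
      - name: Install pamtester and test prerequisites
        # Refresh the package index first; the image's apt lists go stale and
        # `apt-get install` then fails on package versions that no longer exist.
        run: |
          sudo apt-get update
          sudo apt-get install -y pamtester cron at
      - name: Test pre-harden
        # Positive checks: the unhardened stack must allow all of these. Each
        # `|| exit 1` turns a PAM denial into a step failure.
        run: |
          # Everyone is allowed to use cron
          pamtester cron nobody acct_mgmt || exit 1
          # Everyone is allowed to use atd
          pamtester atd nobody acct_mgmt || exit 1
          # Everyone is allowed to use su
          # TODO: Prompts for a password
          #pamtester su nobody authenticate || exit 1
          # Unknown services (fall through to /etc/pam.d/other)
          # TODO: authenticate & chauthtok
          for operation in acct_mgmt open_session; do
            pamtester nonexistent nobody "${operation}" || exit 1
          done
      - name: Run Ansible playbook for pam
        run: ansible-playbook harden.yml --tags pam --skip-tags slackware,centos
      - name: Test post-harden
        # Negative checks: a pamtester *success* is the failure here.
        # NOTE(review): these are fail-open — any pamtester error (bad
        # arguments, missing binary, unknown service name) also reads as
        # "denied". The pre-harden step above is what proves the tool works.
        run: |
          # random users should not be able to use cron
          # enforced with pam_access
          pamtester cron nobody acct_mgmt && exit 1
          # random users should not be able to use atd
          # enforced with pam_access
          pamtester atd nobody acct_mgmt && exit 1
          # su shouldn't be allowed
          pamtester su nobody authenticate && exit 1
          # Unknown services should be denied by /etc/pam.d/other
          for operation in authenticate acct_mgmt chauthtok open_session; do
            echo "[*] Testing nonexistent service operation ${operation}"
            pamtester nonexistent nobody "${operation}" && exit 1
          done
          # The last pamtester call is expected to fail, so end the step with
          # an explicit success status.
          true

  libpamtest:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # See the pamtester job: prefer pinning to a commit SHA.
        uses: actions/checkout@v4
      - name: Install testing prerequisites
        run: |
          sudo apt-get update
          sudo apt-get install -y libcmocka-dev libpam-wrapper libpam0g-dev libpamtest0-dev
      - name: Compile test program
        # `make -C` replaces pushd/popd: every step starts in the workspace
        # anyway, so there is nothing to pop back to.
        run: make -C tests -f ../Makefile test
      # This should fail as pam_matrix is not in use yet.
      # (`-t` selects the test case and `-r` is, presumably, the PAM return
      # code tests/test expects — confirm against tests/.)
      - name: Run tests - round 1
        run: tests/test -t 1 -r 2
      - name: Prepare environment for testing
        run: ansible-playbook tests/pamtests.yml --tags setup
      - name: Run tests - round 2
        run: |
          # Show user
          id
          # Authentication should succeed against pam_matrix
          echo '[*] Test 1'
          tests/test -t 1 -r 0
          # pam_unix(login:account) should block as invalid user
          echo '[*] Test 2'
          tests/test -t 2 -r 2
          # These will fail as a regular user with "unix_chkpwd[1550490]: could not obtain user info (root)"
          #echo '[*] Test 3'
          #tests/test -t 3 -r 2
          #echo '[*] Test 4'
          #tests/test -t 4 -r 2
          #echo '[*] Test 5'
          #tests/test -t 5 -r 2
          #echo '[*] Test 6'
          #tests/test -t 6 -r 2
          # Should work as root
          echo '[*] Test 7'
          sudo tests/test -t 3 -r 0
          echo '[*] Test 8'
          sudo tests/test -t 4 -r 0
          echo '[*] Test 9'
          sudo tests/test -t 5 -r 0
          echo '[*] Test 10'
          sudo tests/test -t 6 -r 0
          # Anyone can use su
          echo '[*] Test 11'
          tests/test -t 7 -r 0
          echo '[*] Test 12'
          # Wrong password
          tests/test -t 8 -r 2
      - name: Harden PAM
        run: |
          ansible-playbook harden.yml --tags pam --skip-tags slackware
          sudo pam-auth-update --enable access
          # Re-create common-auth-matrix
          sudo rm -v /etc/pam.d/common-auth-matrix
          ansible-playbook tests/pamtests.yml --tags setup
      - name: Run tests - post-harden
        run: |
          # Login for "nobody" should be blocked by hardened configuration even with a valid password
          sudo tests/test -t 6 -r 2
          # Use of su should be denied
          tests/test -t 7 -r 2
          # Test failed login & pam_faillock: the wrong-password attempt must
          # not only fail but also be recorded in the per-user tally file.
          sudo tests/test -t 8 -r 2
          ls -l /var/run/faillock/nobody
          # An empty tally file would mean pam_faillock never ran.
          sudo test -s /var/run/faillock/nobody
          sudo faillock --user nobody
      - name: Stage auth.log for upload
        # Run even when a test step failed — the log is what explains it.
        # Copy into a runner-owned file rather than chmod'ing the system log
        # world-readable; the runner is ephemeral, but leaving /var/log
        # permissions alone costs nothing.
        # NOTE(review): if the image logs only to journald, /var/log/auth.log
        # may be absent — warn instead of failing the whole run.
        if: always()
        run: |
          if [ -f /var/log/auth.log ]; then
            sudo install -m 0644 -o "$(id -un)" /var/log/auth.log "${RUNNER_TEMP}/auth.log"
          else
            echo "::warning::/var/log/auth.log not found; nothing to archive"
          fi
      - name: Archive auth.log
        # NOTE(review): auth.log records every authentication attempt made by
        # the tests, and artifacts are readable by anyone who can read the
        # repository. Keep the test accounts to throwaway users (here `nobody`).
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: auth.log
          if-no-files-found: warn
          path: |
            ${{ runner.temp }}/auth.log
            /etc/pam.d/common-account
            /etc/pam.d/common-auth
            /etc/pam.d/common-auth-matrix
            /etc/pam.d/common-password
            /etc/pam.d/common-session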