forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request ComplianceAsCode#12654 from alanmcanonical/ubuntu_…
…enable_faillock Rewrite pam faillock related implementation and template
- Loading branch information
Showing
59 changed files
with
226 additions
and
555 deletions.
There are no files selected for viewing
1 change: 1 addition & 0 deletions
1
...t_password_attempts/account_passwords_pam_faillock_audit/tests/expected_pam_files.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
...ut_password_attempts/account_passwords_pam_faillock_audit/tests/missing_parameter.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
#!/bin/bash | ||
# packages = authselect,pam | ||
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9 | ||
|
||
source common.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
64 changes: 19 additions & 45 deletions
64
...ocking_out_password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_common.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,50 +1,24 @@ | ||
#!/bin/bash | ||
|
||
# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS | ||
# Extra comments and whitespaces were added to test for edge cases | ||
|
||
cat >/etc/pam.d/common-auth <<EOF | ||
## Leading and trailing whitespaces should be ok | ||
auth required pam_faillock.so preauth | ||
# here are the per-package modules (the "Primary" block) | ||
auth [success=2 default=ignore] pam_unix.so nullok | ||
## Several lines of comments should not | ||
## break faillock remediation logic | ||
## Nor should commented pam_unix | ||
#auth [success=2 default=ignore] pam_unix.so nullok | ||
auth [success=1 default=ignore] pam_sss.so use_first_pass | ||
## Some more user comments | ||
auth [default=die] pam_faillock.so authfail | ||
## and some more | ||
auth sufficient pam_faillock.so authsucc | ||
# here's the fallback if no module succeeds | ||
auth requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
auth required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
auth optional pam_cap.so | ||
# end of pam-auth-update config | ||
cat << EOF > /usr/share/pam-configs/faillock | ||
Name: Enable pam_faillock to deny access | ||
Default: yes | ||
Priority: 0 | ||
Auth-Type: Primary | ||
Auth: | ||
[default=die] pam_faillock.so authfail | ||
EOF | ||
|
||
|
||
cat >/etc/pam.d/common-account <<EOF | ||
# here are the per-package modules (the "Primary" block) | ||
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so | ||
# here's the fallback if no module succeeds | ||
account requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
account required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
account sufficient pam_localuser.so | ||
account [default=bad success=ok user_unknown=ignore] pam_sss.so | ||
# end of pam-auth-update config | ||
account required pam_faillock.so | ||
cat << EOF > /usr/share/pam-configs/faillock_notify | ||
Name: Notify of failed login attempts and reset count upon success | ||
Default: yes | ||
Priority: 1024 | ||
Auth-Type: Primary | ||
Auth: | ||
requisite pam_faillock.so preauth | ||
Account-Type: Primary | ||
Account: | ||
required pam_faillock.so | ||
EOF | ||
|
||
DEBIAN_FRONTEND=noninteractive pam-auth-update |
22 changes: 20 additions & 2 deletions
22
...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_correct_pamd.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,25 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
cat << EOF > /usr/share/pam-configs/faillock | ||
Name: Enable pam_faillock to deny access | ||
Default: yes | ||
Priority: 0 | ||
Auth-Type: Primary | ||
Auth: | ||
[default=die] pam_faillock.so authfail audit | ||
EOF | ||
|
||
sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth | ||
cat << EOF > /usr/share/pam-configs/faillock_notify | ||
Name: Notify of failed login attempts and reset count upon success | ||
Default: yes | ||
Priority: 1024 | ||
Auth-Type: Primary | ||
Auth: | ||
requisite pam_faillock.so preauth audit | ||
Account-Type: Primary | ||
Account: | ||
required pam_faillock.so | ||
EOF | ||
|
||
DEBIAN_FRONTEND=noninteractive pam-auth-update |
5 changes: 0 additions & 5 deletions
5
...password_attempts/accounts_passwords_pam_faillock_audit/tests/ubuntu_missing_pamd.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,4 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth | ||
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account | ||
|
||
echo "audit" > /etc/security/faillock.conf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 1 addition & 3 deletions
4
...sword_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_commented_values.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,7 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
# variables = var_accounts_passwords_pam_faillock_deny=10 | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth | ||
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account | ||
|
||
echo "#deny=1" > /etc/security/faillock.conf |
64 changes: 19 additions & 45 deletions
64
...locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_common.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,50 +1,24 @@ | ||
#!/bin/bash | ||
|
||
# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS | ||
# Extra comments and whitespaces were added to test for edge cases | ||
|
||
cat >/etc/pam.d/common-auth <<EOF | ||
## Leading and trailing whitespaces should be ok | ||
auth required pam_faillock.so preauth | ||
# here are the per-package modules (the "Primary" block) | ||
auth [success=2 default=ignore] pam_unix.so nullok | ||
## Several lines of comments should not | ||
## break faillock remediation logic | ||
## Nor should commented pam_unix | ||
#auth [success=2 default=ignore] pam_unix.so nullok | ||
auth [success=1 default=ignore] pam_sss.so use_first_pass | ||
## Some more user comments | ||
auth [default=die] pam_faillock.so authfail | ||
## and some more | ||
auth sufficient pam_faillock.so authsucc | ||
# here's the fallback if no module succeeds | ||
auth requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
auth required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
auth optional pam_cap.so | ||
# end of pam-auth-update config | ||
cat << EOF > /usr/share/pam-configs/faillock | ||
Name: Enable pam_faillock to deny access | ||
Default: yes | ||
Priority: 0 | ||
Auth-Type: Primary | ||
Auth: | ||
[default=die] pam_faillock.so authfail | ||
EOF | ||
|
||
|
||
cat >/etc/pam.d/common-account <<EOF | ||
# here are the per-package modules (the "Primary" block) | ||
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so | ||
# here's the fallback if no module succeeds | ||
account requisite pam_deny.so | ||
# prime the stack with a positive return value if there isn't one already; | ||
# this avoids us returning an error just because nothing sets a success code | ||
# since the modules above will each just jump around | ||
account required pam_permit.so | ||
# and here are more per-package modules (the "Additional" block) | ||
account sufficient pam_localuser.so | ||
account [default=bad success=ok user_unknown=ignore] pam_sss.so | ||
# end of pam-auth-update config | ||
account required pam_faillock.so | ||
cat << EOF > /usr/share/pam-configs/faillock_notify | ||
Name: Notify of failed login attempts and reset count upon success | ||
Default: yes | ||
Priority: 1024 | ||
Auth-Type: Primary | ||
Auth: | ||
requisite pam_faillock.so preauth | ||
Account-Type: Primary | ||
Account: | ||
required pam_faillock.so | ||
EOF | ||
|
||
DEBIAN_FRONTEND=noninteractive pam-auth-update |
1 change: 1 addition & 0 deletions
1
...g_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
23 changes: 21 additions & 2 deletions
23
..._password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_correct_pamd.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,26 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
# variables = var_accounts_passwords_pam_faillock_deny=10 | ||
|
||
source ubuntu_common.sh | ||
cat << EOF > /usr/share/pam-configs/faillock | ||
Name: Enable pam_faillock to deny access | ||
Default: yes | ||
Priority: 0 | ||
Auth-Type: Primary | ||
Auth: | ||
[default=die] pam_faillock.so authfail deny=1 | ||
EOF | ||
|
||
sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth | ||
cat << EOF > /usr/share/pam-configs/faillock_notify | ||
Name: Notify of failed login attempts and reset count upon success | ||
Default: yes | ||
Priority: 1024 | ||
Auth-Type: Primary | ||
Auth: | ||
requisite pam_faillock.so preauth deny=1 | ||
Account-Type: Primary | ||
Account: | ||
required pam_faillock.so | ||
EOF | ||
|
||
DEBIAN_FRONTEND=noninteractive pam-auth-update |
8 changes: 0 additions & 8 deletions
8
...rd_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_empty_faillock_conf.fail.sh
This file was deleted.
Oops, something went wrong.
6 changes: 1 addition & 5 deletions
6
..._password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_missing_pamd.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,5 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth | ||
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account | ||
# variables = var_accounts_passwords_pam_faillock_deny=10 | ||
|
||
echo "deny=1" > /etc/security/faillock.conf |
11 changes: 0 additions & 11 deletions
11
...word_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_multiple_pam_unix.fail.sh
This file was deleted.
Oops, something went wrong.
1 change: 1 addition & 0 deletions
1
...t_password_attempts/accounts_passwords_pam_faillock_deny/tests/ubuntu_wrong_value.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
...ut_password_attempts/accounts_passwords_pam_faillock_dir/tests/expected_pam_files.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
...ssword_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_authfail.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
...assword_attempts/accounts_passwords_pam_faillock_dir/tests/missing_dir_in_preauth.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
...g_out_password_attempts/accounts_passwords_pam_faillock_dir/tests/wrong_pam_files.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 1 addition & 3 deletions
4
...d_attempts/accounts_passwords_pam_faillock_interval/tests/ubuntu_commented_values.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,7 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_ubuntu | ||
# variables = var_accounts_passwords_pam_faillock_fail_interval=800 | ||
|
||
source ubuntu_common.sh | ||
|
||
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth | ||
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account | ||
|
||
echo "#fail_interval=900" > /etc/security/faillock.conf |
Oops, something went wrong.