Merge pull request ComplianceAsCode#12654 from alanmcanonical/ubuntu_…
…enable_faillock

Rewrite the pam_faillock-related implementation and template
dodys authored Dec 10, 2024
2 parents 5a8ed26 + cf728c8 commit f1d163c
Showing 59 changed files with 226 additions and 555 deletions.
@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

@@ -1,4 +1,5 @@
#!/bin/bash
# packages = authselect,pam
# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh
Expand Up @@ -57,7 +57,7 @@
<constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_auth_regex"
datatype="string" version="1"
comment="regex to identify pam_faillock.so entries in auth section of pam files">
<value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
<value>^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail</value>
</constant_variable>

<constant_variable id="var_accounts_passwords_pam_faillock_{{{ prm_name }}}_pam_faillock_account_regex"
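Review bot: The `authsucc` clause has been dropped from the auth-section regex, so a stack with preauth and authfail but no step that clears the tally on a successful login now satisfies this pattern; per pam_faillock(8) the tally is reset either by `authsucc` in the auth phase or by `pam_faillock.so` in the account phase, and the account-side check lives in the `_account_regex` variable that starts on the last line of this hunk and continues past it, so I cannot confirm from here that it closes the gap. If the intended contract is now "preauth before pam_unix, authfail after it, reset verified in the account section", I would say so in the comment attribute, e.g. `comment="regex to identify ordered preauth/authfail pam_faillock.so entries in auth section; the success reset is verified by the account regex"`. This template is shared with the RHEL/OL platforms listed elsewhere in the commit, so the relaxation applies to them as well, not only to the new Ubuntu profiles.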
Expand Up @@ -3,7 +3,4 @@

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#audit" > /etc/security/faillock.conf
@@ -1,50 +1,24 @@
#!/bin/bash

# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
# Extra comments and whitespaces were added to test for edge cases

cat >/etc/pam.d/common-auth <<EOF
## Leading and trailing whitespaces should be ok
auth required pam_faillock.so preauth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
## Several lines of comments should not
## break faillock remediation logic
## Nor should commented pam_unix
#auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
## Some more user comments
auth [default=die] pam_faillock.so authfail
## and some more
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail
EOF


cat >/etc/pam.d/common-account <<EOF
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
account required pam_faillock.so
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
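Review bot: The exit status of `pam-auth-update` on the last line is never checked and the script has no `set -e`, so if the profiles are rejected the scenario proceeds against a common-auth without pam_faillock and the test outcome no longer reflects the setup it claims; I would write `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1`. The rewrite also dropped the header comment, and the two profiles only produce a sane stack because of their `Priority` values (1024 for preauth, 0 for authfail), which, as I read pam-auth-update, place preauth ahead of the `unix` profile in the Primary block and authfail behind it — that deserves a comment at the top, e.g. `# Install two pam-configs profiles: faillock_notify (Priority 1024) puts pam_faillock preauth before pam_unix, faillock (Priority 0) puts authfail after it; pam-auth-update regenerates common-auth/common-account.` The unquoted `<< EOF` is harmless since the bodies contain no `$`, but `<< 'EOF'` would make the literal intent explicit.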
@@ -1,7 +1,25 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail audit
EOF

sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth audit
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
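Review bot: The two profile bodies are a copy of the ones written by ubuntu_common.sh with `audit` appended to the auth-phase lines, so any later change to the base profiles (control fields, priorities, the account entry) has to be repeated by hand in every scenario that carries its own copy and the copies will drift. I would let ubuntu_common.sh take the extra module options from a variable and have this scenario set `FAILLOCK_OPTS="audit"` before `source ubuntu_common.sh`, with the common heredocs appending `${FAILLOCK_OPTS}` to the preauth and authfail lines, instead of repeating the heredocs here. If `source ubuntu_common.sh` was deliberately dropped on the new side (the line counts suggest it), a one-line comment saying the profiles are written in full on purpose would stop the next reader from "fixing" it. As in the common script, the final `pam-auth-update` runs without an exit-status check.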
@@ -1,9 +1,4 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account

echo "audit" > /etc/security/faillock.conf
Expand Up @@ -8,4 +8,4 @@

source ubuntu_common.sh

echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth
sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth
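Review bot: The new `sed ... /i\` depends on the marker `# end of pam-auth-update config` being present in /etc/pam.d/common-auth; when it is absent, sed exits 0 having changed nothing, and the scenario silently runs without the extra `pam_unix.so` line it is meant to exercise. I would assert the marker first: `grep -q '^# end of pam-auth-update config' /etc/pam.d/common-auth || exit 1`. The scenario's header and the lines before `source ubuntu_common.sh` are above this hunk, so I cannot see whether an earlier step guarantees the marker here.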
@@ -1,9 +1,7 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#deny=1" > /etc/security/faillock.conf
@@ -1,50 +1,24 @@
#!/bin/bash

# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
# Extra comments and whitespaces were added to test for edge cases

cat >/etc/pam.d/common-auth <<EOF
## Leading and trailing whitespaces should be ok
auth required pam_faillock.so preauth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
## Several lines of comments should not
## break faillock remediation logic
## Nor should commented pam_unix
#auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
## Some more user comments
auth [default=die] pam_faillock.so authfail
## and some more
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail
EOF


cat >/etc/pam.d/common-account <<EOF
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
account required pam_faillock.so
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
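Review bot: This file is byte-for-byte the same as the other ubuntu_common.sh rewritten earlier in this commit, and nothing in either copy says so; if each rule's tests directory is meant to carry its own copy (which is how it looks, though I cannot see the paths), a header comment naming the sibling would keep them from drifting, e.g. `# Shared Ubuntu setup for the pam_faillock scenarios; keep in sync with the ubuntu_common.sh of the other accounts_passwords_pam_faillock_* rules.` Independently of that, `pam-auth-update` on the last line has no exit-status check, so a rejected profile leaves the scenario running against a stack without pam_faillock; `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` would surface it. Quoting the heredoc delimiters (`<< 'EOF'`) would also make clear that no expansion is intended in the profile text.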
@@ -1,5 +1,6 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh

@@ -1,7 +1,26 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh
cat << EOF > /usr/share/pam-configs/faillock
Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail deny=1
EOF

sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth
cat << EOF > /usr/share/pam-configs/faillock_notify
Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth deny=1
Account-Type: Primary
Account:
required pam_faillock.so
EOF

DEBIAN_FRONTEND=noninteractive pam-auth-update
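Review bot: `deny=1` is placed on the preauth and authfail lines but not on the `Account:` entry; that is correct as far as pam_faillock(8) goes, since the account-phase call only resets the tally, but a reader comparing the three module lines will wonder whether it was forgotten, so a one-line comment would help: `# deny= only matters on the auth-phase lines; the account entry just resets the count`. The header pins `var_accounts_passwords_pam_faillock_deny=10` while the pam.d lines carry `deny=1`; if this is a passing scenario because the check accepts any value not above the variable, say so in a comment, because the opposite reading (conflicting values, expected to fail) is just as plausible from the file alone. As in the other Ubuntu scenarios in this commit, the final `pam-auth-update` runs without an exit-status check.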

This file was deleted.

@@ -1,9 +1,5 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account
# variables = var_accounts_passwords_pam_faillock_deny=10

echo "deny=1" > /etc/security/faillock.conf

This file was deleted.

@@ -1,5 +1,6 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_deny=10

source ubuntu_common.sh

@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

@@ -1,5 +1,6 @@
#!/bin/bash
# packages = authselect,pam
# platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9

source common.sh

@@ -1,9 +1,7 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# variables = var_accounts_passwords_pam_faillock_fail_interval=800

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#fail_interval=900" > /etc/security/faillock.conf