From 24fa3082517af6361e977663261d7f851a3033da Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Tue, 4 Feb 2025 09:50:18 +0000
Subject: [PATCH] Create a new rule no_empty_passwords_unix
---
 .../no_empty_passwords_unix/bash/shared.sh | 11 ++++++
 .../no_empty_passwords_unix/oval/shared.xml | 19 ++++++++++
 .../no_empty_passwords_unix/rule.yml | 22 +++++++++++
 .../tests/no_nullok.pass.sh | 36 ++++++++++++++++++
 .../tests/nullok_commented.pass.sh | 36 ++++++++++++++++++
 .../tests/nullok_present.fail.sh | 37 +++++++++++++++++++
 6 files changed, 161 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/no_nullok.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_commented.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_present.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh
new file mode 100644
index 00000000000..9e6ec55cb64
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{{ bash_pam_unix_enable() }}}
+config_file="/usr/share/pam-configs/cac_unix"
+sed -i '/pam_unix\.so/s/nullok//g' "$config_file"
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/oval/shared.xml
new file mode 100644
index 00000000000..5d9fbae073a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/oval/shared.xml
@@ -0,0 +1,19 @@
+ + + {{{ oval_metadata("The file /etc/pam.d/common-* should not contain the nullok option") }}} + + + + + + + + ^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$ + ^[^#]*\bnullok\b.*$ + 1 + +
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/rule.yml
new file mode 100644
index 00000000000..a8a37982191
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/rule.yml
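Review bot: The remediation's `sed -i '/pam_unix\.so/s/nullok//g'` strips the bare substring `nullok`, so any longer token containing it (e.g. the legacy Debian-specific `nullok_secure`, where still accepted) would be mangled into `_secure`, an invalid option, while the OVAL check in the same commit only matches the whole word `\bnullok\b`; make the two agree with `sed -i '/pam_unix\.so/s/\bnullok\b//g' "$config_file"` (GNU sed honours `\b` in BRE), and if `nullok_secure` is meant to be covered too, extend both the check regex and the sed pattern together rather than only one of them. The script also assumes `$config_file` exists, presumably created by the `bash_pam_unix_enable()` macro expanded just above; if that macro can leave it absent, `sed -i` errors on the missing file, so `[ -f "$config_file" ] || exit 1` before the sed would make that failure explicit instead of incidental. A one-line header comment such as `# pam-auth-update regenerates /etc/pam.d/common-* from this profile, which is what the check reads` would connect the edited profile to the files the OVAL inspects.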
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'Prevent Login to Accounts With Empty Password'
+
+description: |-
+ If an account is configured for password authentication
+ but does not have an assigned password, it may be possible to log
+ into the account without authentication. Remove any instances of the
+ nullok in
+ /etc/pam.d/common-{password,auth,account,session,session-noninteractive}
+ to prevent logins with empty passwords.
+
+rationale: |-
+ If an account has an empty password, anyone could log in and
+ run commands with the privileges of that account. Accounts with
+ empty passwords should never be used in operational environments.
+
+severity: high
+
+platform: system_with_kernel
+
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/no_nullok.pass.sh
new file mode 100644
index 00000000000..7c775a69dd1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/no_nullok.pass.sh
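Review bot: `rule.yml` declares the `platform:` key twice, once as `system_with_kernel` and once as `package[pam]`; in a YAML mapping the later key replaces the earlier one (or the loader rejects the duplicate), so only one of the two applicability constraints can take effect. If the build accepts platform expressions here, fold them into a single key, `platform: system_with_kernel and package[pam]`; otherwise keep just the constraint that is intended and drop the other.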
@@ -0,0 +1,36 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Conflicts: unix
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix
+
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_commented.pass.sh
new file mode 100644
index 00000000000..f85b3bfe8b8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_commented.pass.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Conflicts: unix
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass # nullok
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so # nullok
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt # nullok
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt # nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix
+
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_present.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_present.fail.sh
new file mode 100644
index 00000000000..2a66c4d1010
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/tests/nullok_present.fail.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Conflicts: unix
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so nullok try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so nullok
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix
+
+rm "$config_file"
+
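Review bot: The fail scenario deletes the `tmp_unix` profile right after enabling it (`rm "$config_file"`), while the remediation in this commit edits `/usr/share/pam-configs/cac_unix` and then reruns `pam-auth-update`; if pam-auth-update drops profiles whose file has disappeared when it regenerates `/etc/pam.d/common-*`, the `nullok` lines vanish on that rerun regardless of the `sed` step, so this test would pass remediation even if the sed pattern were wrong. Either write `nullok` into the profile the remediation actually targets, or keep the temporary profile in place and remove it in a cleanup step, so that a remediation that fails to strip `nullok` is caught. The same setup is shared with the two `.pass.sh` scripts, and in none of the three is the exit status of `pam-auth-update --enable tmp_unix` checked, so a failed enable would let the pass scenarios succeed vacuously; `DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix || exit 1` makes that failure visible.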