#!/bin/sh
#########################################################################
#
# * DO NOT REMOVE *
#-----------------------------------------------------
# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
# PLUGIN_CATEGORY=authentication
# PLUGIN_DATE=2017-04-30
# PLUGIN_DESC=PAM
# PLUGIN_NAME=pam
# PLUGIN_PACKAGE=all
# PLUGIN_REQUIRED_TESTS=
# PLUGIN_VERSION=1.0.2
#-----------------------------------------------------
#########################################################################
#
# Variables
#
# Left empty on purpose: the reporting section at the end of this file treats
# an empty MAX_PASSWORD_RETRY as "not configured" (it uses a -z test), and
# PLGN-0008 / PLGN-0010 overwrite it whenever a retry= option is found.
MAX_PASSWORD_RETRY=''
# Location of the PAM service files. ROOTDIR is supplied by the Lynis core and
# is concatenated without a separator, as everywhere else in this file.
PAM_DIRECTORY=${ROOTDIR}etc/pam.d
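# Test : PLGN-0008
# Description : Check PAM configuration
#
# Reads the pam_pwquality defaults from ${ROOTDIR}etc/security/pwquality.conf
# and stores them in MIN_PASSWORD_LENGTH, MAX_PASSWORD_RETRY, MIN_PASSWORD_CLASS
# and CREDITS_{D,L,O,U}_PASSWORD. PLGN-0010 later overwrites these values with
# any option given on the pam_pwquality/pam_cracklib module line itself, and
# the reporting section at the end of this file emits them.
# Register, DigitsOnly, SKIPTEST and the *BINARY variables come from the Lynis core.
FILE="${ROOTDIR}etc/security/pwquality.conf"
if [ -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-0008 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PAM configuration (pwquality.conf)" --progress
if [ "${SKIPTEST}" -eq 0 ]; then
    # The file allows "option = value" with spaces or tabs around the '='.
    # Every blank character is deleted first (previously only spaces were),
    # which keeps such a line as a single "option=value" word; a tab left in
    # place would make the shell split the line into "option", "=" and "value"
    # and the value would be lost. Comment and empty lines are dropped after
    # that step, so indented comments are excluded as well. Each remaining line
    # is one word, so the word splitting of the command substitution yields
    # exactly one entry per line.
    for ENTRY in $(${TRBINARY} -d '[:blank:]' < "${FILE}" | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "^$"); do
        OPTION=$(echo "${ENTRY}" | ${AWKBINARY} -F= '{ print $1 }')
        VALUE=$(echo "${ENTRY}" | ${AWKBINARY} -F= '{ print $2 }')
        case ${OPTION} in
            minlen)
                # Minimum password length; DigitsOnly (Lynis core) validates the value
                DigitsOnly ${VALUE}
                MIN_PASSWORD_LENGTH=${VALUE}
            ;;
            retry)
                # Number of attempts allowed when changing a password
                DigitsOnly ${VALUE}
                MAX_PASSWORD_RETRY=${VALUE}
            ;;
            minclass)
                # Minimum number of character classes (upper, lower, digit, other)
                MIN_PASSWORD_CLASS=${VALUE}
            ;;
            # Credits may be negative (a required minimum of that class, see the
            # reporting section), so they are stored without the DigitsOnly check
            dcredit)
                CREDITS_D_PASSWORD=${VALUE}
            ;;
            lcredit)
                CREDITS_L_PASSWORD=${VALUE}
            ;;
            ocredit)
                CREDITS_O_PASSWORD=${VALUE}
            ;;
            ucredit)
                CREDITS_U_PASSWORD=${VALUE}
            ;;
        esac
    done
fi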
# Test : PLGN-0010
# Description : Check PAM configuration
#
# Walks every file below ${PAM_DIRECTORY}. Each non-comment line is read as
# "<type> <control-flag> <module> [module options]" and the module name
# (without .so) decides what is recorded: 2F providers, password history,
# password strength settings, brute force protection and pam_loginuid.
# The collected PAM_*, CREDITS_*, MIN_PASSWORD_* and AUTH_* variables are
# turned into LogText/Report output by the section at the end of this file.
# Register, LogText, Debug, Report, ReportWarning and DigitsOnly, as well as
# ROOTDIR, SKIPTEST, OS and TEST_NO, are provided by the Lynis core.
if [ -f ${ROOTDIR}etc/pam.conf -o -d ${PAM_DIRECTORY} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PAM configuration" --progress
if [ ${SKIPTEST} -eq 0 ]; then
    # NOTE(review): set here but never read anywhere in this file
    FOUNDPROBLEM=0
    # Check if the PAM directory structure exists
    # (a system with only ${ROOTDIR}etc/pam.conf passes the prerequisite above,
    # but nothing is parsed then, since only the directory is walked)
    if [ -d ${PAM_DIRECTORY} ]; then
        LogText "Result: ${PAM_DIRECTORY} exists"
        if [ ! "${OS}" = "FreeBSD" -a ! "${OS}" = "NetBSD" ]; then
            FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print)
        else
            # FreeBSD and NetBSD ship a README inside pam.d that is not a service definition
            if [ -f ${PAM_DIRECTORY}/README ]; then
                LogText "Skipped checking ${OS} ${PAM_DIRECTORY}/README as a PAM file"
            fi
            FIND_FILES=$(find ${PAM_DIRECTORY} -type f -print | grep -v "README")
        fi
        # NOTE(review): the unquoted expansion splits FIND_FILES on whitespace, so a
        # file name containing a blank would be handled as several names (the
        # redirection at the end of the loop is unquoted as well)
        for PAM_FILE in ${FIND_FILES}; do
            LogText "Now checking PAM file ${PAM_FILE}"
            # NOTE(review): read without -r interprets backslashes in the input, so a
            # trailing "\" continuation marker never reaches the sed below
            while read line; do
                # Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces
                # (the unquoted echo already collapses runs of blanks into single spaces;
                # as rendered here 's/ / /g' substitutes a space for a space - presumably
                # two spaces were intended; the last sed drops a trailing " # comment")
                LINE=$(echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//')
                if [ ! "${LINE}" = "" ]; then
                    # The service is named after the file (last path component)
                    PAM_SERVICE=$(echo ${PAM_FILE} | awk -F/ '{ print $NF }')
                    # "-" stands for "not set"; the module case below has an arm for it
                    PAM_CONTROL_FLAG="-"
                    PAM_CONTROL_OPTIONS="-"
                    PAM_MODULE="-"
                    PAM_MODULE_OPTIONS="-"
                    PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
                    # 1 = a regular "<type> <control> <module>" line that needs further parsing
                    PARSELINE=0
                    case ${PAM_TYPE} in
                        "@include")
                            # Included files sit in the same directory, so the outer loop visits them anyway
                            FILE=$(echo ${LINE} | awk '{ print $2 }')
                            Debug "Result: Found @include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
                        ;;
                        "account")
                            PARSELINE=1
                        ;;
                        "auth")
                            PARSELINE=1
                        ;;
                        "password")
                            PARSELINE=1
                        ;;
                        "session")
                            PARSELINE=1
                        ;;
                        *)
                            # NOTE(review): a type written with the Linux-PAM "-" prefix (e.g.
                            # "-session", meaning "do not log when the module is missing") ends
                            # up here and the whole line is skipped, so modules listed that way
                            # are never evaluated - confirm whether that is intended
                            LogText "Exception: Unknown PAM type found (${PAM_TYPE})"
                        ;;
                    esac
                    if [ ${PARSELINE} -eq 1 ]; then
                        # A control field of the form [value=action ...] contains spaces, so it
                        # is cut out first and replaced by the placeholder flag "other"
                        MULTIPLE_OPTIONS=$(echo ${LINE} | awk '$2 ~ /^\[/')
                        if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then
                            # Needs more parsing, depending on the options found
                            PAM_CONTROL_OPTIONS=$(echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//")
                            LogText "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}"
                            LINE=$(echo ${LINE} | sed "s/ \[.*\] / other /")
                        fi
                        PAM_MODULE=$(echo ${LINE} | awk '{ print $3 }')
                        # Everything after the module is its option list (empty when absent)
                        PAM_MODULE_OPTIONS=$(echo ${LINE} | cut -d ' ' -f 4-)
                        PAM_CONTROL_FLAG=$(echo ${LINE} | awk '{ print $2 }')
                        # NOTE(review): PAM_CONTROL_FLAG is unquoted here; an empty flag turns
                        # this into "[ = include ]", a test error rather than a mismatch
                        if [ ${PAM_CONTROL_FLAG} = "include" ]; then
                            # "<type> include <file>" form - the file is visited by the outer loop
                            FILE=$(echo ${LINE} | awk '{ print $3 }')
                            Debug "Result: Found include in ${PAM_FILE}. Does include PAM settings from file ${FILE} (which is individually processed)"
                            PARSELINE=0
                        fi
                    fi
                    if [ ${PARSELINE} -eq 1 ]; then
                        case ${PAM_CONTROL_FLAG} in
                            "optional"|"required"|"requisite"|"sufficient")
                                #Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}"
                                # NOTE(review): the shell no-op ":" would express this more directly
                                X=0 # do nothing
                            ;;
                            "other")
                                # Placeholder set above for a bracketed control field
                                LogText "Result: brackets used, ignoring control flags"
                            ;;
                            *)
                                LogText "Unknown control flag found (${PAM_CONTROL_FLAG})"
                            ;;
                        esac
                        if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
                            LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) with options ${PAM_MODULE_OPTIONS}"
                        else
                            # Placeholder: the option loops below therefore always run, with a
                            # single "-" entry that matches none of their options
                            PAM_MODULE_OPTIONS="-"
                            LogText "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured"
                        fi

                        # Module name without the .so suffix. NOTE(review): a module given with a
                        # directory (e.g. /lib/security/pam_unix.so) keeps that prefix and so
                        # falls through to the "unknown" arm of the case below
                        PAM_MODULE_NAME=$(echo ${PAM_MODULE} | sed 's/.so$//')
                        #
                        # Specific PAMs are commonly seen on these platforms:
                        #
                        # FreeBSD Linux macOS NetBSD
                        # (column alignment of this table was lost; each "v" marks a platform
                        # on which the module is commonly found)
                        # pam_access v
                        # pam_afpmount v
                        # pam_afslog v
                        # pam_deny v v v v
                        # pam_env v
                        # pam_chroot v v
                        # pam_echo v ? v
                        # pam_exec v ? v
                        # pam_ftpusers v
                        # pam_group v v v
                        # pam_guest v
                        # pam_krb5 v v v
                        # pam_ksu v v
                        # pam_lastlog v v
                        # pam_launchd v
                        # pam_login_access v v
                        # pam_mount v
                        # pam_nologin v v v
                        # pam_ntlm v
                        # pam_opendirectory v
                        # pam_opie v
                        # pam_opieaccess v
                        # pam_passwdqc v
                        # pam_permit v v v
                        # pam_radius v v
                        # pam_rhosts v v
                        # pam_rootok v v v
                        # pam_sacl v
                        # pam_securetty v v v
                        # pam_securityserver v
                        # pam_self v v
                        # pam_skey v
                        # pam_ssh v v
                        # pam_tacplus v
                        # pam_unix v v v
                        # pam_uwtmp v
                        # pam_wheel v
                        # pam_winbind v

                        # Known modules without special handling get an empty arm so they do not
                        # show up as "unknown" in the log
                        case ${PAM_MODULE_NAME} in
                            pam_access) ;;
                            pam_afpmount | pam_afslog) ;;
                            pam_cap) ;;
                            pam_debug | pam_deny) ;;
                            pam_echo| pam_env | pam_exec | pam_faildelay) ;;
                            pam_filter | pam_ftp | pam_ftpusers) ;;
                            # Google Authenticator / YubiKey
                            # Common to find it only enabled for SSH
                            pam_google_authenticator | pam_yubico)
                                # NOTE(review): the message names pam_google_authenticator even when the
                                # match was pam_yubico; ${PAM_MODULE_NAME} would be accurate
                                LogText "Result: found pam_google_authenticator"
                                # "required" marks the second factor as enforced (PAM_2F_AUTH_REQUIRED),
                                # "sufficient" only as enabled; both are reported with provider and service
                                if [ "${PAM_CONTROL_FLAG}" = "required" ]; then
                                    PAM_2F_AUTH_ENABLED=1
                                    PAM_2F_AUTH_REQUIRED=1
                                    Report "authentication_2f_provider[]=${PAM_MODULE_NAME}"
                                    Report "authentication_2f_service[]=${PAM_SERVICE}"
                                elif [ "${PAM_CONTROL_FLAG}" = "sufficient" ]; then
                                    PAM_2F_AUTH_ENABLED=1
                                    Report "authentication_2f_provider[]=${PAM_MODULE_NAME}"
                                    Report "authentication_2f_service[]=${PAM_SERVICE}"
                                else
                                    LogText "exception: found 2F authenticator enabled with uncommon control flag: ${PAM_CONTROL_FLAG}"
                                fi
                            ;;
                            pam_group) ;;
                            pam_guest) ;;
                            pam_issue) ;;
                            pam_keyinit | pam_krb5 | pam_ksu) ;;
                            pam_launchd) ;;
                            pam_lastlog | pam_limits) ;;
                            pam_login_access) ;;
                            # Log UID for auditd
                            pam_loginuid)
                                # Compared with AUDITD_RUNNING in the reporting section
                                PAM_LOGINUID_FOUND=1
                            ;;
                            pam_listfile | pam_localuser) ;;
                            pam_mail | pam_mkhomedir | pam_motd) ;;
                            pam_namespace | pam_nologin | pam_ntlm) ;;
                            pam_opendirectory) ;;
                            pam_permit) ;;

                            # Password history - Can be configured via pam_unix or pam_pwhistory
                            pam_pwhistory)
                                LogText "Result: found ${PAM_MODULE} module (password history)"
                                # set default for having pam_pwhistory enabled
                                PAM_PASSWORD_PWHISTORY_ENABLED=1
                                # 10 is the amount reported when no remember= option is given
                                if [ "${PAM_PASSWORD_PWHISTORY_AMOUNT}" = "" ]; then PAM_PASSWORD_PWHISTORY_AMOUNT=10; fi
                                if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
                                    for I in ${PAM_MODULE_OPTIONS}; do
                                        OPTION=$(echo ${I} | awk -F= '{ print $1 }')
                                        VALUE=$(echo ${I} | awk -F= '{ print $2 }')
                                        # NOTE(review): assigned here and in the pam_unix and pam_cracklib/pam_pwquality
                                        # arms, but never read in this file
                                        CREDITS_CONFIGURED=0
                                        case ${OPTION} in
                                            remember)
                                                LogText "Result: password history (remember) configured for pam_pwhistory"
                                                DigitsOnly ${VALUE}
                                                PAM_PASSWORD_PWHISTORY_AMOUNT=${VALUE}
                                                Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
                                            ;;
                                        esac
                                    done
                                fi
                            ;;
                            pam_radius) ;;
                            pam_rhosts) ;;
                            pam_rootok) ;;
                            pam_sacl) ;;
                            pam_securetty) ;;
                            pam_securityserver) ;;
                            pam_self) ;;
                            pam_shells) ;;
                            pam_skey) ;;
                            pam_ssh)
                                LogText "Result: found ${PAM_MODULE} module (SSH authentication/session management)"
                                ReportWarning ${TEST_NO} "Potential security risks using of pam_ssh(8) module."
                            ;;
                            pam_stress | pam_succeed_if | pam_systemd) ;;
                            pam_time | pam_timestamp) ;;
                            pam_umask) ;;

                            # Password history - Can be configured via pam_unix or pam_pwhistory
                            pam_unix)
                                LogText "Result: found ${PAM_MODULE} module (generic)"
                                # Only the remember= (password history) option of pam_unix is evaluated
                                if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
                                    for I in ${PAM_MODULE_OPTIONS}; do
                                        OPTION=$(echo ${I} | awk -F= '{ print $1 }')
                                        VALUE=$(echo ${I} | awk -F= '{ print $2 }')
                                        CREDITS_CONFIGURED=0
                                        case ${OPTION} in
                                            remember)
                                                LogText "Result: password history configured for pam_unix"
                                                DigitsOnly ${VALUE}
                                                PAM_PASSWORD_UXHISTORY_AMOUNT=${VALUE}
                                                PAM_PASSWORD_UXHISTORY_ENABLED=1
                                                Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
                                            ;;
                                        esac
                                    done
                                fi
                            ;;
                            pam_unix_acct| pam_unix_auth | pam_unix_passwd | pam_unix_session | pam_unix2) ;;
                            pam_uwtmp) ;;
                            pam_vbox) ;;
                            pam_warn | pam_wheel) ;;
                            pam_winbind) ;;
                            pam_xauth) ;;

                            # Password strength testing
                            pam_cracklib | pam_pwquality)
                                LogText "Result: found module ${PAM_MODULE} for password strength testing"

                                # Set default values
                                # (only for values PLGN-0008 did not already read from pwquality.conf)
                                if [ "${CREDITS_D_PASSWORD}" = "" ]; then CREDITS_D_PASSWORD=1; fi
                                if [ "${CREDITS_L_PASSWORD}" = "" ]; then CREDITS_L_PASSWORD=1; fi
                                if [ "${CREDITS_O_PASSWORD}" = "" ]; then CREDITS_O_PASSWORD=1; fi
                                if [ "${CREDITS_U_PASSWORD}" = "" ]; then CREDITS_U_PASSWORD=1; fi
                                if [ "${MIN_PASSWORD_CLASS}" = "" ]; then MIN_PASSWORD_CLASS=0; fi
                                if [ "${MIN_PASSWORD_LENGTH}" = "" ]; then MIN_PASSWORD_LENGTH=6; fi

                                PAM_PASSWORD_STRENGTH_TESTED=1
                                # Options on the module line overwrite the values read from pwquality.conf
                                if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
                                    Debug "Module options configured"
                                    for I in ${PAM_MODULE_OPTIONS}; do
                                        OPTION=$(echo ${I} | awk -F= '{ print $1 }')
                                        Debug ${OPTION}
                                        VALUE=$(echo ${I} | awk -F= '{ print $2 }')
                                        CREDITS_CONFIGURED=0
                                        case ${OPTION} in
                                            minlen)
                                                # Minimum length (remove 1 if credits are configured, at later stage in function)
                                                LogText "Result: minlen configured"
                                                DigitsOnly ${VALUE}
                                                MIN_PASSWORD_LENGTH=${VALUE}
                                            ;;
                                            retry)
                                                # Maximum password retry
                                                LogText "Result: Max password Retry configured"
                                                DigitsOnly ${VALUE}
                                                MAX_PASSWORD_RETRY=${VALUE}
                                            ;;
                                            minclass)
                                                # Minimum number of class required out of upper, lower, digit and others
                                                LogText "Result: Min number of password class is configured"
                                                MIN_PASSWORD_CLASS=${VALUE}
                                            ;;
                                            # Credits may be negative (see the reporting section), hence no DigitsOnly
                                            dcredit)
                                                CREDITS_D_PASSWORD=${VALUE}
                                            ;;
                                            lcredit)
                                                CREDITS_L_PASSWORD=${VALUE}
                                            ;;
                                            ocredit)
                                                CREDITS_O_PASSWORD=${VALUE}
                                            ;;
                                            ucredit)
                                                CREDITS_U_PASSWORD=${VALUE}
                                            ;;
                                            *)
                                                LogText "Result: unknown option found: ${OPTION} with value ${VALUE}"
                                            ;;
                                        esac
                                    done
                                fi
                            ;;

                            # Lockout after failed logins. NOTE(review): pam_faillock, the newer
                            # Linux-PAM lockout module, has no arm here and is logged as unknown,
                            # so brute force protection configured with it is not detected
                            pam_tally | pam_tally2)
                                # Only a "required" lockout module counts as brute force protection
                                if [ "${PAM_CONTROL_FLAG}" = "required" ]; then
                                    LogText "Result: found a required module for countering brute force cracking attempts"
                                    Report "pam_auth_brute_force_protection_module[]=${PAM_MODULE_NAME}"
                                    PAM_AUTH_BRUTE_FORCE_PROTECTION=1
                                fi
                                if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then
                                    for I in ${PAM_MODULE_OPTIONS}; do
                                        OPTION=$(echo ${I} | awk -F= '{ print $1 }')
                                        VALUE=$(echo ${I} | awk -F= '{ print $2 }')
                                        case ${OPTION} in
                                            deny)
                                                # NOTE(review): collected but not reported anywhere in this file
                                                AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}"
                                            ;;
                                            unlock_time)
                                                # Reported as authentication_unlock_time at the end of this file
                                                AUTH_UNLOCK_TIME="${VALUE}"
                                            ;;
                                        esac
                                    done
                                fi
                            ;;
                            "-")
                                # NOTE(review): PAM_MODULE is always overwritten from the line before this
                                # point, so this arm is only reached when the module field is literally "-"
                                LogText "NOTE: this module is not parsed, as it uses an unknown control flag or type"
                            ;;
                            *)
                                LogText "Result: found pluggable authentication module ${PAM_MODULE}, which is unknown"
                            ;;
                        esac
                    fi
                    #Debug "Service: ${PAM_SERVICE}"
                    #Debug "Type: ${PAM_TYPE}"
                    #Debug "Control: ${PAM_CONTROL_FLAG}"
                    #Debug "Control options: ${PAM_CONTROL_OPTIONS}"
                    #Debug "Module: ${PAM_MODULE_NAME}"
                    #Debug "Module options: ${PAM_MODULE_OPTIONS}"
                fi
            done < ${PAM_FILE}
            #ParsePAMLine ${J}
            #StoreSetting "pam" "
        done
    fi
fi
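#
#################################################################################
#
# Reporting section: turns the values collected by PLGN-0008 and PLGN-0010
# into LogText lines and Report key=value pairs. Flags that PLGN-0010 never
# set are treated as 0 (not found). The -1 sentinels compared against below
# are expected to be initialised by the Lynis core rather than in this file.
#
# /etc/security/opasswd should exist when:
# password history is enabled via pam_unix
# pam_cracklib or pam_pwquality is used
# In that case, the file should be owned by root, with 440/640/660 permissions
# (that ownership and permission check is not implemented in this plugin)

LogText "[PAM] PAM 2F authentication enabled: ${PAM_2F_AUTH_ENABLED}"
Report "authentication_two_factor_enabled=${PAM_2F_AUTH_ENABLED}"
LogText "[PAM] PAM 2F authentication required: ${PAM_2F_AUTH_REQUIRED}"
Report "authentication_two_factor_required=${PAM_2F_AUTH_REQUIRED}"

# Unlock time comes from the unlock_time option of pam_tally/pam_tally2
if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then
    LogText "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}"
    Report "authentication_unlock_time=${AUTH_UNLOCK_TIME}"
else
    LogText "[PAM] Authentication unlock time: not configured"
fi

LogText "[PAM] Password brute force protection: ${PAM_AUTH_BRUTE_FORCE_PROTECTION}"
# Quoted with a 0 default: an unset flag would otherwise expand to "[ -eq 1 ]", a test error
if [ "${PAM_AUTH_BRUTE_FORCE_PROTECTION:-0}" -eq 1 ]; then
    Report "authentication_brute_force_protection=1"
fi

if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then
    LogText "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}"
    Report "minimum_password_length=${MIN_PASSWORD_LENGTH}"
else
    LogText "[PAM] Minimum password length: not configured"
fi

LogText "[PAM] Password strength testing enabled: ${PAM_PASSWORD_STRENGTH_TESTED}"
if [ "${PAM_PASSWORD_STRENGTH_TESTED:-0}" -eq 1 ]; then
    Report "password_strength_tested=1"
    # PLGN-0010 gives every CREDITS_*_PASSWORD value a default before it sets
    # PAM_PASSWORD_STRENGTH_TESTED, so they can be compared as integers here.
    # minclass is reported only when every credit is at least 1; otherwise it is
    # flagged as ignored. Separate tests joined with && replace the original
    # single test with the ambiguous -a operator.
    if [ "${CREDITS_D_PASSWORD}" -ge 1 ] && [ "${CREDITS_L_PASSWORD}" -ge 1 ] && [ "${CREDITS_O_PASSWORD}" -ge 1 ] && [ "${CREDITS_U_PASSWORD}" -ge 1 ]; then
        # Show how many password class are required out of 4
        LogText "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}"
        Report "min_password_class=${MIN_PASSWORD_CLASS}"
    else
        LogText "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced"
        Report "min_password_class=ignored"
    fi

    # For each character class: a negative credit is the minimum number of such
    # characters required, a non-negative credit is the maximum credit granted
    # towards the minimum length. The sign is stripped with a parameter
    # expansion (no echo | cut pipeline) so the minimum is reported as a
    # positive number.

    # Digits
    if [ "${CREDITS_D_PASSWORD}" -lt 0 ]; then
        CREDITS_D_PASSWORD=${CREDITS_D_PASSWORD#-}
        LogText "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}"
        Report "password_min_digital_required=${CREDITS_D_PASSWORD}"
    elif [ "${CREDITS_D_PASSWORD}" -ge 0 ]; then
        LogText "[PAM] Maximum credit for Digital characters: ${CREDITS_D_PASSWORD}"
        Report "password_max_digital_credit=${CREDITS_D_PASSWORD}"
    fi

    # Lowercase
    if [ "${CREDITS_L_PASSWORD}" -lt 0 ]; then
        CREDITS_L_PASSWORD=${CREDITS_L_PASSWORD#-}
        LogText "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}"
        Report "password_min_l_required=${CREDITS_L_PASSWORD}"
    elif [ "${CREDITS_L_PASSWORD}" -ge 0 ]; then
        LogText "[PAM] Maximum credit for Lowercase characters: ${CREDITS_L_PASSWORD}"
        Report "password_max_l_credit=${CREDITS_L_PASSWORD}"
    fi

    # Other characters
    if [ "${CREDITS_O_PASSWORD}" -lt 0 ]; then
        CREDITS_O_PASSWORD=${CREDITS_O_PASSWORD#-}
        LogText "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}"
        Report "password_min_other_required=${CREDITS_O_PASSWORD}"
    elif [ "${CREDITS_O_PASSWORD}" -ge 0 ]; then
        LogText "[PAM] Maximum credit for Other characters: ${CREDITS_O_PASSWORD}"
        Report "password_max_other_credit=${CREDITS_O_PASSWORD}"
    fi

    # Uppercase
    if [ "${CREDITS_U_PASSWORD}" -lt 0 ]; then
        CREDITS_U_PASSWORD=${CREDITS_U_PASSWORD#-}
        LogText "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}"
        Report "password_min_u_required=${CREDITS_U_PASSWORD}"
    elif [ "${CREDITS_U_PASSWORD}" -ge 0 ]; then
        LogText "[PAM] Maximum credit for Uppercase characters: ${CREDITS_U_PASSWORD}"
        Report "password_max_u_credit=${CREDITS_U_PASSWORD}"
    fi
fi

# Show how many retries are allowed to change password
# (MAX_PASSWORD_RETRY starts empty, so a non-empty value means it was configured)
if [ -n "${MAX_PASSWORD_RETRY}" ]; then
    LogText "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}"
    Report "max_password_retry=${MAX_PASSWORD_RETRY}"
else
    LogText "[PAM] Password maximum retry: Not configured"
fi

# If auditd is running, but pam_loginuid not, events might not be properly logged
# (PAM_LOGINUID_FOUND is only ever set to 1 by PLGN-0010, so unset means not found)
if [ "${AUDITD_RUNNING:-0}" -eq 1 ]; then
    if [ "${PAM_LOGINUID_FOUND:-0}" -eq 0 ]; then
        Report "pam_issue[]=pam_loginuid is missing"
    fi
fi

# Password history: pam_pwhistory and pam_unix are reported separately, both
# under the same password_history_amount key
if [ "${PAM_PASSWORD_PWHISTORY_ENABLED:-0}" -eq 1 ]; then
    LogText "[PAM] Password history with pam_pwhistory enabled: ${PAM_PASSWORD_PWHISTORY_ENABLED}"
    LogText "[PAM] Password history with pam_pwhistory amount: ${PAM_PASSWORD_PWHISTORY_AMOUNT}"
    Report "password_history_amount=${PAM_PASSWORD_PWHISTORY_AMOUNT}"
else
    LogText "[PAM] Password history with pam_pwhistory IS NOT enabled"
fi

if [ "${PAM_PASSWORD_UXHISTORY_ENABLED:-0}" -eq 1 ]; then
    LogText "[PAM] Password history with pam_unix enabled: ${PAM_PASSWORD_UXHISTORY_ENABLED}"
    LogText "[PAM] Password history with pam_unix amount: ${PAM_PASSWORD_UXHISTORY_AMOUNT}"
    Report "password_history_amount=${PAM_PASSWORD_UXHISTORY_AMOUNT}"
else
    LogText "[PAM] Password history with pam_unix IS NOT enabled"
fi

#EOF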