Merge pull request #874 from topimiettinen/check-password-hashing-methods

Check password hashing methods

db/tests.db

@@ -22,6 +22,7 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
 AUTH-9222:test:security:authentication::Check for non unique groups:
 AUTH-9226:test:security:authentication::Check non unique group names:
 AUTH-9228:test:security:authentication::Check password file consistency with pwck:
+AUTH-9229:test:security:authentication::Check password hashing methods:
 AUTH-9234:test:security:authentication::Query user accounts:
 AUTH-9240:test:security:authentication::Query NIS+ authentication support:
 AUTH-9242:test:security:authentication::Query NIS authentication support:

include/binaries

@@ -310,6 +310,7 @@
 
         # Test if the basic system tools are defined. These will be used during the audit.
         [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
+        [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
         [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
         [ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
         [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"

include/tests_authentication

@@ -325,6 +325,67 @@
     fi
 #
 #################################################################################
+#
+    # Test        : AUTH-9229
+    # Description : Check password hashing methods vs. recommendations in crypt(5)
+    # Notes       : Applicable to all Unix-like OS
+    Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking password hashing methods"
+	if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi
+	FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
+	    case ${METHOD} in
+		1:\* | 1:x | 0: | *:!*)
+		    # disabled | shadowed | no password | locked account
+		    ;;
+		*:\$5\$*| *:\$6\$*)
+		    # sha256crypt | sha512crypt: check number of rounds, should be >5000
+		    ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+		    if [ -z "${ROUNDS}" ]; then
+		        echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+		    elif [ "${ROUNDS}" -le 5000 ]; then
+		        echo 'sha256crypt/sha512crypt(<=5000rounds)'
+		    fi
+		    ;;
+		*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+		    # yescrypt | gost-yescrypt | bcrypt | scrypt
+		    ;;
+		*:_*)
+		    echo bsdicrypt
+		    ;;
+		*:\$1\$*)
+		    echo md5crypt
+		    ;;
+		*:\$3\$*)
+		    echo NT
+		    ;;
+		*:\$md5*)
+		    echo SunMD5
+		    ;;
+		*:\$sha1*)
+		    echo sha1crypt
+		    ;;
+		13:* | 178:*)
+		    echo bigcrypt/descrypt
+		    ;;
+                *)
+                    echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
+                    ;;
+	    esac
+	done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ')
+        if [ -z "${FIND}" ]; then
+            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
+            LogText "Result: no poor password hashing methods found"
+            AddHP 2 2
+        else
+            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
+            LogText "Result: poor password hashing methods found: ${FIND}"
+            ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values"
+            AddHP 0 2
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : AUTH-9234
     # Description : Query user accounts