diff --git a/db/tests.db b/db/tests.db index 76884a45..6c7168fe 100644 --- a/db/tests.db +++ b/db/tests.db @@ -22,6 +22,7 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells: AUTH-9222:test:security:authentication::Check for non unique groups: AUTH-9226:test:security:authentication::Check non unique group names: AUTH-9228:test:security:authentication::Check password file consistency with pwck: +AUTH-9229:test:security:authentication::Check password hashing methods: AUTH-9234:test:security:authentication::Query user accounts: AUTH-9240:test:security:authentication::Query NIS+ authentication support: AUTH-9242:test:security:authentication::Query NIS authentication support: diff --git a/include/binaries b/include/binaries index 89e2fddd..af5882a5 100644 --- a/include/binaries +++ b/include/binaries @@ -310,6 +310,7 @@ # Test if the basic system tools are defined. These will be used during the audit. [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found" + [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found" [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found" [ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found" [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found" diff --git a/include/tests_authentication b/include/tests_authentication index d3f9d3aa..0cc831ad 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -325,6 +325,67 @@ fi # ################################################################################# +# + # Test : AUTH-9229 + # Description : Check password hashing methods vs. recommendations in crypt(5) + # Notes : Applicable to all Unix-like OS + Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking password hashing methods" + if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi + FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do + case ${METHOD} in + 1:\* | 1:x | 0: | *:!*) + # disabled | shadowed | no password | locked account + ;; + *:\$5\$*| *:\$6\$*) + # sha256crypt | sha512crypt: check number of rounds, should be >5000 + ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') + if [ -z "${ROUNDS}" ]; then + echo 'sha256crypt/sha512crypt(default<=5000rounds)' + elif [ "${ROUNDS}" -le 5000 ]; then + echo 'sha256crypt/sha512crypt(<=5000rounds)' + fi + ;; + *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) + # yescrypt | gost-yescrypt | bcrypt | scrypt + ;; + *:_*) + echo bsdicrypt + ;; + *:\$1\$*) + echo md5crypt + ;; + *:\$3\$*) + echo NT + ;; + *:\$md5*) + echo SunMD5 + ;; + *:\$sha1*) + echo sha1crypt + ;; + 13:* | 178:*) + echo bigcrypt/descrypt + ;; + *) + echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" + ;; + esac + done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') + if [ -z "${FIND}" ]; then + Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN + LogText "Result: no poor password hashing methods found" + AddHP 2 2 + else + Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW + LogText "Result: poor password hashing methods found: ${FIND}" + ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values" + AddHP 0 2 + fi + fi +# +################################################################################# # # Test : AUTH-9234 # Description : Query user accounts