[AUTH-9229] make test only available for root

2020-03-23 13:19:10 +01:00 · 2020-03-23 13:19:10 +01:00 · 17bbaa8f7a
parent 4e35b91ab2
commit 17bbaa8f7a
1 changed files with 41 additions and 39 deletions
--- a/include/tests_authentication
+++ b/include/tests_authentication
@ -329,50 +329,52 @@
    # Test        : AUTH-9229
    # Description : Check password hashing methods vs. recommendations in crypt(5)
    # Notes       : Applicable to all Unix-like OS
-    Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods"
+    #               Requires read access to /etc/shadow (if it exists)
+    Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking password hashing methods"
-	if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi
-	FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
-	    case ${METHOD} in
-		1:\* | 1:x | 0: | *:!*)
-		    # disabled | shadowed | no password | locked account
-		    ;;
-		*:\$5\$*| *:\$6\$*)
-		    # sha256crypt | sha512crypt: check number of rounds, should be >5000
-		    ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
-		    if [ -z "${ROUNDS}" ]; then
-		        echo 'sha256crypt/sha512crypt(default<=5000rounds)'
-		    elif [ "${ROUNDS}" -le 5000 ]; then
-		        echo 'sha256crypt/sha512crypt(<=5000rounds)'
-		    fi
-		    ;;
-		*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
-		    # yescrypt | gost-yescrypt | bcrypt | scrypt
-		    ;;
-		*:_*)
-		    echo bsdicrypt
-		    ;;
-		*:\$1\$*)
-		    echo md5crypt
-		    ;;
-		*:\$3\$*)
-		    echo NT
-		    ;;
-		*:\$md5*)
-		    echo SunMD5
-		    ;;
-		*:\$sha1*)
-		    echo sha1crypt
-		    ;;
-		13:* | 178:*)
-		    echo bigcrypt/descrypt
-		    ;;
+        SHADOW="";
+        if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
+        FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
+            case ${METHOD} in
+                1:\* | 1:x | 0: | *:!*)
+                    # disabled | shadowed | no password | locked account
+                    ;;
+                *:\$5\$*| *:\$6\$*)
+                    # sha256crypt | sha512crypt: check number of rounds, should be >5000
+                    ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+                    if [ -z "${ROUNDS}" ]; then
+                        echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+                    elif [ "${ROUNDS}" -le 5000 ]; then
+                        echo 'sha256crypt/sha512crypt(<=5000rounds)'
+                    fi
+                    ;;
+                *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+                    # yescrypt | gost-yescrypt | bcrypt | scrypt
+                    ;;
+                *:_*)
+                    echo bsdicrypt
+                    ;;
+                *:\$1\$*)
+                    echo md5crypt
+                    ;;
+                *:\$3\$*)
+                    echo NT
+                    ;;
+                *:\$md5*)
+                    echo SunMD5
+                    ;;
+                *:\$sha1*)
+                    echo sha1crypt
+                    ;;
+                13:* | 178:*)
+                    echo bigcrypt/descrypt
+                    ;;
                *)
                    echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
                    ;;
-	    esac
-	done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ')
+            esac
+        done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ')
        if [ -z "${FIND}" ]; then
            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
            LogText "Result: no poor password hashing methods found"