[AUTH-9229] make test only available for root

This commit is contained in:
Michael Boelen 2020-03-23 13:19:10 +01:00
parent 4e35b91ab2
commit 17bbaa8f7a
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 41 additions and 39 deletions


@ -329,50 +329,52 @@
# Test : AUTH-9229 # Test : AUTH-9229
# Description : Check password hashing methods vs. recommendations in crypt(5) # Description : Check password hashing methods vs. recommendations in crypt(5)
# Notes : Applicable to all Unix-like OS # Notes : Applicable to all Unix-like OS
Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods" # Requires read access to /etc/shadow (if it exists)
Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking password hashing methods" LogText "Test: Checking password hashing methods"
if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi SHADOW="";
FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
case ${METHOD} in FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
1:\* | 1:x | 0: | *:!*) case ${METHOD} in
# disabled | shadowed | no password | locked account 1:\* | 1:x | 0: | *:!*)
;; # disabled | shadowed | no password | locked account
*:\$5\$*| *:\$6\$*) ;;
# sha256crypt | sha512crypt: check number of rounds, should be >5000 *:\$5\$*| *:\$6\$*)
ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') # sha256crypt | sha512crypt: check number of rounds, should be >5000
if [ -z "${ROUNDS}" ]; then ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
echo 'sha256crypt/sha512crypt(default<=5000rounds)' if [ -z "${ROUNDS}" ]; then
elif [ "${ROUNDS}" -le 5000 ]; then echo 'sha256crypt/sha512crypt(default<=5000rounds)'
echo 'sha256crypt/sha512crypt(<=5000rounds)' elif [ "${ROUNDS}" -le 5000 ]; then
fi echo 'sha256crypt/sha512crypt(<=5000rounds)'
;; fi
*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) ;;
# yescrypt | gost-yescrypt | bcrypt | scrypt *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
;; # yescrypt | gost-yescrypt | bcrypt | scrypt
*:_*) ;;
echo bsdicrypt *:_*)
;; echo bsdicrypt
*:\$1\$*) ;;
echo md5crypt *:\$1\$*)
;; echo md5crypt
*:\$3\$*) ;;
echo NT *:\$3\$*)
;; echo NT
*:\$md5*) ;;
echo SunMD5 *:\$md5*)
;; echo SunMD5
*:\$sha1*) ;;
echo sha1crypt *:\$sha1*)
;; echo sha1crypt
13:* | 178:*) ;;
echo bigcrypt/descrypt 13:* | 178:*)
;; echo bigcrypt/descrypt
;;
*) *)
echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
;; ;;
esac esac
done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ')
if [ -z "${FIND}" ]; then if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
LogText "Result: no poor password hashing methods found" LogText "Result: no poor password hashing methods found"
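Review bot: The fallback arm `*)` on the new side still echoes the complete `${METHOD}` value, which is the length plus the raw hash field read from /etc/shadow, so an unrecognised scheme copies salt-and-hash material into `FIND`, which is presumably displayed and written to the log by the code that follows the hunk; now that the test is `--root-only YES` this is exactly the data only root was supposed to see. Reporting only the scheme identifier is enough to triage an unknown method, e.g. `HASHID=$(printf '%s' "${METHOD#*:}" | ${AWKBINARY} -F '$' '{print $2}')` followed by `echo "Unknown password hashing method (id: ${HASHID}). Please report to lynis-dev@cisofy.com"`. While touching the loop, `while read METHOD` should become `while IFS= read -r METHOD` so backslashes and surrounding whitespace in the field are not altered before the `case` match. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block and the `if [ -z "${FIND}" ]` branch both continue past the end of the hunk.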