From 109d01a4785feff17dd654c41ef96080edbf9a34 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Wed, 21 Jul 2021 14:27:18 +0200
Subject: [PATCH 1/3] Check Configuration of password remember and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46

Signed-off-by: Maik Stuebner
---
 controls/os_spec.rb | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index ec2bbf9..2c884d2 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -282,3 +282,25 @@
     end
   end
 end
+
+control 'os-14' do
+  impact 1.0
+  title 'Check pam config - RedHat specific'
+  desc 'Check config of files in /etc/pam.d.'
+
+  pam_files = ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']
+
+  pam_files.each do |pam_file|
+    describe file(pam_file) do
+      it { should exist }
+      it { should be_owned_by 'root' }
+      its('group') { should eq 'root' }
+      its(:content) { should match /^password requisite pam_pwhistory.so remember=60 use_authtok$/ }
+      its(:content) { should match /^password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=$/ }
+      its(:content) { should match /^auth required pam_faillock.so preauth silent audit even_deny_root deny=5 unlock_time=15$/ }
+      its(:content) { should match /^auth required pam_faillock.so authfail audit even_deny_root deny=5 unlock_time=15$/ }
+      its(:content) { should match /^account required pam_faillock.so$/ }
+    end
+  end
+  only_if { os.redhat? }
+end
From 330b86cfb10eda73963ec7f2e6c1a9604aff6ca2 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Thu, 22 Jul 2021 09:36:37 +0200
Subject: [PATCH 2/3] set default for password remember back to 5

Signed-off-by: Maik Stuebner
---
 controls/os_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index 2c884d2..72a19ae 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
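Review bot: The two pam_faillock expectations in the new control pin `unlock_time=15`, and pam_faillock expresses unlock_time in seconds, so the check mandates only a 15-second lockout after five failed attempts; if the referenced requirement means 15 minutes the value should be `unlock_time=900`, and the intended unit is worth stating in `desc` either way. Because every expectation pins one exact value and one fixed option order, a host configured more strictly (for example `remember=24` or `deny=3`) or with the same options in a different order is reported as failing, which is probably not what a baseline check wants; expressing the numeric settings as minimums (capture the number with a named group and compare it in a separate `describe`) would avoid that, and the same applies to the rewritten lines in the second and third patches of this series. The description `'Check config of files in /etc/pam.d.'` does not say what is enforced; a sentence naming the password-history, password-quality and lockout expectations would help whoever reads the report.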
@@ -295,7 +295,7 @@
       it { should exist }
       it { should be_owned_by 'root' }
       its('group') { should eq 'root' }
-      its(:content) { should match /^password requisite pam_pwhistory.so remember=60 use_authtok$/ }
+      its(:content) { should match /^password requisite pam_pwhistory.so remember=5 use_authtok$/ }
       its(:content) { should match /^password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=$/ }
       its(:content) { should match /^auth required pam_faillock.so preauth silent audit even_deny_root deny=5 unlock_time=15$/ }
       its(:content) { should match /^auth required pam_faillock.so authfail audit even_deny_root deny=5 unlock_time=15$/ }
From 5514245170040d70989a90becb9bbfe1b30f90f0 Mon Sep 17 00:00:00 2001
From: Maik Stuebner
Date: Mon, 26 Jul 2021 06:37:33 +0200
Subject: [PATCH 3/3] fix typo of pam checks

Signed-off-by: Maik Stuebner
---
 controls/os_spec.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index 72a19ae..2e2e9a0 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
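Review bot: The value the commit message calls a default is a literal inside the regex on the `+` line, so a profile run cannot override it; if this profile uses InSpec inputs elsewhere, hoisting it makes the default real: `remember_min = input('pam_pwhistory_remember', value: 5)` before the `pam_files.each` loop and `its(:content) { should match(/^password\s+requisite\s+pam_pwhistory\.so\s+remember=#{remember_min} use_authtok$/) }` here. The commit message should then say why 5 rather than 60 was chosen, since the first patch cites a requirement that apparently asked for 60. The enclosing `describe`, `each` and `control 'os-14'` blocks begin and end outside this hunk.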
@@ -295,11 +295,11 @@
       it { should exist }
       it { should be_owned_by 'root' }
       its('group') { should eq 'root' }
-      its(:content) { should match /^password requisite pam_pwhistory.so remember=5 use_authtok$/ }
-      its(:content) { should match /^password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=$/ }
-      its(:content) { should match /^auth required pam_faillock.so preauth silent audit even_deny_root deny=5 unlock_time=15$/ }
-      its(:content) { should match /^auth required pam_faillock.so authfail audit even_deny_root deny=5 unlock_time=15$/ }
-      its(:content) { should match /^account required pam_faillock.so$/ }
+      its(:content) { should match(/^password\s*requisite\s*pam_pwhistory.so remember=5 use_authtok$/) }
+      its(:content) { should match(/^password\s*requisite\s*pam_pwquality.so try_first_pass retry=3 authtok_type=$/) }
+      its(:content) { should match(/^auth\s*required\s*pam_faillock.so preauth silent audit even_deny_root deny=5 unlock_time=15$/) }
+      its(:content) { should match(/^auth\s*required\s*pam_faillock.so authfail audit even_deny_root deny=5 unlock_time=15$/) }
+      its(:content) { should match(/^account\s*required\s*pam_faillock.so$/) }
     end
   end
   only_if { os.redhat? }
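Review bot: `\s*` on all five rewritten lines also matches zero characters, so a line reading `passwordrequisitepam_pwhistory.so remember=5 use_authtok` satisfies the first expectation; the column separators should be `\s+`, e.g. `its(:content) { should match(/^password\s+requisite\s+pam_pwhistory\.so\s+remember=5 use_authtok$/) }`. Escaping the dot in `.so` keeps the pattern from matching a module name that differs by one character, and the separator before the first module option is still a single literal space while the columns before it now accept tabs, which is inconsistent with the commit's intent of tolerating the distribution's whitespace. The `describe`/`each` blocks and `control 'os-14'` begin before this hunk.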