
authorTopi Miettinen <toiwoton@gmail.com>2020-03-21 13:50:38 +0300
committerTopi Miettinen <toiwoton@gmail.com>2020-03-21 13:50:38 +0300
commit4a51ad031b371dd60ed79f125fa68b787d31a840 (patch)
tree6d6398dff8a012619f8a8d33dd4209f2be23d525
parent6356b3adb180d05f71514ea91455d513586ae71e (diff)
Check password hashing methods
Manual page crypt(5) gives recommendations for choosing password hashing methods, so let's check whether the system contains passwords hashed with weak methods.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
-rw-r--r--db/tests.db1
-rw-r--r--include/binaries1
-rw-r--r--include/tests_authentication61
3 files changed, 63 insertions, 0 deletions
diff --git a/db/tests.db b/db/tests.db
index d051c77d..fce9a691 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -22,6 +22,7 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
AUTH-9222:test:security:authentication::Check for non unique groups:
AUTH-9226:test:security:authentication::Check non unique group names:
AUTH-9228:test:security:authentication::Check password file consistency with pwck:
+AUTH-9229:test:security:authentication::Check password hashing methods:
AUTH-9234:test:security:authentication::Query user accounts:
AUTH-9240:test:security:authentication::Query NIS+ authentication support:
AUTH-9242:test:security:authentication::Query NIS authentication support:
diff --git a/include/binaries b/include/binaries
index 89e2fddd..af5882a5 100644
--- a/include/binaries
+++ b/include/binaries
@@ -310,6 +310,7 @@
# Test if the basic system tools are defined. These will be used during the audit.
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
+ [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
[ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
diff --git a/include/tests_authentication b/include/tests_authentication
index 02a3bb74..9d992d49 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -326,6 +326,67 @@
#
#################################################################################
#
+ # Test : AUTH-9229
+ # Description : Check password hashing methods vs. recommendations in crypt(5)
+ # Notes : Applicable to all Unix-like OS
+ Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking password hashing methods"
+ if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi
+ FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
+ case ${METHOD} in
+ 1:\* | 1:x | 0: | *:!*)
+ # disabled | shadowed | no password | locked account
+ ;;
+ *:\$5\$*| *:\$6\$*)
+ # sha256crypt | sha512crypt: check number of rounds, should be >5000
+ ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+ if [ -z "${ROUNDS}" ]; then
+ echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+ elif [ "${ROUNDS}" -le 5000 ]; then
+ echo 'sha256crypt/sha512crypt(<=5000rounds)'
+ fi
+ ;;
+ *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+ # yescrypt | gost-yescrypt | bcrypt | scrypt
+ ;;
+ *:_*)
+ echo bsdicrypt
+ ;;
+ *:\$1\$*)
+ echo md5crypt
+ ;;
+ *:\$3\$*)
+ echo NT
+ ;;
+ *:\$md5*)
+ echo SunMD5
+ ;;
+ *:\$sha1*)
+ echo sha1crypt
+ ;;
+ 13:* | 178:*)
+ echo bigcrypt/descrypt
+ ;;
+ *)
+ echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
+ ;;
+ esac
+ done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ')
+ if [ -z "${FIND}" ]; then
+ Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: no poor password hashing methods found"
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
+ LogText "Result: poor password hashing methods found: ${FIND}"
+ ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values"
+ AddHP 0 2
+ fi
+ fi
+#
+#################################################################################
+#
# Test : AUTH-9234
# Description : Query user accounts
# Notes : AIX: 100+
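Review bot: The fallback arm `*)` of the case statement echoes the whole `${METHOD}` value, which is the length-prefixed raw hash field from `${ROOTDIR}etc/shadow`, and that text is carried through `FIND` into `LogText "Result: poor password hashing methods found: ${FIND}"`, so any unrecognised entry copies a password hash verbatim into the Lynis log, which is not protected like the shadow file. Report only what identifies the scheme, e.g. `echo "Unknown password hashing method (field length ${METHOD%%:*}). Please report to lynis-dev@cisofy.com"`. Separately, the `[ -e ${ROOTDIR}etc/shadow ]` test only checks existence: when the audit runs unprivileged, `cat` fails on shadow with a stderr message, the passwd entries are all `1:x` and are skipped, `FIND` ends up empty and the test awards full points with "no poor password hashing methods found"; testing `-r` instead and logging a skip (without `AddHP 2 2`) when shadow is unreadable avoids that false pass. Finally, `while read METHOD` should be `while read -r METHOD` so backslashes in the field are not interpreted.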