| author | Topi Miettinen <toiwoton@gmail.com> | 2020-03-21 13:50:38 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2020-03-21 13:50:38 +0300 |
| commit | 4a51ad031b371dd60ed79f125fa68b787d31a840 | |
| tree | 6d6398dff8a012619f8a8d33dd4209f2be23d525 /include/tests_authentication | |
| parent | 6356b3adb180d05f71514ea91455d513586ae71e | |
Check password hashing methods
Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'include/tests_authentication')
-rw-r--r-- | include/tests_authentication | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/include/tests_authentication b/include/tests_authentication index 02a3bb74..9d992d49 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -326,6 +326,67 @@ # ################################################################################# # + # Test : AUTH-9229 + # Description : Check password hashing methods vs. recommendations in crypt(5) + # Notes : Applicable to all Unix-like OS + Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking password hashing methods" + if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi + FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do + case ${METHOD} in + 1:\* | 1:x | 0: | *:!*) + # disabled | shadowed | no password | locked account + ;; + *:\$5\$*| *:\$6\$*) + # sha256crypt | sha512crypt: check number of rounds, should be >5000 + ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') + if [ -z "${ROUNDS}" ]; then + echo 'sha256crypt/sha512crypt(default<=5000rounds)' + elif [ "${ROUNDS}" -le 5000 ]; then + echo 'sha256crypt/sha512crypt(<=5000rounds)' + fi + ;; + *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) + # yescrypt | gost-yescrypt | bcrypt | scrypt + ;; + *:_*) + echo bsdicrypt + ;; + *:\$1\$*) + echo md5crypt + ;; + *:\$3\$*) + echo NT + ;; + *:\$md5*) + echo SunMD5 + ;; + *:\$sha1*) + echo sha1crypt + ;; + 13:* | 178:*) + echo bigcrypt/descrypt + ;; + *) + echo "Unknown password hashing method ${METHOD}. 
Please report to lynis-dev@cisofy.com" + ;; + esac + done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') + if [ -z "${FIND}" ]; then + Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN + LogText "Result: no poor password hashing methods found" + AddHP 2 2 + else + Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW + LogText "Result: poor password hashing methods found: ${FIND}" + ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values" + AddHP 0 2 + fi + fi +# +################################################################################# +# # Test : AUTH-9234 # Description : Query user accounts # Notes : AIX: 100+ |
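Review bot: the fallback arm `*) echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"` copies the whole password field, i.e. the hash read from `${ROOTDIR}etc/shadow`, into `FIND`, which is then written to the log by `LogText "Result: poor password hashing methods found: ${FIND}"` and shown in the suggestion output, and the message invites the user to forward it to a mailing list. Hashes should not leave the shadow file: echo only the method identifier (for instance the text up to the second `$`, or the length prefix plus the first few characters) so an unrecognised format can still be identified without the hash itself being logged or mailed. Two smaller points in the same hunk: the `bigcrypt/descrypt` arm matches only the lengths `13:*` and `178:*`, so a bigcrypt hash whose length falls between those two values drops through to the unknown arm (and, with the above, into the log); and the `0:` case silently accepts an empty password field, which is acceptable only if another test already reports passwordless accounts, so a comment saying which test covers that would help the next reader.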