diff options
| author | mboelen <michael@cisofy.com> | 2015-10-22 00:26:41 +0300 |
|---|---|---|
| committer | mboelen <michael@cisofy.com> | 2015-10-22 00:26:41 +0300 |
| commit | 2f9b793b785c868388cf71c59cfccb42cffa7f58 (patch) | |
| tree | 00cb5ffe3be022e2caff17c9eaa4f3a510ebab61 /plugins | |
| parent | 8cddc58c85e2853287c8b36ca9113d8bde213cee (diff) | |
Added logging of maximum password retries
Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/plugin_pam_phase1 | 393 |
1 files changed, 1 insertions, 392 deletions
diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1 index 06370b5d..57ca365d 100644 --- a/plugins/plugin_pam_phase1 +++ b/plugins/plugin_pam_phase1 @@ -6,7 +6,7 @@ #----------------------------------------------------- # PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com> # PLUGIN_CATEGORY=authentication -# PLUGIN_DATE=2015-10-01 +# PLUGIN_DATE=2015-10-21 # PLUGIN_DESC=PAM # PLUGIN_NAME=pam # PLUGIN_PACKAGE=all @@ -376,384 +376,6 @@ if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then fi fi -#!/bin/sh - -######################################################################### -# -# * DO NOT REMOVE * -#----------------------------------------------------- -# PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com> -# PLUGIN_CATEGORY=authentication -# PLUGIN_DATE=2015-10-01 -# PLUGIN_DESC=PAM -# PLUGIN_NAME=pam -# PLUGIN_PACKAGE=all -# PLUGIN_REQUIRED_TESTS= -# PLUGIN_VERSION=1.0.0 -#----------------------------------------------------- -######################################################################### -# - PAM_DIRECTORY="/etc/pam.d" - # Test : PLGN-0010 - # Description : Check PAM configuration - if [ -f /etc/pam.conf -o -d /etc/pam.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no PLGN-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PAM configuration" --progress - if [ ${SKIPTEST} -eq 0 ]; then - FOUNDPROBLEM=0 - # Check if the PAM directory structure exists - if [ -d ${PAM_DIRECTORY} ]; then - logtext "Result: /etc/pam.d exists" - FIND_FILES=`find ${PAM_DIRECTORY} -type f -print` - # First check /etc/pam.conf if it exists. - #if [ -f /etc/pam.conf ]; then FIND="/etc/pam.conf ${FIND}"; fi - for PAM_FILE in ${FIND_FILES}; do - #echo "" - logtext "Now checking PAM file ${PAM_FILE}" - while read line; do - # Strip empty lines, commented lines, tabs, line breaks (\), then finally remove all double spaces - LINE=`echo $line | grep -v "^#" | grep -v "^$" | tr '\011' ' ' | sed 's/\\\n/ /' | sed 's/ / /g' | sed 's/ #\(.*\)$//'` - if [ ! "${LINE}" = "" ]; then - PAM_SERVICE=`echo ${PAM_FILE} | awk -F/ '{ print $NF }'` - PAM_CONTROL_FLAG="-" - PAM_CONTROL_OPTIONS="-" - PAM_MODULE="-" - PAM_MODULE_OPTIONS="-" - PAM_TYPE=`echo ${LINE} | awk '{ print $1 }'` - PARSELINE=0 - case ${PAM_TYPE} in - "@include") - FILE=`echo ${LINE} | awk '{ print $2 }'` - logtext "Result: Found @include. Does include PAM settings from file ${FILE} (which is individually processed)" - ;; - "account") - PARSELINE=1 - ;; - "auth") - PARSELINE=1 - ;; - "password") - PARSELINE=1 - ;; - "session") - PARSELINE=1 - ;; - *) - logtext "Exception: Unknown PAM type found" - ;; - esac - if [ ${PARSELINE} -eq 1 ]; then - MULTIPLE_OPTIONS=`echo ${LINE} | awk '$2 ~ /^\[/'` - if [ ! "${MULTIPLE_OPTIONS}" = "" ]; then - # Needs more parsing, depending on the options found - PAM_CONTROL_OPTIONS=`echo ${LINE} | sed "s/^.*\[//" | sed "s/\].*$//"` - logtext "Result: Found brackets in line, indicating multiple options for control flags: ${PAM_CONTROL_OPTIONS}" - LINE=`echo ${LINE} | sed "s/ \[.*\] / other /"` - fi - PAM_MODULE=`echo ${LINE} | awk '{ print $3 }'` - PAM_MODULE_OPTIONS=`echo ${LINE} | cut -d ' ' -f 4-` - PAM_CONTROL_FLAG=`echo ${LINE} | awk '{ print $2 }'` - case ${PAM_CONTROL_FLAG} in - "optional"|"required"|"requisite"|"sufficient") - Debug "Found a common control flag: ${PAM_CONTROL_FLAG} for ${PAM_MODULE}" - ;; - "other") - logtext "Result: brackets used, ignoring control flags" - ;; - *) - logtext "Unknown control flag found (${PAM_CONTROL_FLAG})" - ;; - esac - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - logtext "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) with options ${PAM_MODULE_OPTIONS}" - else - PAM_MODULE_OPTIONS="-" - logtext "Result: using module ${PAM_MODULE} (${PAM_CONTROL_FLAG}) without options configured" - fi - - PAM_MODULE_NAME=`echo ${PAM_MODULE} | sed 's/.so$//'` - # - # Specific PAMs are commonly seen on these platforms: - # - # FreeBSD Linux - # pam_access v - # pam_deny v v - # pam_group v - # pam_krb5 v - # pam_lastlog v - # pam_login_access v - # pam_nologin v - # pam_opie v - # pam_opieaccess v - # pam_passwdqc v - # pam_permit v - # pam_rhosts v - # pam_rootok v - # pam_securetty v - # pam_self v - # pam_ssh v - # pam_unix v - - case ${PAM_MODULE_NAME} in - pam_access) ;; - pam_cap) ;; - pam_debug | pam_deny) ;; - pam_echo| pam_env | pam_exec | pam_faildelay) ;; - pam_filter | pam_ftp) ;; - # Google Authenticator / YubiKey - # Common to find it only enabled for SSH - pam_google_authenticator | pam_yubico) - logtext "Result: found pam_google_authenticator" - if [ "${PAM_CONTROL_FLAG}" = "required" ]; then - PAM_2F_AUTH_ENABLED=1 - PAM_2F_AUTH_REQUIRED=1 - report "authentication_2f_provider[]=${PAM_MODULE_NAME}" - report "authentication_2f_service[]=${PAM_SERVICE}" - elif -o "${PAM_CONTROL_FLAG}" = "sufficient" ]; then - PAM_2F_AUTH_ENABLED=1 - report "authentication_2f_provider[]=${PAM_MODULE_NAME}" - report "authentication_2f_service[]=${PAM_SERVICE}" - else - logtext "exception: found 2F authenticator enabled with uncommon control flag: ${PAM_CONTROL_FLAG}" - fi - ;; - pam_group) ;; - pam_issue) ;; - pam_keyinit | pam_krb5) ;; - pam_lastlog | pam_limits) ;; - # Log UID for auditd - pam_loginuid) - PAM_LOGINUID_FOUND=1 - ;; - pam_listfile | pam_localuser) ;; - pam_mail | pam_mkhomedir | pam_motd) ;; - pam_namespace | pam_nologin) ;; - pam_permit) ;; - pam_rootok) ;; - pam_rhosts) ;; - pam_securetty) ;; - pam_self) ;; - pam_shells) ;; - pam_stress | pam_succeed_if | pam_systemd) ;; - pam_time | pam_timestamp) ;; - pam_umask) ;; - # Password history - # Can be configured via pam_unix or pam_pwhistory - pam_unix | pam_pwhistory) - logtext "Result: found ${PAM_MODULE} module (generic)" - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` - VALUE=`echo ${I} | awk -F= '{ print $2 }'` - CREDITS_CONFIGURED=0 - case ${OPTION} in - # pam_pwhistory / pam_unix - remember) - # Minimum length (remove 1 if credits are configured, at later stage in function) - logtext "Result: password history configured" - DigitsOnly ${VALUE} - PAM_PASSWORD_HISTORY_AMOUNT=${VALUE} - PAM_PASSWORD_HISTORY_ENABLED=1 - Debug "Found password history enabled with module ${PAM_MODULE_NAME} and password amount ${PAM_PASSWORD_HISTORY_AMOUNT}" - ;; - esac - done - fi - ;; - pam_unix_acct| pam_unix_auth | pam_unix_passwd | pam_unix_session | pam_unix2) ;; - pam_vbox) ;; - pam_warn | pam_wheel) ;; - pam_xauth) ;; - - # Password strength testing - pam_cracklib | pam_pwquality) - logtext "Result: found module ${PAM_MODULE} for password strength testing" - - # Set default values - if [ "${CREDITS_D_PASSWORD}" = "" ]; then CREDITS_D_PASSWORD=1; fi - if [ "${CREDITS_L_PASSWORD}" = "" ]; then CREDITS_L_PASSWORD=1; fi - if [ "${CREDITS_O_PASSWORD}" = "" ]; then CREDITS_O_PASSWORD=1; fi - if [ "${CREDITS_U_PASSWORD}" = "" ]; then CREDITS_U_PASSWORD=1; fi - if [ "${MAX_PASSWORD_RETRY}" = "" ]; then MAX_PASSWORD_RETRY=1; fi - if [ "${MIN_PASSWORD_CLASS}" = "" ]; then MIN_PASSWORD_CLASS=0; fi - if [ "${MIN_PASSWORD_LENGTH}" = "" ]; then MIN_PASSWORD_LENGTH=6; fi - - PAM_PASSWORD_STRENGTH_TESTED=1 - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - Debug "Module options configured" - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` - Debug ${OPTION} - VALUE=`echo ${I} | awk -F= '{ print $2 }'` - CREDITS_CONFIGURED=0 - case ${OPTION} in - minlen) - # Minimum length (remove 1 if credits are configured, at later stage in function) - logtext "Result: minlen configured" - DigitsOnly ${VALUE} - MIN_PASSWORD_LENGTH=${VALUE} - ;; - retry) - # Maximum password retry - logtext "Result: Max password Retry configured" - DigitsOnly ${VALUE} - MAX_PASSWORD_RETRY=${VALUE} - ;; - minclass) - # Minimum number of class required out of upper, lower, digit and oters - logtext "Result: Min number of password class is configured" - MIN_PASSWORD_CLASS=${VALUE} - ;; - dcredit) - CREDITS_D_PASSWORD=${VALUE} - ;; - lcredit) - CREDITS_L_PASSWORD=${VALUE} - ;; - ocredit) - CREDITS_O_PASSWORD=${VALUE} - ;; - ucredit) - CREDITS_U_PASSWORD=${VALUE} - ;; - *) - logtext "Result: unknown option found: ${OPTION} with value ${VALUE}" - ;; - esac - done - fi - ;; - - pam_tally | pam_tally2) - if [ "${PAM_CONTROL_FLAG}" = "required" ]; then - logtext "Result: found a required module for countering brute force cracking attempts" - report "pam_auth_brute_force_protection_module[]=${PAM_MODULE_NAME}" - PAM_AUTH_BRUTE_FORCE_PROTECTION=1 - fi - if [ ! "${PAM_MODULE_OPTIONS}" = "" ]; then - for I in ${PAM_MODULE_OPTIONS}; do - OPTION=`echo ${I} | awk -F= '{ print $1 }'` - VALUE=`echo ${I} | awk -F= '{ print $2 }'` - case ${OPTION} in - deny) - AUTH_BLOCK_BAD_LOGIN_ATTEMPTS="${VALUE}" - ;; - unlock_time) - AUTH_UNLOCK_TIME="${VALUE}" - ;; - esac - done - fi - ;; - "-") - logtext "NOTE: this module is not parsed, as it uses an unknown control flag or type" - ;; - *) - logtext "Result: found pluggable authentication module ${PAM_MODULE}, which is unknown" - ;; - esac - fi - #Debug "Service: ${PAM_SERVICE}" - #Debug "Type: ${PAM_TYPE}" - #Debug "Control: ${PAM_CONTROL_FLAG}" - #Debug "Control options: ${PAM_CONTROL_OPTIONS}" - #Debug "Module: ${PAM_MODULE_NAME}" - #Debug "Module options: ${PAM_MODULE_OPTIONS}" - fi - done < ${PAM_FILE} - #ParsePAMLine ${J} - #StoreSetting "pam" " - done - fi - fi -# -################################################################################# -# - -# /etc/security/opasswd should exist when: -# password history is enabled via pam_unix -# pam_cracklib or pam_pwquality is used -# In that case, the file should be owned by root, with 440/640/660 permissions - -logtext "[PAM] PAM 2F authentication enabled: ${PAM_2F_AUTH_ENABLED}" -report "authentication_two_factor_enabled=${PAM_2F_AUTH_ENABLED}" - -logtext "[PAM] PAM 2F authentication required: ${PAM_2F_AUTH_REQUIRED}" -report "authentication_two_factor_required=${PAM_2F_AUTH_ENABLED}" - -if [ ! "${AUTH_UNLOCK_TIME}" = "-1" ]; then - logtext "[PAM] Authentication unlock time: ${AUTH_UNLOCK_TIME}" - report "authentication_unlock_time=${AUTH_UNLOCK_TIME}" - else - logtext "[PAM] Authentication unlock time: not configured" -fi - -logtext "[PAM] Password brute force protection: ${PAM_AUTH_BRUTE_FORCE_PROTECTION}" - -if [ ${PAM_AUTH_BRUTE_FORCE_PROTECTION} -eq 1 ]; then - report "authentication_brute_force_protection=1" -fi - -if [ ! "${MIN_PASSWORD_LENGTH}" = "-1" ]; then - logtext "[PAM] Minimum password length: ${MIN_PASSWORD_LENGTH}" - report "minimum_password_length=${MIN_PASSWORD_LENGTH}" - else - logtext "[PAM] Minimum password length: not configured" -fi - -logtext "[PAM] Password strength testing enabled: ${PAM_PASSWORD_STRENGTH_TESTED}" -if [ ${PAM_PASSWORD_STRENGTH_TESTED} -eq 1 ]; then - report "password_strength_tested=1" - - if [ ${CREDITS_D_PASSWORD} -ge 1 ] && [ ${CREDITS_L_PASSWORD} -ge 1 ] && [ ${CREDITS_O_PASSWORD} -ge 1 ] && [ ${CREDITS_U_PASSWORD} -ge 1 ]; then - # Show how many password class are required out of 4 - logtext "[PAM] Minimum password class out of 4: ${MIN_PASSWORD_CLASS}" - report "min_password_class=${MIN_PASSWORD_CLASS}" - else - logtext "[PAM] Minimum password class setting of ${MIN_PASSWORD_CLASS} out of 4 is ignored since at least 1 class are forced " - report "min_password_class=ignored" - fi - - # Digits - if [ ${CREDITS_D_PASSWORD} -lt 0 ]; then - CREDITS_D_PASSWORD=`echo ${CREDITS_D_PASSWORD} | cut -b 2-` - logtext "[PAM] Minimum number of Digital characters required: ${CREDITS_D_PASSWORD}" - report "password_min_digital_required=${CREDITS_D_PASSWORD}" - elif [ ${CREDITS_D_PASSWORD} -ge 0 ]; then - logtext "[PAM] Maximum credit for Digital characters: ${CREDITS_D_PASSWORD}" - report "password_max_digital_credit=${CREDITS_D_PASSWORD}" - fi - - # Lowercase - if [ ${CREDITS_L_PASSWORD} -lt 0 ]; then - CREDITS_L_PASSWORD=`echo ${CREDITS_L_PASSWORD} | cut -b 2-` - logtext "[PAM] Minimum number of Lowercase characters required: ${CREDITS_L_PASSWORD}" - report "password_min_l_required=${CREDITS_L_PASSWORD}" - elif [ ${CREDITS_L_PASSWORD} -ge 0 ]; then - logtext "[PAM] Maximum credit for Lowercase characters: ${CREDITS_L_PASSWORD}" - report "password_max_l_credit=${CREDITS_L_PASSWORD}" - fi - - # Other characters - if [ ${CREDITS_O_PASSWORD} -lt 0 ]; then - CREDITS_O_PASSWORD=`echo ${CREDITS_O_PASSWORD} | cut -b 2-` - logtext "[PAM] Minimum number of Other characters required: ${CREDITS_O_PASSWORD}" - report "password_min_other_required=${CREDITS_O_PASSWORD}" - elif [ ${CREDITS_O_PASSWORD} -ge 0 ]; then - logtext "[PAM] Maximum credit for Other characters: ${CREDITS_O_PASSWORD}" - report "password_max_other_credit=${CREDITS_O_PASSWORD}" - fi - - # Uppercase - if [ ${CREDITS_U_PASSWORD} -lt 0 ]; then - CREDITS_U_PASSWORD=`echo ${CREDITS_U_PASSWORD} | cut -b 2-` - logtext "[PAM] Minimum number of Uppercase characters required: ${CREDITS_U_PASSWORD}" - report "password_min_u_required=${CREDITS_U_PASSWORD}" - elif [ ${CREDITS_U_PASSWORD} -ge 0 ]; then - logtext "[PAM] Maximum credit for Uppercase characters: ${CREDITS_U_PASSWORD}" - report "password_max_u_credit=${CREDITS_U_PASSWORD}" - fi -fi - # Show how many retries are allowed to change password logtext "[PAM] Password maximum retry: ${MAX_PASSWORD_RETRY}" report "max_password_retry=${MAX_PASSWORD_RETRY}" @@ -770,16 +392,3 @@ logtext "[PAM] Password history amount: ${PAM_PASSWORD_HISTORY_AMOUNT}" #EOF - -# If auditd is running, but pam_loginuid not, events might not be properly logged -if [ ${AUDITD_RUNNING} -eq 1 ]; then - if [ ${PAM_LOGINUID_FOUND} -eq 0 ]; then - report "pam_issue[]=pam_loginuid is missing" - fi -fi - -logtext "[PAM] Password history enabled: ${PAM_PASSWORD_HISTORY_ENABLED}" -logtext "[PAM] Password history amount: ${PAM_PASSWORD_HISTORY_AMOUNT}" - - -#EOF |