From 6818db5e127e732db432a119c9894c663995ed5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 24 Mar 2020 11:43:34 +0100
Subject: add AUTH-9230
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 db/tests.db | 1 +
 1 file changed, 1 insertion(+)
diff --git a/db/tests.db b/db/tests.db
index 79cfe6ce..220d76e1 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -23,6 +23,7 @@ AUTH-9222:test:security:authentication::Check for non unique groups:
 AUTH-9226:test:security:authentication::Check non unique group names:
 AUTH-9228:test:security:authentication::Check password file consistency with pwck:
 AUTH-9229:test:security:authentication::Check password hashing methods:
+AUTH-9230:test:security:authentication::Check group password hashing rounds:
 AUTH-9234:test:security:authentication::Query user accounts:
 AUTH-9240:test:security:authentication::Query NIS+ authentication support:
 AUTH-9242:test:security:authentication::Query NIS authentication support:
-- cgit v1.2.3
From 5341fa7b29dbd32db32a11934d1b2eef3c022d72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 24 Mar 2020 11:44:14 +0100
Subject: AUTH-9229 isnt related to login.defs, add AUTH-9230
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 include/tests_authentication | 52 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index d8efe6e2..c5c71eee 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -382,12 +382,62 @@
 else
 Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: poor password hashing methods found: ${FIND}"
- ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values"
+ ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values"
 AddHP 0 2
 fi
 fi
 #
 #################################################################################
+#
+ # Test : AUTH-9230
+ # Description : Check group password hashing rounds in login.defs
+ # Notes : Applicable to all Unix-like OS
+ PREQS_MET="NO"
+ if [ -f ${ROOTDIR}etc/login.defs ]; then
+ PREQS_MET="YES"
+ fi
+ Register --test-no AUTH-9230 --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/login.defs"
+ FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }')
+ if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
+ LogText "Result: number of minimum rounds used by the encryption algorithm is not configured"
+ Display --indent 2 --text "- Checking minimum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Configure minimum encryption algorithm rounds in /etc/login.defs"
+ AddHP 0 2
+ elif [ "${FIND}" -lt 5000 ]; then
+ LogText "Result: low number of minimum encryption algorithm rounds found: ${FIND}"
+ PASSWORD_MINIMUM_ROUNDS=${FIND}
+ Display --indent 2 --text "- Group password hashing rounds (minimum)" --result "${STATUS_SUGGESTION}" --color YELLOW
+ AddHP 1 2
+ else
+ LogText "Result: number of encryption algorithm rounds is ${FIND}"
+ PASSWORD_MINIMUM_ROUNDS=${FIND}
+ Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN
+ AddHP 2 2
+ fi
+
+ LogText "Test: Checking SHA_CRYPT_MAX_ROUNDS option in ${ROOTDIR}etc/login.defs"
+ FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2 } }')
+ if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
+ LogText "Result: number of maximum rounds used by the encryption algorithm is not configured"
+ Display --indent 2 --text "- Checking maximum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Configure maximum encryption algorithm rounds in /etc/login.defs"
+ AddHP 0 2
+ elif [ "${FIND}" -lt 10000 ]; then
+ LogText "Result: low number of maximum encryption algorithm rounds found: ${FIND}"
+ PASSWORD_MINIMUM_ROUNDS=${FIND}
+ Display --indent 2 --text "- Group password hashing rounds (maximum)" --result "${STATUS_SUGGESTION}" --color YELLOW
+ AddHP 1 2
+ else
+ LogText "Result: number of encryption algorithm rounds is ${FIND}"
+ PASSWORD_MINIMUM_ROUNDS=${FIND}
+ Display --indent 2 --text "- Group password hashing rounds (maximum)" --result CONFIGURED --color GREEN
+ AddHP 2 2
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : AUTH-9234
 # Description : Query user accounts
-- cgit v1.2.3
From 0b9e2d85d6a593bc4f71565d9756d129a1859e27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 24 Mar 2020 11:44:54 +0100
Subject: fix tabs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 include/tests_authentication | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index c5c71eee..c3c072f5 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
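Review bot: Both arms of the SHA_CRYPT_MAX_ROUNDS block in the new AUTH-9230 test assign the maximum to `PASSWORD_MINIMUM_ROUNDS=${FIND}` (in the `elif [ "${FIND}" -lt 10000 ]` arm and the `else` arm), overwriting the minimum that was stored a few lines earlier, so anything reading that variable afterwards gets the maximum; store it in its own variable instead, e.g. a new `PASSWORD_MAXIMUM_ROUNDS=${FIND}` if nothing downstream already expects a different name. The comparisons `[ "${FIND}" -lt 5000 ]` and `[ "${FIND}" -lt 10000 ]` run on an unvalidated value from login.defs: a non-numeric value, or two matching `SHA_CRYPT_*_ROUNDS` lines joined by a newline, makes `[` fail with an integer-expression error, the `elif` is then false and the `else` arm reports the setting as CONFIGURED/GREEN, so a digits-only check such as `case "${FIND}" in *[!0-9]*) LogText "Result: invalid value ${FIND}"; ... ;; esac` before the numeric test would stop a malformed file from being scored as compliant. The two `ReportSuggestion` texts hardcode `/etc/login.defs` while the lookups use `${ROOTDIR}etc/login.defs`; using `${ROOTDIR}` in the suggestion keeps it accurate when scanning a mounted root. As far as I know shadow's SHA_CRYPT_MIN_ROUNDS/SHA_CRYPT_MAX_ROUNDS govern the crypt settings for user passwords as well, so the "group password" wording in the test description, the Display lines and the tests.db entry in the first commit looks narrower than what is measured — worth confirming the intended scope. The AUTH-9229 if/else that the hunk's leading `else` belongs to starts outside the hunk.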
@@ -488,15 +488,15 @@ "NetBSD"|"OpenBSD") if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then - UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }') + UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }') fi - if [ -n "${UID_RANGE}" ]; then + if [ -n "${UID_RANGE}" ]; then LogText "Result: found configured user id range specified: ${UID_RANGE}" UID_MIN=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $1 }') UID_MAX=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $2 }') else UID_MIN=1000 - UID_MAX=60000 + UID_MAX=60000 LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}" fi LogText "${OS} real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):" -- cgit v1.2.3 From bc09f921f0a8d28f2ff19df8c359f5be71c064f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 24 Mar 2020 11:53:50 +0100 Subject: fix indentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index c3c072f5..ce821fba 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -410,7 +410,7 @@ PASSWORD_MINIMUM_ROUNDS=${FIND} Display --indent 2 --text "- Group password hashing rounds (minimum)" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 1 2 - else + else LogText "Result: number of encryption algorithm rounds is ${FIND}" PASSWORD_MINIMUM_ROUNDS=${FIND} Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN -- cgit v1.2.3