From 4a51ad031b371dd60ed79f125fa68b787d31a840 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 21 Mar 2020 12:50:38 +0200
Subject: Check password hashing methods

Manual page crypt(5) gives recommendations for choosing password
hashing methods, so let's check if there are weakly encrypted
passwords in the system.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 db/tests.db                  |  1 +
 include/binaries             |  1 +
 include/tests_authentication | 61 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)

diff --git a/db/tests.db b/db/tests.db
index d051c77d..fce9a691 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -22,6 +22,7 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
 AUTH-9222:test:security:authentication::Check for non unique groups:
 AUTH-9226:test:security:authentication::Check non unique group names:
 AUTH-9228:test:security:authentication::Check password file consistency with pwck:
+AUTH-9229:test:security:authentication::Check password hashing methods:
 AUTH-9234:test:security:authentication::Query user accounts:
 AUTH-9240:test:security:authentication::Query NIS+ authentication support:
 AUTH-9242:test:security:authentication::Query NIS authentication support:
diff --git a/include/binaries b/include/binaries
index 89e2fddd..af5882a5 100644
--- a/include/binaries
+++ b/include/binaries
@@ -310,6 +310,7 @@
 
         # Test if the basic system tools are defined. These will be used during the audit.
         [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
+        [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
         [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
         [ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
         [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
diff --git a/include/tests_authentication b/include/tests_authentication
index 02a3bb74..9d992d49 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -325,6 +325,67 @@
     fi
 #
 #################################################################################
+#
+    # Test        : AUTH-9229
+    # Description : Check password hashing methods vs. recommendations in crypt(5)
+    # Notes       : Applicable to all Unix-like OS
+    Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking password hashing methods"
+	if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi
+	FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
+	    case ${METHOD} in
+		1:\* | 1:x | 0: | *:!*)
+		    # disabled | shadowed | no password | locked account
+		    ;;
+		*:\$5\$*| *:\$6\$*)
+		    # sha256crypt | sha512crypt: check number of rounds, should be >5000
+		    ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+		    if [ -z "${ROUNDS}" ]; then
+		        echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+		    elif [ "${ROUNDS}" -le 5000 ]; then
+		        echo 'sha256crypt/sha512crypt(<=5000rounds)'
+		    fi
+		    ;;
+		*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+		    # yescrypt | gost-yescrypt | bcrypt | scrypt
+		    ;;
+		*:_*)
+		    echo bsdicrypt
+		    ;;
+		*:\$1\$*)
+		    echo md5crypt
+		    ;;
+		*:\$3\$*)
+		    echo NT
+		    ;;
+		*:\$md5*)
+		    echo SunMD5
+		    ;;
+		*:\$sha1*)
+		    echo sha1crypt
+		    ;;
+		13:* | 178:*)
+		    echo bigcrypt/descrypt
+		    ;;
+                *)
+                    echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
+                    ;;
+	    esac
+	done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ')
+        if [ -z "${FIND}" ]; then
+            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
+            LogText "Result: no poor password hashing methods found"
+            AddHP 2 2
+        else
+            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
+            LogText "Result: poor password hashing methods found: ${FIND}"
+            ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values"
+            AddHP 0 2
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : AUTH-9234
     # Description : Query user accounts
-- 
cgit v1.2.3