From 17bbaa8f7a54b30fdda8cf367593964a31ddcda6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 13:19:10 +0100 Subject: [AUTH-9229] make test only available for root --- include/tests_authentication | 80 +++++++++++++++++++++++--------------------- 1 file changed, 41 insertions(+), 39 deletions(-) (limited to 'include/tests_authentication') diff --git a/include/tests_authentication b/include/tests_authentication index 0cc831ad..d8efe6e2 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -329,50 +329,52 @@ # Test : AUTH-9229 # Description : Check password hashing methods vs. recommendations in crypt(5) # Notes : Applicable to all Unix-like OS - Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods" + # Requires read access to /etc/shadow (if it exists) + Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking password hashing methods" - if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi - FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do - case ${METHOD} in - 1:\* | 1:x | 0: | *:!*) - # disabled | shadowed | no password | locked account - ;; - *:\$5\$*| *:\$6\$*) - # sha256crypt | sha512crypt: check number of rounds, should be >5000 - ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') - if [ -z "${ROUNDS}" ]; then - echo 'sha256crypt/sha512crypt(default<=5000rounds)' - elif [ "${ROUNDS}" -le 5000 ]; then - echo 'sha256crypt/sha512crypt(<=5000rounds)' - fi - ;; - *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) - # yescrypt | gost-yescrypt | bcrypt | scrypt - ;; - *:_*) - echo bsdicrypt - ;; - *:\$1\$*) - echo md5crypt - ;; - *:\$3\$*) - echo NT - ;; - *:\$md5*) - echo SunMD5 - ;; - *:\$sha1*) - echo sha1crypt - ;; - 13:* | 178:*) - echo bigcrypt/descrypt - ;; + SHADOW=""; + if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi + FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do + case ${METHOD} in + 1:\* | 1:x | 0: | *:!*) + # disabled | shadowed | no password | locked account + ;; + *:\$5\$*| *:\$6\$*) + # sha256crypt | sha512crypt: check number of rounds, should be >5000 + ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') + if [ -z "${ROUNDS}" ]; then + echo 'sha256crypt/sha512crypt(default<=5000rounds)' + elif [ "${ROUNDS}" -le 5000 ]; then + echo 'sha256crypt/sha512crypt(<=5000rounds)' + fi + ;; + *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) + # yescrypt | gost-yescrypt | bcrypt | scrypt + ;; + *:_*) + echo bsdicrypt + ;; + *:\$1\$*) + echo md5crypt + ;; + *:\$3\$*) + echo NT + ;; + *:\$md5*) + echo SunMD5 + ;; + *:\$sha1*) + echo sha1crypt + ;; + 13:* | 178:*) + echo bigcrypt/descrypt + ;; *) echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" ;; - esac - done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') + esac + done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN LogText "Result: no poor password hashing methods found" -- cgit v1.2.3