Merge pull request #10567 from rumch-se/fix_accounts_passwords_pam_tally2_deny_root

Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root

Author: marcusburghardt

controls/anssi.yml

@@ -755,6 +755,8 @@ controls:
     - var_accounts_passwords_pam_faillock_deny=3
     - accounts_passwords_pam_faillock_deny
     - accounts_passwords_pam_faillock_deny_root
+    # same as above but for pam_tally2 module
+    - accounts_passwords_pam_tally2_deny_root
     # Automatically unlock users after 15 min to prevent DoS
     - var_accounts_passwords_pam_faillock_unlock_time=900
     - accounts_passwords_pam_faillock_unlock_time

controls/cis_sle12.yml

@@ -1771,6 +1771,7 @@ controls:
     rules:
       - accounts_passwords_pam_tally2
       - var_password_pam_tally2=5
+      - accounts_passwords_pam_tally2_deny_root
 
   - id: 5.3.3
     title: Ensure password reuse is limited (Automated)

controls/cis_sle15.yml

@@ -1965,6 +1965,7 @@ controls:
     rules:
       - accounts_passwords_pam_tally2
       - var_password_pam_tally2=5
+      - accounts_passwords_pam_tally2_deny_root
 
   - id: 5.3.3
     title: Ensure password reuse is limited (Automated)

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml

@@ -1,9 +1,9 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-
+{{{ ansible_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
+{{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh

@@ -1,9 +1,9 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{{ bash_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-
+{{{ bash_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
+{{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml

@@ -17,9 +17,9 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_accounts_passwords_pam_tally2_even_deny_root" comment="Check even deny root configuration of pam_tally2" version="1">
-    <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*deny=[[4-9]|[1-9][0-9]]+([\s+\S+]*)even_deny_root([\s+\S+])*\s*(\\)*$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <ind:filepath>/etc/pam.d/login</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_tally2.so(?:(?!\n)\s)+(?:(?:(?:(?!\n)\s)?[^\n]+)?onerr=fail(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+deny=(\d+)(?:(?:\s+\S+)*\s*$))|(?:(?:(?:(?!\n)\s)?[^\n]+)?deny=(\d+)(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+even_deny_root(?:(?:\s+\S+)*\s*$))</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>    
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test id="test_accounts_passwords_pam_tally2_even_deny_root_account"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/rule.yml

@@ -22,6 +22,8 @@ identifiers:
 references:
     anssi: BP28(R18)
     cis-csc: 1,12,15,16
+    cis@sle12: 5.3.2
+    cis@sle15: 5.3.2
     cobit5: DSS05.04,DSS05.10,DSS06.10
     disa: CCI-002238,CCI-000044
     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
@@ -38,17 +40,17 @@ ocil_clause: 'limiting the number of failed logon attempts for the root user is
 ocil: |-
     To ensure that even the <tt>root</tt> account is locked after a defined number of failed password
     attempts, run the following command:
-    <pre>$ grep even_deny_root /etc/pam.d/common-auth</pre>
+    <pre>$ grep even_deny_root /etc/pam.d/login</pre>
     The output should show <tt>even_deny_root</tt>.
 
 fixtext: |-
     To configure the system to lock out the <tt>root</tt> account after a number of incorrect login
-    attempts using <tt>pam_tally2.so</tt>, modify the content of both <tt>/etc/pam.d/common-auth</tt> and
+    attempts using <tt>pam_tally2.so</tt>, modify the content of both <tt>/etc/pam.d/login</tt> and
     <tt>/etc/pam.d/common-account</tt> as follows:
     <br /><br />
     <ul>
     <li> add or modify the <tt>pam_tally2.so</tt> module line in
-    <tt>/etc/pam.d/common-auth</tt> to ensure  <tt>even_deny_root</tt> is present. For example:
+    <tt>/etc/pam.d/login</tt> to ensure  <tt>even_deny_root</tt> is present. For example:
     <pre>auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200</pre>
     <li> add or modify the following line in <tt>/etc/pam.d/common-account</tt>:
     <pre>account required pam_tally2.so</pre></li>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_absent_account_config.fail.sh

@@ -1,13 +1,13 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTA
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
 account	requisite			pam_deny.so
 account	required			pam_permit.so
 CAPTA
 
-cat >/etc/pam.d/common-auth <<CAPTEDRC
+cat >/etc/pam.d/login <<CAPTEDRC
 auth required pam_tally2.so onerr=fail audit silent deny=3 even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
 auth	requisite			pam_deny.so

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_deny_missing.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTAC
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -8,7 +8,7 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTAC
 
-cat >/etc/pam.d/common-auth <<CAPTDM
+cat >/etc/pam.d/login <<CAPTDM
 auth required pam_tally2.so onerr=fail audit silent even_deny_root unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
 auth	requisite			pam_deny.so

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/tests/pam_tally2_even_deny_root_absent.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle
 
 cat >/etc/pam.d/common-account <<CAPTC
 account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
@@ -8,11 +8,10 @@ account required                        pam_tally2.so
 account	required			pam_permit.so
 CAPTC
 
-cat >/etc/pam.d/common-auth <<CAPTEDRM
+cat >/etc/pam.d/login <<CAPTEDRM
 auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
 auth	requisite			pam_deny.so
 auth	required			pam_permit.so
 auth	optional			pam_cap.so
 CAPTEDRM
-