Message ID | 20221128052502.19286-1-Sai.Sathujoda@toshiba-tsip.com
---|---
State | Accepted
Series | [isar-cip-core] security-customizations: Fix account locked for non-consecutive failed attempts
Hi Jan,

Can you please review this patch?

Regards,
Sai Ashrith (T S I P)

-----Original Message-----
From: Sai.Sathujoda@toshiba-tsip.com <Sai.Sathujoda@toshiba-tsip.com>
Sent: Monday, November 28, 2022 10:55 AM
To: cip-dev@lists.cip-project.org; jan.kiszka@siemens.com
Cc: ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: [isar-cip-core] security-customizations: Fix account locked for non-consecutive failed attempts

From: Sai <Sai.Sathujoda@toshiba-tsip.com>

As per security configuration the user account should be locked for consecutive failed login attempts, but with the current pam configuration it is locked even for non-consecutive failed login attempts, because it is missing the pam configuration in the account phase which will do the necessary reset for non-consecutive failed attempts.

Closes [1]
[1] https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/issues/3

Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com>
---
recipes-core/security-customizations/files/postinst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 0d0eb07..4ff8ecf 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -25,11 +25,13 @@ PAM_AUTH_FILE="/etc/pam.d/common-auth" # pam_tally2 is deprecated from pam version 1.4.0-7 if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then PAM_MODULE="pam_tally2.so" - PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60 + \naccount required pam_tally2.so" elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then PAM_MODULE="pam_faillock.so" PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ - \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ + \naccount required pam_faillock.so" else echo "No suitable pam module found to lock failed login attempts" exit 1 -- 2.20.1
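Review bot: in the pam_tally2 branch the first `+` line ends without the ` \` continuation that the pam_faillock branch uses (`... root_unlock_time=60` is followed directly by `\naccount required pam_tally2.so` on the next line), so the double-quoted string keeps a literal newline ahead of the `\n` escape and the generated stack gets an empty line between the auth and account entries; appending ` \` makes it match the faillock lines. While the faillock authfail line is being rewritten anyway, the stray `.so` token in `pam_faillock.so .so authfail`, carried over from the removed line, could be dropped, since it is not an option pam_faillock recognises. Lastly, the new `account` entries are appended to PAM_AUTH_FILE (/etc/pam.d/common-auth) rather than to a common-account file; that only takes effect where services pull the file in with `@include`, which imports lines of every management group, and not with `auth include`, which imports auth lines only, so it is worth confirming on the image that the account line is actually evaluated.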
On 28.11.22 06:25, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai <Sai.Sathujoda@toshiba-tsip.com> > > As per security configuration the user account should be locked for consecutive > failed login attempts, but with current pam configuration it is locked even for > non-consecutive failed login attempts, because it is missing the pam configuration > in account phase which will do necessary reset for non-consecutive failed attempts. > > Closes [1] > [1] https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/issues/3 > > Signed-off-by: Sai <Sai.Sathujoda@toshiba-tsip.com> > --- > recipes-core/security-customizations/files/postinst | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst > index 0d0eb07..4ff8ecf 100644 > --- a/recipes-core/security-customizations/files/postinst > +++ b/recipes-core/security-customizations/files/postinst > @@ -25,11 +25,13 @@ PAM_AUTH_FILE="/etc/pam.d/common-auth" > # pam_tally2 is deprecated from pam version 1.4.0-7 > if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then > PAM_MODULE="pam_tally2.so" > - PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" > + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60 > + \naccount required pam_tally2.so" > elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then > PAM_MODULE="pam_faillock.so" > PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ > - \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60" > + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ > + \naccount required pam_faillock.so" > else > echo "No suitable pam module found to lock failed login attempts" > exit 1

Thanks, applied.

Jan
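A post-install check for the condition the commit message describes, added here as an example (not code from the patch or from isar-cip-core): it verifies that a PAM stack file carries both the auth lockout entry and the account entry that resets the tally on a successful login. The file path and module name are assumed inputs, and the before/after sample configs are constructed to mirror the pam_tally2 branch of the diff.

```shell
# Added example, not part of the patch or of isar-cip-core: a post-install
# check that a PAM stack file carries both halves of the lockout setup for
# the tally module in use. Without the "account" entry the failure counter
# is never reset on a successful login, so non-consecutive failures add up,
# which is the behaviour the patch fixes.

# pam_lockout_config_ok FILE MODULE
#   FILE   - PAM config to inspect (the postinst writes /etc/pam.d/common-auth)
#   MODULE - pam_tally2.so or pam_faillock.so
# Returns 0 if FILE has an "auth required MODULE ... deny=N" line AND an
# "account required MODULE" line; otherwise prints what is missing, returns 1.
pam_lockout_config_ok() {
    file="$1"; module="$2"; rc=0
    # Escape the dot in the module name so it is literal in the regexes.
    mod_re=$(printf '%s' "$module" | sed 's/\./\\./g')
    # PAM ignores anything after '#', so strip comments before matching.
    stack=$(sed 's/#.*//' "$file")
    if ! printf '%s\n' "$stack" |
         grep -Eq "^[[:space:]]*auth[[:space:]]+required[[:space:]]+$mod_re[[:space:]].*deny=[0-9]+"; then
        echo "$file: no 'auth required $module ... deny=' line"; rc=1
    fi
    if ! printf '%s\n' "$stack" |
         grep -Eq "^[[:space:]]*account[[:space:]]+required[[:space:]]+$mod_re([[:space:]]|\$)"; then
        echo "$file: no 'account required $module' line (tally never reset)"; rc=1
    fi
    return $rc
}

# make_sample FILE WITH_ACCOUNT: write a constructed common-auth mirroring
# the pam_tally2 branch before (WITH_ACCOUNT=0) and after (1) the patch.
make_sample() {
    {
        echo "# constructed sample: lines emitted by security-customizations"
        echo "auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
        if [ "$2" -eq 1 ]; then echo "account required pam_tally2.so"; fi
        echo "auth [success=1 default=ignore] pam_unix.so nullok"
    } > "$1"
}

before=$(mktemp); after=$(mktemp)
make_sample "$before" 0
make_sample "$after" 1
pam_lockout_config_ok "$before" pam_tally2.so || echo "before the patch: check fails as expected"
pam_lockout_config_ok "$after" pam_tally2.so && echo "after the patch: both entries present"
rm -f "$before" "$after"
```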