Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CIS Controls 5.3.* (PAM) #38

Open
ucguerrilla opened this issue Dec 18, 2019 · 1 comment
Open

CIS Controls 5.3.* (PAM) #38

ucguerrilla opened this issue Dec 18, 2019 · 1 comment

Comments

@ucguerrilla
Copy link

ucguerrilla commented Dec 18, 2019
edited

On Ubuntu 16.04 LTS, I encountered several issues with the PAM configurations that may warrant review / confirmation. Tested this on a basic server configuration with base system OpenSSH installed (only).

Under the CIS controls for 5.3:

  1. Since we are using pam-pwquality, you may want to install the linux package: apt-get install libpam-pwquality BEFORE copying files.

  2. The template file (templates/common-passwd-CIS) copy command had no affect in my testing because the system file that you want to overwrite is actually: /etc/pam.d/common-password

  3. The templates/command-passwd-CIS syntax is actually non-compliant with CIS control 5.3.3, which is expecting the module pam_pwhistory to be used. Also, the section added to the template following the "#CIS" comment did not behave as expected in my testing. I think a template config like the following may work better: (at least, it achieved my objectives and behaved as expected/desired for password resets for local users and from root)

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password	requisite			pam_pwquality.so  try_first_pass retry=3
password    required            pam_pwhistory.so  use_authtok  remember=5
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required			pam_permit.so

# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
@Jsitech
Copy link
Owner

Jsitech commented Jan 30, 2020

Thanks for bringing this to my attention, will look into it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Jsitech @ucguerrilla