-
Notifications
You must be signed in to change notification settings - Fork 694
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' breaks passwd
#12074
Comments
Could you paste more information since I can't reproduce on latest commit of master branch. ###############################################################################
# BEGIN fix (44 / 293) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
###############################################################################
(>&2 echo "Remediating rule 44/293: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'")
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
var_password_pam_retry='3'
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="$var_password_pam_retry" defaultValue="$var_password_pam_retry"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix 'type' if it's wrong
if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_pwquality.so)/\\1password\\2/" "/etc/pam.d/common-password"
fi
# fix 'control' if it's wrong
if grep -q -P "^\\s*password\\s+(?"'!'"requisite)[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_pwquality.so)/\\1requisite\\2/" "/etc/pam.d/common-password"
fi
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s)retry=[^[:space:]]*/\\1retry${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sretry(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so[^\\n]*)/\\1 retry${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_pwquality.so retry${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
# END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' |
@alanmcanonical, did you run |
FYI: build command: export ADDITIONAL_CMAKE_OPTIONS="-DSSG_SCE_ENABLED:BOOL=ON"
./build_product -j8 ubuntu2204 -o'5.11' generate the remediation:
|
Clear install ubuntu-22.04.4-live-server-amd64. Lets use your #12074 (comment) script root@ad:/home/ad# nano xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
root@ad:/home/ad# chmod +x xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
# before (I entered mismatched passwords here on purpose)
root@ad:/home/ad# passwd
New password:
Retype new password:
Sorry, passwords do not match.
passwd: Authentication token manipulation error
passwd: password unchanged
root@ad:/home/ad# ./xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
Remediating rule 44/293: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
# after
root@ad:/home/ad# passwd
passwd: Module is unknown
passwd: password unchanged
root@ad:/home/ad# cat xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
###############################################################################
# BEGIN fix (44 / 293) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
###############################################################################
(>&2 echo "Remediating rule 44/293: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'")
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then
var_password_pam_retry='3'
if [ -e "/etc/pam.d/common-password" ] ; then
valueRegex="$var_password_pam_retry" defaultValue="$var_password_pam_retry"
# non-empty values need to be preceded by an equals sign
[ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
# add an equals sign to non-empty values
[ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
# fix 'type' if it's wrong
if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_pwquality.so)/\\1password\\2/" "/etc/pam.d/common-password"
fi
# fix 'control' if it's wrong
if grep -q -P "^\\s*password\\s+(?"'!'"requisite)[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_pwquality.so)/\\1requisite\\2/" "/etc/pam.d/common-password"
fi
# fix the value for 'option' if one exists but does not match 'valueRegex'
if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s)retry=[^[:space:]]*/\\1retry${defaultValue}/" "/etc/pam.d/common-password"
# add 'option=default' if option is not set
elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" &&
grep -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sretry(=|\\s|\$)" ; then
sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so[^\\n]*)/\\1 retry${defaultValue}/" "/etc/pam.d/common-password"
# add a new entry if none exists
elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
echo "password requisite pam_pwquality.so retry${defaultValue}" >> "/etc/pam.d/common-password"
fi
else
echo "/etc/pam.d/common-password doesn't exist" >&2
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
# END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
root@ad:/home/ad# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ad:/home/ad# history
1 nano xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
2 chmod +x xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
3 passwd
4 ./xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
5 passwd
6 cat xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
7 cat /etc/os-release
8 history |
@PiRomant do you have |
There is no |
I don't have libpam-pwquality too |
So, there are 7 |
Try installing it, it is part of the whole CIS 5.4.1 solution. Does it solve your issue? |
Yes, it helps. After installing 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' |
I believe that's by design, if you want root to also follow the same guidelines, you would need to use the |
the ubuntu profile is for now still in v1. |
Since this is not an issue I'm closing it. |
But, installing |
@PiRomant that is already part of the remediation and profile: It probably just isn't part of version 0.1.73, it will land in the next one |
if you need more information: |
Description of problem:
Fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' breaks
passwd
SCAP Security Guide Version:
Benchmark Version: 0.1.73
Operating System Version:
Ubuntu 22.04.4 LTS
Steps to Reproduce:
Execute Bash Remediation Script for CIS Ubuntu 22.04 Level 1 Server Benchmark
Actual Results:
Expected Results:
# passwd New password: Retype new password:
The text was updated successfully, but these errors were encountered: