Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' breaks passwd #12074

Closed
PiRomant opened this issue Jun 18, 2024 · 20 comments
Closed

Fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' breaks passwd #12074

PiRomant opened this issue Jun 18, 2024 · 20 comments
Labels
CIS CIS Benchmark related. Ubuntu Ubuntu product related.

Comments

@PiRomant
Copy link

Description of problem:

Fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' breaks passwd

SCAP Security Guide Version:

Benchmark Version: 0.1.73

Operating System Version:

Ubuntu 22.04.4 LTS

Steps to Reproduce:

Execute Bash Remediation Script for CIS Ubuntu 22.04 Level 1 Server Benchmark

###############################################################################
# BEGIN fix (42 / 291) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
###############################################################################
(>&2 echo "Remediating rule 42/291: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'")
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_retry='3'


if [ -e "/etc/pam.d/common-password" ] ; then
    valueRegex="$var_password_pam_retry" defaultValue="$var_password_pam_retry"
    # non-empty values need to be preceded by an equals sign
    [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
    # add an equals sign to non-empty values
    [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

    # fix 'type' if it's wrong
    if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_pwquality.so)/\\1password\\2/" "/etc/pam.d/common-password"
    fi

    # fix 'control' if it's wrong
    if grep -q -P "^\\s*password\\s+(?"'!'"requisite)[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_pwquality.so)/\\1requisite\\2/" "/etc/pam.d/common-password"
    fi

    # fix the value for 'option' if one exists but does not match 'valueRegex'
    if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s)retry=[^[:space:]]*/\\1retry${defaultValue}/" "/etc/pam.d/common-password"

    # add 'option=default' if option is not set
    elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" &&
            grep    -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sretry(=|\\s|\$)" ; then

        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so[^\\n]*)/\\1 retry${defaultValue}/" "/etc/pam.d/common-password"
    # add a new entry if none exists
    elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
        echo "password requisite pam_pwquality.so retry${defaultValue}" >> "/etc/pam.d/common-password"
    fi
else
    echo "/etc/pam.d/common-password doesn't exist" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

# END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'

Actual Results:

Remediating rule 42/291: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
# passwd
passwd: Module is unknown
passwd: password unchanged

Expected Results:

# passwd
New password:
Retype new password:
@PiRomant
Copy link
Author

image

CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0_5.4.1.pdf
CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v2.0.0_5.4.1.pdf

@dodys dodys added Ubuntu Ubuntu product related. CIS CIS Benchmark related. labels Jun 27, 2024
@alanmcanonical
Copy link
Contributor

Could you paste more information since I can't reproduce on latest commit of master branch.
Here is my generated remediation which is exactly the same:

###############################################################################
# BEGIN fix (44 / 293) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
###############################################################################
(>&2 echo "Remediating rule 44/293: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'")
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_retry='3'


if [ -e "/etc/pam.d/common-password" ] ; then
    valueRegex="$var_password_pam_retry" defaultValue="$var_password_pam_retry"
    # non-empty values need to be preceded by an equals sign
    [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
    # add an equals sign to non-empty values
    [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

    # fix 'type' if it's wrong
    if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_pwquality.so)/\\1password\\2/" "/etc/pam.d/common-password"
    fi

    # fix 'control' if it's wrong
    if grep -q -P "^\\s*password\\s+(?"'!'"requisite)[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_pwquality.so)/\\1requisite\\2/" "/etc/pam.d/common-password"
    fi

    # fix the value for 'option' if one exists but does not match 'valueRegex'
    if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s)retry=[^[:space:]]*/\\1retry${defaultValue}/" "/etc/pam.d/common-password"

    # add 'option=default' if option is not set
    elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" &&
            grep    -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sretry(=|\\s|\$)" ; then

        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so[^\\n]*)/\\1 retry${defaultValue}/" "/etc/pam.d/common-password"
    # add a new entry if none exists
    elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
        echo "password requisite pam_pwquality.so retry${defaultValue}" >> "/etc/pam.d/common-password"
    fi
else
    echo "/etc/pam.d/common-password doesn't exist" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
# END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'

@PiRomant
Copy link
Author

@alanmcanonical, did you run passwd as root?

@alanmcanonical
Copy link
Contributor

Screenshot from 2024-06-28 09-19-41

@alanmcanonical
Copy link
Contributor

FYI:
commit: f0c15b2

build command:

export ADDITIONAL_CMAKE_OPTIONS="-DSSG_SCE_ENABLED:BOOL=ON"
./build_product -j8 ubuntu2204 -o'5.11'

generate the remediation:

cd build
oscap xccdf generate fix --profile cis_level1_server --cpe ssg-ubuntu2204-cpe-dictionary.xml --verbose INFO --verbose-log-file verbose.log --output fix.sh ssg-ubuntu2204-xccdf.xml

@PiRomant
Copy link
Author

Clear install ubuntu-22.04.4-live-server-amd64. Lets use your #12074 (comment) script

root@ad:/home/ad# nano xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
root@ad:/home/ad# chmod +x xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
# before (I entered mismatched passwords here on purpose)
root@ad:/home/ad# passwd
New password:
Retype new password:
Sorry, passwords do not match.
passwd: Authentication token manipulation error
passwd: password unchanged

root@ad:/home/ad# ./xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
Remediating rule 44/293: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
# after
root@ad:/home/ad# passwd
passwd: Module is unknown
passwd: password unchanged

root@ad:/home/ad# cat xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
###############################################################################
# BEGIN fix (44 / 293) for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
###############################################################################
(>&2 echo "Remediating rule 44/293: 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'")
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

var_password_pam_retry='3'


if [ -e "/etc/pam.d/common-password" ] ; then
    valueRegex="$var_password_pam_retry" defaultValue="$var_password_pam_retry"
    # non-empty values need to be preceded by an equals sign
    [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
    # add an equals sign to non-empty values
    [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

    # fix 'type' if it's wrong
    if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_pwquality.so)/\\1password\\2/" "/etc/pam.d/common-password"
    fi

    # fix 'control' if it's wrong
    if grep -q -P "^\\s*password\\s+(?"'!'"requisite)[[:alnum:]]+\\s+pam_pwquality.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_pwquality.so)/\\1requisite\\2/" "/etc/pam.d/common-password"
    fi

    # fix the value for 'option' if one exists but does not match 'valueRegex'
    if grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s)retry=[^[:space:]]*/\\1retry${defaultValue}/" "/etc/pam.d/common-password"

    # add 'option=default' if option is not set
    elif grep -q -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" &&
            grep    -E "^\\s*password\\s+requisite\\s+pam_pwquality.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sretry(=|\\s|\$)" ; then

        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+requisite\\s+pam_pwquality.so[^\\n]*)/\\1 retry${defaultValue}/" "/etc/pam.d/common-password"
    # add a new entry if none exists
    elif ! grep -q -P "^\\s*password\\s+requisite\\s+pam_pwquality.so(\\s.+)?\\s+retry${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
        echo "password requisite pam_pwquality.so retry${defaultValue}" >> "/etc/pam.d/common-password"
    fi
else
    echo "/etc/pam.d/common-password doesn't exist" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
# END fix for 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
root@ad:/home/ad# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ad:/home/ad# history
    1  nano xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
    2  chmod +x xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
    3  passwd
    4  ./xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
    5  passwd
    6  cat xccdf_org.ssgproject.content_rule_accounts_password_pam_retry.sh
    7  cat /etc/os-release
    8  history

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024

@PiRomant do you have libpam-pwquality installed?

@alanmcanonical
Copy link
Contributor

Screenshot from 2024-07-02 09-40-42

@PiRomant
Copy link
Author

PiRomant commented Jul 2, 2024

There is no libpam-pwquality after running the script #12074 (comment).

@alanmcanonical
Copy link
Contributor

I don't have libpam-pwquality too

@PiRomant
Copy link
Author

PiRomant commented Jul 2, 2024

So, there are 7 pam_pwquality configuration checks, and none of them confirms that it is installed and enabled?

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024

There is no libpam-pwquality after running the script #12074 (comment).

Try installing it, it is part of the whole CIS 5.4.1 solution. Does it solve your issue?

@PiRomant
Copy link
Author

PiRomant commented Jul 2, 2024

Yes, it helps. After installing libpam-pwqualit, none of the remediation below break passwd.
However, password restrictions do not apply to root. Root can set a weak password for anyone.

'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'
'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'
'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'
'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'
'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'
'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'
'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024

Yes, it helps. After installing libpam-pwqualit, none of the remediation below break passwd. However, password restrictions do not apply to root. Root can set a weak password for anyone.

'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'

I believe that's by design, if you want root to also follow the same guidelines, you would need to use the enforce_for_root
https://linux.die.net/man/8/pam_pwquality

@PiRomant
Copy link
Author

PiRomant commented Jul 2, 2024

Yes, and this both now in CIS v2.

CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v2.0.0_5.3.1.3 Ensure libpam-pwquality is installed
CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v2.0.0_5.3.3.2.8 Ensure password quality is enforced for the root user

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024

Yes, and this both now in CIS v2.

CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v2.0.0_5.3.1.3 Ensure libpam-pwquality is installed CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v2.0.0_5.3.3.2.8 Ensure password quality is enforced for the root user

the ubuntu profile is for now still in v1.

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024

Since this is not an issue I'm closing it.

@dodys dodys closed this as not planned Won't fix, can't repro, duplicate, stale Jul 2, 2024
@PiRomant
Copy link
Author

PiRomant commented Jul 2, 2024

But, installing libpam-pwquality is a part of 5.4.1 in v1. https://github.com/user-attachments/files/15899704/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0_5.4.1.pdf
image

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024
edited
Loading

@PiRomant that is already part of the remediation and profile:
https://github.com/ComplianceAsCode/content/blob/master/products/ubuntu2204/profiles/cis_level1_server.profile#L850

It probably just isn't part of version 0.1.73, it will land in the next one

@dodys
Copy link
Contributor

dodys commented Jul 2, 2024

if you need more information:
#11968

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CIS CIS Benchmark related. Ubuntu Ubuntu product related.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dodys @PiRomant @alanmcanonical