This repository was archived by the owner on Apr 17, 2023. It is now read-only.
Description: If you use match_pam_rule with all_with_X_args on a module that is not actually defined in any rule, it will return a false-positive true.
Example:
$> inspec exec ~/work/simp/inspec-profile-disa_stig-el7 --controls=V-71945 -t ssh://vagrant@127.0.0.1:2222 -i .kitchen/kitchen-vagrant/vanilla-rhel-7/.vagrant/machines/default/virtualbox/private_key --sudo
Profile: DISA RedHat Enterprise Linux 7 STIG - v1r4 (disa_stig-el7)
Version: 0.2.0
Target: ssh://vagrant@127.0.0.1:2222
× V-71945: If three unsuccessful root logon attempts within 15 minutes occur the
associated account must be locked. (2 failed)
× PAM Config[/etc/pam.d/password-auth] lines is expected to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
expected "account required pam_unix.so\naccount sufficient pam_localuser.so\naccount sufficient pam_succeed_if...ession required pam_unix.so\nsession optional pam_keyinit.so revoke\nsession required pam_limits.so" to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
Diff:
@@ -1,4 +1,18 @@
-auth required pam_faillock.so even_deny_root
-auth sufficient pam_unix.so try_first_pass
-auth [default=die] pam_faillock.so even_deny_root
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+auth required pam_deny.so
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
✔ PAM Config[/etc/pam.d/password-auth] lines is expected to include auth .* pam_faillock.so (preauth|authfail), all with args even_deny_root
× PAM Config[/etc/pam.d/system-auth] lines is expected to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
expected "account required pam_unix.so\naccount sufficient pam_localuser.so\naccount sufficient pam_succeed_if...ession required pam_unix.so\nsession optional pam_keyinit.so revoke\nsession required pam_limits.so" to include ["auth required pam_faillock.so even_deny_root", "auth sufficient pam_unix.so try_first_pass", "auth [default=die] pam_faillock.so even_deny_root"]
Diff:
@@ -1,4 +1,18 @@
-auth required pam_faillock.so even_deny_root
-auth sufficient pam_unix.so try_first_pass
-auth [default=die] pam_faillock.so even_deny_root
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+auth required pam_deny.so
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
✔ PAM Config[/etc/pam.d/system-auth] lines is expected to include auth .* pam_faillock.so (preauth|authfail), all with args even_deny_root
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 2 successful, 2 failures, 0 skipped
Note that the first check's fail diff shows that there is no PAM rule for the pam_faillock.so module, but the second check passes when it expects the PAM lines "to include auth .* pam_faillock.so (preauth|authfail), all with args even_deny_root".
Tested using Vagrant's bento/centos-7 VM.
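The false positive described in this issue is the vacuous-truth trap: a check of the form "all rules matching X carry argument Y" is satisfied by an empty set of matches, because there is no rule for which the claim fails. The following is an added Ruby illustration written for this page, not the inspec-pam resource's own code; the parser, the simplified match_pam_rule, and the two all_with_args variants are hypothetical stand-ins, and both PAM samples are constructed (the first mirrors the password-auth lines in the diff above, which contain no pam_faillock.so rule). It shows the vacuous version passing on the faillock-less config and a strict version that requires at least one match before judging the arguments.

```ruby
# Added illustration (not inspec-pam's code): why "all matching rules have arg Y"
# passes vacuously when nothing matches, and how requiring a match closes the gap.

PamRule = Struct.new(:type, :control, :mod, :args)

# type control module [args...]; control may be bracketed ("[success=1 default=ignore]"),
# and a leading '-' on the type (optional module) is stripped, as in "-session optional pam_systemd.so".
LINE_RE = /\A-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)\z/

def parse_pam(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    m = LINE_RE.match(line) or raise ArgumentError, "unparseable PAM line: #{line.inspect}"
    PamRule.new(m[1], m[2], m[3], m[4].split)
  end
end

# Select the rules whose full text matches the regex (simplified stand-in for match_pam_rule).
def match_pam_rule(rules, pattern)
  re = Regexp.new(pattern)
  rules.select { |r| re.match?("#{r.type} #{r.control} #{r.mod} #{r.args.join(' ')}") }
end

# Vacuous version: Array#all? is true on an empty array, so "no matches" reports success.
def all_with_args_vacuous(matches, wanted)
  matches.all? { |r| r.args.include?(wanted) }
end

# Strict version: a statement about "all matching rules" is only meaningful when at
# least one rule matched; an empty match set is a finding, not a pass.
def all_with_args_strict(matches, wanted)
  !matches.empty? && matches.all? { |r| r.args.include?(wanted) }
end

# Constructed sample mirroring the issue's password-auth output: no pam_faillock.so rule at all.
SAMPLE_NO_FAILLOCK = <<~PAM
  auth required pam_env.so
  auth required pam_faildelay.so delay=2000000
  auth sufficient pam_unix.so nullok try_first_pass
  auth requisite pam_succeed_if.so uid >= 1000 quiet_success
  auth required pam_deny.so
  -session optional pam_systemd.so
  session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
PAM

# Constructed sample with the faillock rules the control is looking for.
SAMPLE_WITH_FAILLOCK = <<~PAM
  auth required pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=900
  auth sufficient pam_unix.so try_first_pass
  auth [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=900
PAM

# Same pattern the issue's second check uses.
PATTERN = 'auth .* pam_faillock.so (preauth|authfail)'

def demo
  none = match_pam_rule(parse_pam(SAMPLE_NO_FAILLOCK), PATTERN)
  some = match_pam_rule(parse_pam(SAMPLE_WITH_FAILLOCK), PATTERN)
  {
    matches_without_faillock: none.size,                                       # 0
    vacuous_without_faillock: all_with_args_vacuous(none, 'even_deny_root'),   # true: the false positive
    strict_without_faillock:  all_with_args_strict(none, 'even_deny_root'),    # false
    strict_with_faillock:     all_with_args_strict(some, 'even_deny_root')     # true
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The strict variant is the check a compliance control actually wants: V-71945 is about the presence of correctly-argued faillock rules, so an absent rule must fail, and a matcher built on `all?` alone cannot express that without the non-empty guard.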