Add accounts_passwords_pam_tally2_file rule for default pam_tally2 ta…

…lly directory STIG requirement Also fixed some platform references
ComplianceAsCode · Jul 23, 2024 · db702a7 · db702a7
1 parent 0077fc6
commit db702a7
Show file tree

Hide file tree

Showing 13 changed files with 112 additions and 7 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -702,6 +702,7 @@ controls:
   - medium
   title: SLEM 5 must use the default pam_tally2 tally directory.
   rules:
+    - accounts_passwords_pam_tally2_file
     - accounts_passwords_pam_tally2_file_selinux
   status: automated
 - id: SLEM-05-412035

diff --git a/...ts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file/rule.yml b/...ts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_file/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+title: 'SLEM 5 must use the default pam_tally2 tally directory.'
+
+description: |-
+    This rule configures the system to use default pam_tally2 tally directory
+
+rationale: |-
+    By limiting the number of failed logon attempts, the risk of unauthorized
+    system access via user password guessing, otherwise known as
+    brute-force attacks, is reduced. Limits are imposed by locking the account.
+
+severity: medium
+
+identifiers:
+    cce@slmicro5: CCE-94089-0
+
+references:
+    disa: CCI-000044
+    nist@slmicro5: AC-7(a)
+    srg: SRG-OS-000021-GPOS-00005
+
+ocil_clause: 'file= is set to /var/log/tallylog or missing'
+
+ocil: |-
+    Verify the location of the default tallylog file for the pam_tally2 module,
+    with the following command
+    <pre>$sudo grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#"</pre>
+
+fixtext: |-
+    Configure SLEM 5 to use the default pam_tally2 tally directory
+    Modify the content of <tt>/etc/pam.d/login</tt>, like this:
+    <pre>sudo sed -ri 's/\s+file=\S+\s+/ /g' /etc/pam.d/login</tt> </pre>
+
+platform: package[pam]
+
+template:
+    name: pam_options
+    vars:
+      path: /etc/pam.d/login
+      type: auth
+      control_flag: required
+      module: pam_tally2.so
+      arguments:
+        - argument: file
+          argument_match: .*
+          remove_argument: file=
diff --git a/...assword_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_default.fail.sh b/...assword_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_default.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+cat >/etc/pam.d/common-account <<CAPTC
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+account	requisite			pam_deny.so
+account required			pam_tally2.so
+account	required			pam_permit.so
+CAPTC
+
+cat >/etc/pam.d/login <<CAPTUTC
+auth required pam_tally2.so file=/var/log/tallylog
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTUTC
diff --git a/...ord_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_non_default.fail.sh b/...ord_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_non_default.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+cat >/etc/pam.d/common-account <<CAPTC
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+account	requisite			pam_deny.so
+account required			pam_tally2.so
+account	required			pam_permit.so
+CAPTC
+
+cat >/etc/pam.d/login <<CAPTUTA
+auth required pam_tally2.so file=/var/log/pam_tally2.log
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTUTA
diff --git a/...rd_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_unconfigured.pass.sh b/...rd_attempts/accounts_passwords_pam_tally2_file/tests/pam_tally2_file_unconfigured.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_slmicro5
+
+cat >/etc/pam.d/common-account <<CAPTC
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+account	requisite			pam_deny.so
+account required			pam_tally2.so
+account	required			pam_permit.so
+CAPTC
+
+cat >/etc/pam.d/login <<CAPTUTC
+auth required pam_tally2.so deny=3
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+auth	requisite			pam_deny.so
+auth	required			pam_permit.so
+auth	optional			pam_cap.so
+CAPTUTC
diff --git a/...cking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/ansible/shared.yml b/...cking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_slmicro
+# platform = multi_platform_slmicro5
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...m/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/bash/shared.sh b/...m/locking_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/bash/shared.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_slmicro
+# platform = multi_platform_slmicro5
 
 if ! semanage fcontext -a -t faillog_t "/var/log/tallylog"; then
     semanage fcontext -m -t faillog_t "/var/log/tallylog"

diff --git a/..._out_password_attempts/accounts_passwords_pam_tally2_file_selinux/tests/faillog_t.pass.sh b/..._out_password_attempts/accounts_passwords_pam_tally2_file_selinux/tests/faillog_t.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 # packages = policycoreutils-python-utils
-# platform = multi_platform_slmicro
+# platform = multi_platform_slmicro5
 
 semanage fcontext -m -t faillog_t "/var/log/tallylog"
diff --git a/...king_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/tests/tmp_t.fail.sh b/...king_out_password_attempts/accounts_passwords_pam_tally2_file_selinux/tests/tmp_t.fail.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # packages = policycoreutils-python-utils
-# platform = multi_platform_slmicro
+# platform = multi_platform_slmicro5
 
 semanage fcontext -m -t tmp_t "/var/log/tallylog"
 restorecon -R -v "/var/log/tallylog"
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -16,7 +16,7 @@
 	<platform>multi_platform_rhel</platform>
 	<platform>multi_platform_rhv</platform>
 	<platform>multi_platform_sle</platform>
-    <platform>multi_platform_slmicro</platform>
+    <platform>multi_platform_slmicro5</platform>
     <platform>multi_platform_ubuntu</platform>
     <platform>multi_platform_uos</platform>
       </affected>

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -485,5 +485,4 @@ CCE-94084-1
 CCE-94085-8
 CCE-94086-6
 CCE-94087-4
-CCE-94089-0
 CCE-94090-8
diff --git a/shared/templates/pam_options/ansible.template b/shared/templates/pam_options/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro5
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/shared/templates/pam_options/bash.template b/shared/templates/pam_options/bash.template
@@ -8,6 +8,7 @@ declare -a VALUES=()
 declare -a VALUE_NAMES=()
 declare -a ARGS=()
 declare -a NEW_ARGS=()
+declare -a DEL_ARGS=()
 
 {{% for arg in ARGUMENTS -%}}
 {{% if arg['variable'] | length -%}}
@@ -28,6 +29,9 @@ NEW_ARGS+=("{{{ arg['new_argument'] }}}")
 {{%- else -%}}
 NEW_ARGS+=("")
 {{%- endif %}}
+{{% if arg['remove_argument'] | length -%}}
+DEL_ARGS+=("{{{ arg['remove_argument'] }}}")
+{{%- endif %}}
 {{%- endfor %}}
 
 for idx in "${!VALUES[@]}"
@@ -39,5 +43,8 @@ for idx in "${!ARGS[@]}"
 do
     if ! grep -q -P "^\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s+${ARGS[$idx]}\s*$" {{{ PATH }}} ; then
         sed --follow-symlinks -i -E -e "s/^\\s*{{{ TYPE }}}\\s+{{{ CONTROL_FLAG }}}\\s+{{{ MODULE }}}.*\$/& ${NEW_ARGS[$idx]}/" {{{ PATH }}}
+        if [ -n ${DEL_ARGS[$idx]} ]; then
+            sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" {{{ PATH }}}
+        fi
     fi
 done