Merge pull request #14188 from jan-cerny/unlock_time_zero

Add new rule accounts_passwords_pam_faillock_unlock_time_with_zero

Author: Mab879

components/pam.yml

@@ -68,6 +68,7 @@ rules:
 - accounts_passwords_pam_faillock_silent
 - accounts_passwords_pam_faillock_root_unlock_time
 - accounts_passwords_pam_faillock_unlock_time
+- accounts_passwords_pam_faillock_unlock_time_with_zero
 - accounts_passwords_pam_faillock_enabled
 - accounts_passwords_pam_tally2
 - accounts_passwords_pam_tally2_deny_root

controls/cis_rhel10.yml

@@ -1956,7 +1956,7 @@ controls:
           by an administrator. However, it also mentions that using value 0 can facilitate a DoS
           attack to legitimate users.
       rules:
-          - accounts_passwords_pam_faillock_unlock_time
+          - accounts_passwords_pam_faillock_unlock_time_with_zero
           - var_accounts_passwords_pam_faillock_unlock_time=900
 
     - id: 5.3.2.1.3

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_pam_faillock_enable(rule_title=rule_title) }}}
+{{{ ansible_pam_faillock_parameter_value('unlock_time', 'var_accounts_passwords_pam_faillock_unlock_time', rule_title=rule_title) }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/bash/shared.sh

@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+
+{{{ bash_instantiate_variables('var_accounts_passwords_pam_faillock_unlock_time') }}}
+
+{{{ bash_pam_faillock_enable() }}}
+{{{ bash_pam_faillock_parameter_value('unlock_time', '$var_accounts_passwords_pam_faillock_unlock_time') }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/oval/shared.xml

@@ -0,0 +1,256 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="6">
+    {{{ oval_metadata(DESCRIPTION, rule_title=rule_title) }}}
+
+    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
+      <criteria operator="AND" comment="Check if pam_faillock.so is properly enabled">
+        <!-- pam_unix.so is a control module present in all realistic scenarios and also used
+             as reference for the correct position of pam_faillock.so in auth section. If the
+             system is properly configured, it must appear only once in auth section. -->
+        <criteria operator="AND"
+		  comment="Count occurrences of pam_unix.so in system-auth and password-auth">
+	  <criterion test_ref="test_{{{ rule_id }}}_system_pam_unix_auth"
+		     comment="pam_unix.so appears only once in auth section of system-auth"/>
+	  <criterion test_ref="test_{{{ rule_id }}}_password_pam_unix_auth"
+                     comment="pam_unix.so appears only once in auth section of password-auth"/>
+	</criteria>
+
+        <!-- pam_faillock.so parameters can be defined directly in pam files or, in newer
+             versions, in {{{ pam_faillock_conf_path }}}. The last is the recommended option when
+             available. Also, is the option used by authselect tool. However, regardless the
+             approach, a minimal declaration is common in pam files. -->
+        <criteria operator="AND" comment="Check common definition of pam_faillock.so">
+          <criterion
+	      test_ref="test_{{{ rule_id }}}_system_pam_faillock_auth"
+	      comment="pam_faillock.so is properly defined in auth section of system-auth"/>
+          <criterion
+	      test_ref="test_{{{ rule_id }}}_system_pam_faillock_account"
+	      comment="pam_faillock.so is properly defined in account section of system-auth"/>
+          <criterion
+	      test_ref="test_{{{ rule_id }}}_password_pam_faillock_auth"
+	      comment="pam_faillock.so is properly defined in auth section of password-auth"/>
+          <criterion
+	      test_ref="test_{{{ rule_id }}}_password_pam_faillock_account"
+	      comment="pam_faillock.so is properly defined in account section of password-auth"/>
+        </criteria>
+      </criteria>
+
+      <!-- pam_faillock.so parameters should be defined in {{{ pam_faillock_conf_path }}} whenever
+           possible. But due to backwards compatibility, they are also allowed in pam files
+           directly. In case they are defined in both places, pam files have precedence and this
+           may confuse the assessment. The following tests ensure only one option is used. Note
+           that if {{{ pam_faillock_conf_path }}} is available, authselect tool only manage parameters on it -->
+      <criteria operator="OR" comment="Check expected value for pam_faillock.so unlock_time parameter">
+        <criteria operator="AND"
+                  comment="Check expected pam_faillock.so unlock_time parameter in pam files">
+          <criterion
+              test_ref="test_{{{ rule_id }}}_parameter_pamd_system"
+              comment="Check the unlock_time parameter in auth section of system-auth file"/>
+          <criterion
+              test_ref="test_{{{ rule_id }}}_parameter_pamd_password"
+              comment="Check the unlock_time parameter in auth section of password-auth file"/>
+          <criterion
+              test_ref="test_{{{ rule_id }}}_parameter_no_faillock_conf"
+              comment="Ensure the unlock_time parameter is not present in {{{ pam_faillock_conf_path }}}"/>
+        </criteria>
+        <criteria operator="AND"
+                  comment="Check expected pam_faillock.so unlock_time parameter in {{{ pam_faillock_conf_path }}}">
+          <criterion
+              test_ref="test_{{{ rule_id }}}_parameter_no_pamd_system"
+              comment="Check the unlock_time parameter is not present system-auth file"/>
+          <criterion
+              test_ref="test_{{{ rule_id }}}_parameter_no_pamd_password"
+              comment="Check the unlock_time parameter is not present password-auth file"/>
+          <criterion
+              test_ref="test_{{{ rule_id }}}_parameter_faillock_conf"
+              comment="Ensure the unlock_time parameter is present in {{{ pam_faillock_conf_path }}}"/>
+        </criteria>
+      </criteria>
+    </criteria>
+
+  </definition>
+
+  <!-- The following tests demand complex regex which are necessary more than once.
+       These variables make simpler the usage of regex patterns. -->
+  <constant_variable id="var_{{{ rule_id }}}_pam_unix_regex"
+                     datatype="string" version="2"
+                     comment="regex to identify pam_unix.so in auth section of pam files">
+    <value>^\s*auth\N+pam_unix\.so</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_{{{ rule_id }}}_pam_faillock_auth_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_{{{ rule_id }}}_pam_faillock_account_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entry in account section of pam files">
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_{{{ rule_id }}}_pam_faillock_unlock_time_parameter_regex"
+      datatype="string" version="1"
+      comment="regex to identify pam_faillock.so unlock_time entry in auth section of pam files">
+    <value>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_{{{ rule_id }}}_faillock_conf_unlock_time_parameter_regex"
+      datatype="string" version="1"
+      comment="regex to identify unlock_time entry in {{{ pam_faillock_conf_path }}}">
+    <value>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</value>
+  </constant_variable>
+
+  {{% macro generate_test_faillock_enabled(file_stem) %}}
+  <!-- Check occurences of pam_unix.so in auth section of {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="2"
+      id="test_{{{ rule_id }}}_{{{ file_stem }}}_pam_unix_auth"
+      comment="no more that one pam_unix.so is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_{{{ rule_id }}}_{{{ file_stem }}}_pam_unix_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_{{{ rule_id }}}_{{{ file_stem }}}_pam_unix_auth"
+      comment="Get the second and subsequent occurrences of pam_unix.so in auth section of {{{ file_stem}}}-auth">
+    <ind:filepath>/etc/pam.d/{{{file_stem}}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_{{{ rule_id }}}_pam_unix_regex"/>
+    <ind:instance datatype="int" operation="greater than">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_{{{ rule_id }}}_{{{ file_stem }}}_pam_faillock_auth"
+      comment="One and only one occurrence is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object
+	object_ref="object_{{{ rule_id }}}_{{{ file_stem }}}_pam_faillock_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_{{{ rule_id }}}_{{{ file_stem }}}_pam_faillock_auth"
+      comment="Check common definition of pam_faillock.so in auth section of common-auth">
+    <ind:filepath>/etc/pam.d/{{{ file_stem }}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match"
+		 var_ref="var_{{{ rule_id }}}_pam_faillock_auth_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_enabled (file_stem="system")   }}}
+  {{{ generate_test_faillock_enabled (file_stem="password") }}}
+  {{{ generate_test_faillock_enabled (file_stem="common")   }}}
+
+  {{% macro generate_test_faillock_account(file_stem, file) %}}
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-account -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_{{{ rule_id }}}_{{{ file_stem }}}_pam_faillock_account"
+      comment="One and only one occurrence is expected in {{{ file }}}">
+    <ind:object
+	object_ref="object_{{{ rule_id }}}_{{{ file_stem }}}_pam_faillock_account"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_{{{ rule_id }}}_{{{ file_stem }}}_pam_faillock_account"
+      comment="Check common definition of pam_faillock.so in account section of {{{ file }}}">
+    <ind:filepath>/etc/pam.d/{{{ file }}}</ind:filepath>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_{{{ rule_id }}}_pam_faillock_account_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_account (file_stem="system",   file="system-auth")    }}}
+  {{{ generate_test_faillock_account (file_stem="password", file="password-auth")  }}}
+  {{{ generate_test_faillock_account (file_stem="common",   file="common-account") }}}
+
+  {{% macro generate_check_parameter_in_pam_file(file_stem) %}}
+  <!-- Check absence of unlock_time parameter in {{{ file_stem }}}-auth -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="2"
+      id="test_{{{ rule_id }}}_parameter_no_pamd_{{{ file_stem }}}"
+      comment="Check the absence of unlock_time parameter in {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_{{{ rule_id }}}_parameter_pamd_{{{ file_stem }}}"/>
+  </ind:textfilecontent54_test>
+
+  <!-- Check expected value of unlock_time parameter in {{{ file_stem }}}-auth -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="all_exist" version="2"
+      id="test_{{{ rule_id }}}_parameter_pamd_{{{ file_stem }}}"
+      comment="Check the expected unlock_time value in {{{ file_stem }}}-auth" state_operator="OR">
+    <ind:object object_ref="object_{{{ rule_id }}}_parameter_pamd_{{{ file_stem }}}"/>
+    <ind:state state_ref="state_{{{ rule_id }}}_parameter_lower_bound"/>
+    <ind:state state_ref="state_{{{ rule_id }}}_parameter_special_allowed_value"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_{{{ rule_id }}}_parameter_pamd_{{{ file_stem }}}"
+      comment="Get the pam_faillock.so unlock_time parameter from {{{ file_stem }}}-auth file">
+    <ind:filepath>/etc/pam.d/{{{ file_stem }}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match"
+		 var_ref="var_{{{ rule_id }}}_pam_faillock_unlock_time_parameter_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  <!-- boundaries to test the parameter value -->
+  <!-- Specify the required external variable & create corresponding state from it -->
+  <external_variable id="var_accounts_passwords_pam_faillock_unlock_time" datatype="int"
+                     comment="external variable to use" version="1"/>
+
+  <ind:textfilecontent54_state
+      version="1"
+      id="state_{{{ rule_id }}}_parameter_lower_bound">
+    <ind:subexpression datatype="int" operation="greater than or equal"
+		       var_ref="var_accounts_passwords_pam_faillock_unlock_time"/>
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_state
+      version="1"
+      id="state_{{{ rule_id }}}_parameter_special_allowed_value">
+    <ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  {{{ generate_check_parameter_in_pam_file (file_stem="system")   }}}
+  {{{ generate_check_parameter_in_pam_file (file_stem="password") }}}
+  {{{ generate_check_parameter_in_pam_file (file_stem="common")   }}}
+
+  <!-- Check expected value of unlock_time parameter in {{{ pam_faillock_conf_path }}} -->
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1"
+			      id="test_{{{ rule_id }}}_parameter_faillock_conf"
+			      comment="Check the expected unlock_time value in {{{ pam_faillock_conf_path }}}" state_operator="OR">
+    <ind:object object_ref="object_{{{ rule_id }}}_parameter_faillock_conf"/>
+    <ind:state state_ref="state_{{{ rule_id }}}_parameter_lower_bound"/>
+    <ind:state state_ref="state_{{{ rule_id }}}_parameter_special_allowed_value"/>
+  </ind:textfilecontent54_test>
+
+  <!-- Check absence of unlock_time parameter in {{{ pam_faillock_conf_path }}} -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="1"
+      id="test_{{{ rule_id }}}_parameter_no_faillock_conf"
+      comment="Check the absence of unlock_time parameter in {{{ pam_faillock_conf_path }}}">
+    <ind:object object_ref="object_{{{ rule_id }}}_parameter_faillock_conf"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="1"
+      id="object_{{{ rule_id }}}_parameter_faillock_conf"
+      comment="Check the expected pam_faillock.so unlock_time parameter in {{{ pam_faillock_conf_path }}}">
+    <ind:filepath>{{{ pam_faillock_conf_path }}}</ind:filepath>
+    <ind:pattern
+	operation="pattern match"
+	var_ref="var_{{{ rule_id }}}_faillock_conf_unlock_time_parameter_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/rule.yml

@@ -0,0 +1,71 @@
+documentation_complete: true
+
+title: 'Set Lockout Time for Failed Password Attempts'
+
+description: |-
+    This rule configures the system to lock out accounts during a specified time period after a
+    number of incorrect login attempts using <tt>pam_faillock.so</tt>.
+
+    Ensure that the file <tt>/etc/security/faillock.conf</tt> contains the following entry:
+    <tt>unlock_time=&lt;interval-in-seconds&gt;</tt> where
+    <tt>interval-in-seconds</tt> is set to <tt>0</tt> or is set to
+    <tt>{{{xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}}</tt> or greater.
+
+    pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
+    defined to work as expected. In order to avoid any errors when manually editing these files,
+    it is recommended to use the appropriate tools, such as <tt>authselect</tt> or <tt>authconfig</tt>,
+    depending on the OS version.
+
+    If <tt>unlock_time</tt> is set to <tt>0</tt>, manual intervention by an administrator is required
+    to unlock a user. This should be done using the <tt>faillock</tt> tool.
+
+rationale: |-
+    By limiting the number of failed logon attempts the risk of unauthorized system
+    access via user password guessing, otherwise known as brute-forcing, is reduced.
+    Limits are imposed by locking the account.
+
+severity: medium
+
+identifiers:
+    cce@rhel10: CCE-87367-9
+
+platform: package[pam]
+
+ocil_clause: |-
+    the "unlock_time" option is not set to "0" or is not set to "{{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}}",
+    the line is missing, or commented out
+
+ocil: |-
+    Verify {{{ full_name }}} is configured to lock an account until released by an administrator
+    after {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon
+    attempts with the command:
+
+    <pre>$ grep 'unlock_time =' /etc/security/faillock.conf</pre>
+    <tt>unlock_time = {{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}}</tt>
+
+fixtext: |-
+    Configure {{{ full_name }}} to lock an account until released by an administrator after
+    {{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unsuccessful logon attempts with the command:
+
+    $ sudo authselect enable-feature with-faillock
+
+    Then edit the <tt>/etc/security/faillock.conf</tt> file as follows:
+    <pre>unlock_time = {{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}}</pre>
+
+warnings:
+    - general: |-
+       If the system supports the new <tt>/etc/security/faillock.conf</tt> file but the
+       pam_faillock.so parameters are defined directly in <tt>/etc/pam.d/system-auth</tt> and
+       <tt>/etc/pam.d/password-auth</tt>, the remediation will migrate the <tt>unlock_time</tt> parameter
+       to <tt>/etc/security/faillock.conf</tt> to ensure compatibility with <tt>authselect</tt> tool.
+       The parameters <tt>deny</tt> and <tt>fail_interval</tt>, if used, also have to be migrated
+       by their respective remediation.
+
+    - general: |-
+        If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation
+        will also use <tt>authselect</tt> tool. However, if any manual modification was made in
+        PAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be
+        aborted in order to preserve intentional changes. In this case, an informative message will
+        be shown in the remediation report.
+        If the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock
+        parameters should be defined in <tt>faillock.conf</tt> file.

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/tests/correct.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# variables = var_accounts_passwords_pam_faillock_unlock_time=900
+echo "unlock_time = 900" > "{{{ pam_faillock_conf_path }}}"
+authselect enable-feature with-faillock
+authselect apply-changes

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/tests/high.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# variables = var_accounts_passwords_pam_faillock_unlock_time=900
+echo "unlock_time = 1000" > "{{{ pam_faillock_conf_path }}}"
+authselect enable-feature with-faillock
+authselect apply-changes

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time_with_zero/tests/zero.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "unlock_time = 0" > "{{{ pam_faillock_conf_path }}}"
+authselect enable-feature with-faillock
+authselect apply-changes

shared/references/cce-redhat-avail.txt

@@ -385,7 +385,6 @@ CCE-87362-0
 CCE-87364-6
 CCE-87365-3
 CCE-87366-1
-CCE-87367-9
 CCE-87368-7
 CCE-87371-1
 CCE-87372-9