Re: [isar-cip-core] security-customizations: Fix pam_tally2 deprecation

Home Messages Hashtags Subgroups

#8892

Re: [isar-cip-core] security-customizations: Fix pam_tally2 deprecation

Jan Kiszka #8892 On 21.07.22 08:59, venkata.pyla@... wrote: From: venkata pyla <venkata.pyla@...> pam_tally2 is deprecated from PAM version 1.4.0 that is from Debian Bullseye, and introduced pam_faillock as replacement [1]. Modified the security customizations to check first pam_tally2 existence for backward compatibility and if not found use the pam_faillock to achieve the same functionality. Fixes #33 [1] https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0 Signed-off-by: venkata pyla <venkata.pyla@...> --- .../security-customizations/files/postinst \| 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 9ba8540..ae06ab7 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -22,11 +22,22 @@ sed -i "0,/^password./s/^password./${pam_cracklib_config}\n&/" "${PAM_PWD_FILE # CR1.11: Unsuccessful login attempts # Lock user account after unsuccessful login attempts PAM_AUTH_FILE="/etc/pam.d/common-auth" -pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" -if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then - sed -i '/pam_tally2/ s/^#/#/' "${PAM_AUTH_FILE}" +# pam_tally2 is deprecated from pam version 1.4.0-7 +if [ -f /lib/-linux-gnu/security/pam_tally2.so ]; then + PAM_MODULE="pam_tally2.so" + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" +elif [ -f /lib/-linux-gnu/security/pam_faillock.so ]; then + PAM_MODULE="pam_faillock.so" + PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60" +else + echo "No suitable pam module found to lock failed login attempts" Shouldn't we rather fail (exit 1) in this case? fi -sed -i "0,/^auth./s/^auth./${pam_tally}\n&/" "${PAM_AUTH_FILE}" + +if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then + sed -i '/${PAM_MODULE}/ s/^#/#/' "${PAM_AUTH_FILE}" +fi +sed -i "0,/^auth./s/^auth./${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}" # CR2.6: Remote session termination # Terminate remote session after inactive time period Jan -- Siemens AG, Technology Competence Center Embedded Linux
More All Messages By This Member

View All 5 Messages In Topic

#8892

Join cip-dev@lists.cip-project.org to automatically receive all group messages.

Home Hashtags Subgroups Terms