Re: [isar-cip-core] security-customizations: Fix pam_tally2 deprecation

Venkata Pyla

-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: 23 July 2022 22:54
To: pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba->; cip-dev@...
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba->; hayashi kazuhiro(林 和宏 □SWC◯ACT)
Subject: Re: [isar-cip-core] security-customizations: Fix pam_tally2 deprecation

On 21.07.22 08:59, venkata.pyla@... wrote:
From: venkata pyla <venkata.pyla@...>

pam_tally2 is deprecated from PAM version 1.4.0, that is from Debian
Bullseye, which introduced pam_faillock as a replacement [1].

Modified the security customizations to first check for the existence of
pam_tally2 for backward compatibility and, if it is not found, to use
pam_faillock to achieve the same functionality.

Fixes #33


Signed-off-by: venkata pyla <venkata.pyla@...>
.../security-customizations/files/postinst | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst
index 9ba8540..ae06ab7 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -22,11 +22,22 @@ sed -i
"${PAM_PWD_FILE # CR1.11: Unsuccessful login attempts # Lock user
account after unsuccessful login attempts
-pam_tally="auth required deny=3 even_deny_root
unlock_time=60 root_unlock_time=60"
-if grep -c "" "${PAM_AUTH_FILE}";then
- sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+# pam_tally2 is deprecated from pam version 1.4.0-7 if [ -f
+/lib/*-linux-gnu*/security/ ]; then
+ PAM_CONFIG="auth required deny=3 even_deny_root
unlock_time=60 root_unlock_time=60"
+elif [ -f /lib/*-linux-gnu*/security/ ]; then
+ PAM_CONFIG="auth required preauth silent deny=3
even_deny_root unlock_time=60 root_unlock_time=60 \
+ \nauth required .so authfail deny=3
even_deny_root unlock_time=60 root_unlock_time=60"
+ echo "No suitable pam module found to lock failed login attempts"
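Review bot: the `[ -f /lib/*-linux-gnu*/security/ ]` tests on the `if` and `elif` lines are fragile, because `-f` takes exactly one operand: when the glob expands to more than one multiarch directory, `[` reports "too many arguments", both branches evaluate false and the script lands in the fallback even though a module is installed; when it matches nothing, the unexpanded pattern is tested instead. Iterate over the glob matches (`for f in /lib/*-linux-gnu*/security/...; do [ -f "$f" ] && ...; done`) or pass the expected multiarch triplet explicitly. Since the fallback intentionally keeps going, at least send the warning to stderr (`echo "..." >&2`) so it stands out in the build log instead of being mixed into stdout.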
Shouldn't we rather fail (exit 1) in this case?
I tried not to fail in the middle of applying security configurations,
rather giving a warning to the user, and one can check later why this configuration is not applied.

-sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then
+ sed -i '/${PAM_MODULE}/ s/^#*/#/' "${PAM_AUTH_FILE}"
+sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}"

# CR2.6: Remote session termination
# Terminate remote session after inactive time period
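Review bot: on the `sed -i '/${PAM_MODULE}/ s/^#*/#/'` line the address is single-quoted, so `${PAM_MODULE}` is never expanded and sed looks for the literal text `${PAM_MODULE}`; use double quotes (`sed -i "/${PAM_MODULE}/ s/^#*/#/"`). In addition, `PAM_MODULE` is not assigned anywhere in this hunk (only `PAM_CONFIG` is), so the preceding `grep -c "${PAM_MODULE}"` searches for an empty pattern, which matches every line and makes the `if` always true. Set `PAM_MODULE=pam_tally2` and `PAM_MODULE=pam_faillock` next to `PAM_CONFIG` in the respective branches, and consider `grep -q` so the match count is not printed during postinst.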

Siemens AG, Technology
Competence Center Embedded Linux
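The fallback the commit message describes (prefer pam_tally2 where the rootfs ships it, otherwise pam_faillock), as an added example that is not the isar-cip-core postinst; it assumes GNU sed (for the `0,/re/` address) and a rootfs laid out as lib/<multiarch>/security, and exercises itself on a constructed throw-away fixture rather than the host's PAM files:

```shell
#!/bin/sh
# Added example (not the isar-cip-core postinst): choose the lockout
# module the rootfs ships, pam_tally2 (PAM < 1.4.0) or pam_faillock, and
# insert the matching auth lines. Assumes GNU sed for the 0,/re/ address.
LOCK_OPTS="deny=3 even_deny_root unlock_time=60 root_unlock_time=60"

# Print the first lockout module found under the rootfs $1; return 1 if none.
find_lock_module() {
    for m in pam_tally2 pam_faillock; do
        # find, not "[ -f glob ]": several multiarch dirs would make the
        # test fail with "too many arguments" and skip the module.
        if find "$1/lib" -path "*/security/$m.so" 2>/dev/null | grep -q .; then
            echo "$m"; return 0
        fi
    done
    return 1
}

# Comment out any existing line for the module, then insert the lockout
# config before the first "auth" line of PAM file $2. Prints the module
# used; fails loudly instead of continuing when no module is available.
apply_lockout() {
    module=$(find_lock_module "$1") || {
        echo "error: neither pam_tally2 nor pam_faillock found under $1" >&2
        return 1
    }
    case "$module" in
        pam_tally2)   cfg="auth required pam_tally2.so $LOCK_OPTS" ;;
        pam_faillock) cfg="auth required pam_faillock.so preauth silent $LOCK_OPTS\nauth required pam_faillock.so authfail $LOCK_OPTS" ;;
    esac
    # Double quotes, so $module really expands inside the sed address.
    sed -i "/$module/ s/^#*/#/" "$2"
    sed -i "0,/^auth.*/s/^auth.*/$cfg\n&/" "$2"
    echo "$module"
}

# Constructed fixture (not a real rootfs): one module .so plus a tiny
# common-auth file, so the functions can be exercised offline.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib/x86_64-linux-gnu/security"
    : > "$dir/lib/x86_64-linux-gnu/security/$1.so"
    printf '%s\n' "# constructed sample" "auth required pam_unix.so nullok" \
        "auth requisite pam_deny.so" > "$dir/common-auth"
    echo "$dir"
}

d=$(make_fixture pam_faillock); apply_lockout "$d" "$d/common-auth"; cat "$d/common-auth"
```

Running it a second time against the same file comments out the previously inserted line before adding a fresh one, so the active configuration never duplicates.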
