Re: [isar-cip-core] security-customizations: Fix pam_tally2 deprecation


Venkata Pyla
 

-----Original Message-----
From: cip-dev@... <cip-dev@...> On Behalf Of Jan Kiszka
Sent: 24 July 2022 20:22
To: pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@...
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [cip-dev] [isar-cip-core] security-customizations: Fix pam_tally2 deprecation

On 24.07.22 07:40, Venkata.Pyla@... wrote:


-----Original Message-----
From: Jan Kiszka <jan.kiszka@...>
Sent: 23 July 2022 22:54
To: pyla venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@...
Cc: dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: Re: [isar-cip-core] security-customizations: Fix pam_tally2 deprecation

On 21.07.22 08:59, venkata.pyla@... wrote:
From: venkata pyla <venkata.pyla@...>

pam_tally2 is deprecated as of PAM version 1.4.0, that is, from Debian
Bullseye on, and pam_faillock was introduced as its replacement [1].

Modified the security customizations to first check for the existence of
pam_tally2, for backward compatibility, and if it is not found, use
pam_faillock to achieve the same functionality.

Fixes #33

[1] https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0

Signed-off-by: venkata pyla <venkata.pyla@...>
---
.../security-customizations/files/postinst | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst
b/recipes-core/security-customizations/files/postinst
index 9ba8540..ae06ab7 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -22,11 +22,22 @@ sed -i
"0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/"
"${PAM_PWD_FILE # CR1.11: Unsuccessful login attempts # Lock user
account after unsuccessful login attempts
PAM_AUTH_FILE="/etc/pam.d/common-auth"
-pam_tally="auth required pam_tally2.so deny=3 even_deny_root
unlock_time=60 root_unlock_time=60"
-if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
- sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+# pam_tally2 is deprecated from pam version 1.4.0-7 if [ -f
+/lib/*-linux-gnu*/security/pam_tally2.so ]; then
+ PAM_MODULE="pam_tally2.so"
+ PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root
unlock_time=60 root_unlock_time=60"
+elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then
+ PAM_MODULE="pam_faillock.so"
+ PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3
even_deny_root unlock_time=60 root_unlock_time=60 \
+ \nauth required pam_faillock.so .so authfail deny=3
even_deny_root unlock_time=60 root_unlock_time=60"
+else
+ echo "No suitable pam module found to lock failed login attempts"
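Review bot: the authfail entry in the pam_faillock branch carries a stray `.so` (`auth required pam_faillock.so .so authfail deny=3 ...`); PAM passes that token to the module as an option it does not know, so drop it. Two further points on this hunk: `[ -f /lib/*-linux-gnu*/security/pam_tally2.so ]` only behaves if the glob expands to exactly one path (several matching multiarch directories yield `[: too many arguments`, and no match tests the literal pattern), so loop over the glob and test each match with `[ -f "$f" ]` instead; and the pam_faillock(8) example configuration places the `preauth` entry before the primary auth module and the `authfail` entry after it, alongside an `account required pam_faillock.so` line, so inserting both `auth` lines as one block ahead of `pam_unix.so` should be checked against that ordering. The `else` branch should also end in `exit 1` rather than only an echo, as raised below.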
Shouldn't we rather fail (exit 1) in this case?
I tried not to fail in the middle of applying security configurations,
rather giving a warning to the user, and one can check later why this
configuration was not applied.
Will that not make it hard to track regressions? Keep in mind that we generally
have no interactive users here, rather automated imaging steps. Inside Isar, this
message will not be shown to anyone but a log file no one looks at when the
installation succeeds.
Thanks for the explanation, I understand now: the echo messages do not show up during the build, so it is difficult for the user to know whether the configuration was not applied due to a failure.

I will correct this patch and resend v2.


Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
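The detection-and-fallback logic described in the commit message, with the outcome of the review (a hard failure when no lockout module exists) folded in, as an added example. This is not the isar-cip-core postinst: the function names, the parameterised module directory and the constructed common-auth content are assumptions made for the example, and the placement of the pam_faillock preauth/authfail entries around pam_unix.so follows the layout of the pam_faillock(8) manual page rather than the patch's single inserted block.

```shell
#!/bin/sh
# Added example, not isar-cip-core code: choose the lockout module that is
# actually installed, render the matching common-auth entries and insert them
# idempotently. Directory and file paths are parameters so the logic can be
# exercised against a constructed tree instead of a live system.

# Lockout options used by the patch (3 failures, 60 s lock, root included).
LOCKOUT_OPTS="deny=3 even_deny_root unlock_time=60 root_unlock_time=60"

# Print the first lockout module found under MODULE_DIR; pam_tally2 wins for
# backward compatibility. Returns 1 and prints nothing if neither exists.
select_lockout_module() {
    module_dir="$1"
    if [ -f "${module_dir}/pam_tally2.so" ]; then
        echo pam_tally2.so
    elif [ -f "${module_dir}/pam_faillock.so" ]; then
        echo pam_faillock.so
    else
        return 1
    fi
}

# Entry placed before the primary auth module (pam_unix.so).
lockout_pre_line() {
    case "$1" in
        pam_tally2.so)   echo "auth required pam_tally2.so ${LOCKOUT_OPTS}" ;;
        pam_faillock.so) echo "auth required pam_faillock.so preauth silent ${LOCKOUT_OPTS}" ;;
        *) return 1 ;;
    esac
}

# Entry placed after pam_unix.so; only pam_faillock needs one (authfail
# records the failure, [default=die] stops the stack once it has done so).
lockout_post_line() {
    case "$1" in
        pam_faillock.so) echo "auth [default=die] pam_faillock.so authfail ${LOCKOUT_OPTS}" ;;
        *) : ;;
    esac
}

# Configure PAM_FILE using whatever module exists in MODULE_DIR.
# Fails hard (return 1, message on stderr) when no module is available so an
# automated image build notices, and is a no-op if the module is already
# referenced in PAM_FILE.
apply_lockout() {
    module_dir="$1"
    pam_file="$2"
    module=$(select_lockout_module "$module_dir") || {
        echo "error: no PAM module found to lock failed login attempts" >&2
        return 1
    }
    if grep -qF "$module" "$pam_file"; then
        return 0
    fi
    pre=$(lockout_pre_line "$module")
    post=$(lockout_post_line "$module")
    tmp=$(mktemp) || return 1
    # Wrap the first "auth ... pam_unix.so" entry; append at the end if the
    # file has none, so the lockout is never silently dropped.
    awk -v pre="$pre" -v post="$post" '
        !done && /^auth[[:space:]]/ && /pam_unix\.so/ {
            print pre; print; if (post != "") print post; done = 1; next
        }
        { print }
        END { if (!done) { print pre; if (post != "") print post } }
    ' "$pam_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$pam_file"   # keep the original file's owner and mode
    rm -f "$tmp"
}

# Typical call from a postinst on a Debian multiarch system (placeholder triplet):
# apply_lockout /lib/x86_64-linux-gnu/security /etc/pam.d/common-auth
```

With Debian's stock `auth [success=1 default=ignore] pam_unix.so` entry, a successful pam_unix skips the `authfail` line that now follows it, while a failure falls through to it, so the counter is only bumped on real failures; the `exit 1`-style return in the no-module case is what makes the problem visible in an unattended image build.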
