[isar-cip-core] security-customizations: Fix pam_tally2 deprecation
Venkata Pyla
From: venkata pyla <venkata.pyla@...>
pam_tally2 is deprecated since PAM version 1.4.0, which is the version in Debian Bullseye, and pam_faillock was introduced as its replacement [1]. Modified the security customizations to check first for the existence of pam_tally2, for backward compatibility, and if it is not found, use pam_faillock to achieve the same functionality.

Fixes #33

[1] https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0

Signed-off-by: venkata pyla <venkata.pyla@...>
---
 .../security-customizations/files/postinst | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 9ba8540..ae06ab7 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -22,11 +22,22 @@ sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE # CR1.11: Unsuccessful login attempts # Lock user account after unsuccessful login attempts PAM_AUTH_FILE="/etc/pam.d/common-auth" -pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" -if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then - sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" +# pam_tally2 is deprecated from pam version 1.4.0-7 +if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then + PAM_MODULE="pam_tally2.so" + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" +elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then + PAM_MODULE="pam_faillock.so" + PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60" +else + echo "No suitable pam module found to lock failed login attempts" fi -sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" + +if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then + sed -i '/${PAM_MODULE}/ s/^#*/#/' "${PAM_AUTH_FILE}" +fi +sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}" # CR2.6: Remote session termination # Terminate remote session after inactive time period -- 2.20.1 |
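Review bot: the pam_faillock line in the `elif` branch carries a stray token, `auth required pam_faillock.so .so authfail ...`; that second `.so` is passed to the module as an argument and should be dropped. Three more points in the same hunk: `sed -i '/${PAM_MODULE}/ s/^#*/#/'` is single-quoted, so `${PAM_MODULE}` is never expanded and an existing module line is never commented out (the removed code matched a literal `/pam_tally2/`), so use double quotes there. Inserting both faillock entries before the first `auth` line also does not match how pam_faillock is meant to be wired: `preauth` belongs before the module that asks for credentials (pam_unix), but `authfail` must come after it, otherwise it is reached on every attempt rather than only on a failed one. Finally, the `else` branch only echoes and leaves `PAM_MODULE` and `PAM_CONFIG` unset, so `grep -c ""` matches every line and the last `sed` inserts an empty line; failing with `exit 1` there, as raised later in the thread, avoids silently producing a half-applied configuration.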
Jan Kiszka
On 21.07.22 08:59, venkata.pyla@... wrote:
> From: venkata pyla <venkata.pyla@...>

Shouldn't we rather fail (exit 1) in this case?

> fi

Jan
-- 
Siemens AG, Technology Competence Center Embedded Linux
Venkata Pyla
> -----Original Message-----

I tried not to fail in the middle of applying the security configurations, rather giving a warning to the user, and one can check later why this configuration is not applied.

> fi
> Jan
Jan Kiszka
On 24.07.22 07:40, Venkata.Pyla@... wrote:
> -----Original Message-----
> I tried not to fail in the middle of applying security configurations,

Will that not make it hard to track regressions? Keep in mind that we generally have no interactive users here, rather automated imaging steps. Inside Isar, this message will not be shown anywhere anyway but in a log file no one looks at when the installation succeeds.

Jan
-- 
Siemens AG, Technology Competence Center Embedded Linux
Venkata Pyla
> -----Original Message-----

Thanks for the explanation, I understand now: the echo messages do not show up during the build, and it is difficult for the user to know that the configuration was not applied due to a failure. I will correct this patch and resend v2.