[isar-cip-core] security-customizations: Fix account locked for non-consecutive failed attempts
Jan Kiszka
On 28.11.22 06:25, Sai.Sathujoda@... wrote:
> From: Sai <Sai.Sathujoda@...>

Thanks, applied.

Jan

--
Siemens AG, Technology Competence Center Embedded Linux
sai.sathujoda@...
Hi Jan,
Can you please review this patch?

Regards,
Sai Ashrith (T S I P)

-----Original Message-----
From: Sai.Sathujoda@... <Sai.Sathujoda@...>
Sent: Monday, November 28, 2022 10:55 AM
To: cip-dev@...; jan.kiszka@...
Cc: ashrith sai(TSIP) <Sai.Sathujoda@...>; dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@...>; hayashi kazuhiro(林 和宏 □SWC◯ACT) <kazuhiro3.hayashi@...>
Subject: [isar-cip-core] security-customizations: Fix account locked for non-consecutive failed attempts

From: Sai <Sai.Sathujoda@...>

As per security configuration the user account should be locked for consecutive failed login attempts, but with current pam configuration it is locked even for non-consecutive failed login attempts, because it is missing the pam configuration in account phase which will do necessary reset for non-consecutive failed attempts.

Closes [1]

[1] https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/issues/3

Signed-off-by: Sai <Sai.Sathujoda@...>
---
 recipes-core/security-customizations/files/postinst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 0d0eb07..4ff8ecf 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst 
@@ -25,11 +25,13 @@ PAM_AUTH_FILE="/etc/pam.d/common-auth" # pam_tally2 is deprecated from pam version 1.4.0-7 if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then PAM_MODULE="pam_tally2.so" - PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60 + \naccount required pam_tally2.so" elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then PAM_MODULE="pam_faillock.so" PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ - \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ + \naccount required pam_faillock.so" else echo "No suitable pam module found to lock failed login attempts" exit 1 -- 2.20.1 |
sai.sathujoda@...
From: Sai <Sai.Sathujoda@...>
As per security configuration the user account should be locked for consecutive failed login attempts, but with current pam configuration it is locked even for non-consecutive failed login attempts, because it is missing the pam configuration in account phase which will do necessary reset for non-consecutive failed attempts.

Closes [1]

[1] https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/issues/3

Signed-off-by: Sai <Sai.Sathujoda@...>
---
 recipes-core/security-customizations/files/postinst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst index 0d0eb07..4ff8ecf 100644 --- a/recipes-core/security-customizations/files/postinst +++ b/recipes-core/security-customizations/files/postinst @@ -25,11 +25,13 @@ PAM_AUTH_FILE="/etc/pam.d/common-auth" # pam_tally2 is deprecated from pam version 1.4.0-7 if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then PAM_MODULE="pam_tally2.so" - PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60 + \naccount required pam_tally2.so" elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then PAM_MODULE="pam_faillock.so" PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ - \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \ + \naccount required pam_faillock.so" else echo "No suitable pam module found to lock failed login attempts" exit 1 -- 2.20.1
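Review bot: in the pam_tally2 branch the new line break inside PAM_CONFIG has no trailing backslash, unlike the pam_faillock branch, so the shell string now contains a real newline immediately followed by the literal `\n` sequence (`root_unlock_time=60<newline>\naccount required pam_tally2.so`), while the faillock string stays on one logical line with only the `\n` escapes. Unless the code that expands PAM_CONFIG (not visible in this hunk) tolerates both forms, the tally2 case will get an empty line or a stray escape written into the PAM file; suggest ending the first `+` line of that branch with ` \` exactly as the faillock branch does. Two smaller points while the lines are being touched: the re-added `authfail` line still reads `pam_faillock.so .so authfail`, and that stray `.so` token is handed to the module as an argument, so this is a good moment to drop it; and since the hunk context shows `PAM_AUTH_FILE="/etc/pam.d/common-auth"`, the commit message should state whether the new `account` entries are deliberately placed in common-auth rather than common-account, so a later reader does not mistake it for an oversight.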