Relocate faillock and pwquality pam modules config

Currently CIS Benchmark fails when checking faillock and pwquality
configuration when it doesn't find them set in faillock.conf and
pwquality.conf, even though some items pass, as they are correctly
configured in /etc/pam.d/common-auth and /etc/pam.d/common-password.

CIS recommends having the configuration only in one place, and requires
those separate files to contain them.

This change removes faillock and pwquality configurations from the
/etc/pam.d files, adds them to the recommended configuration files,
and does not change any password requirements or lock rules.

Test Plan:
PASS: Run build-pkgs -c -p pam-config.
PASS: Install pam-config deb file and check if faillock.conf from
      libpam-modules is renamed with .old suffix.
PASS: Roll back pam-config package to master and check if faillock.conf
      from libpam-modules is renamed back.
PASS: Run build-image.
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of
      the controller-0.
PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of
      controller-0 and controller-1.
PASS: Change password 5 times and then try to use the first password of
      the sequence again to verify if it is using password history.
PASS: Try password without at least 1 uppercase letter.
PASS: Try password without at least 1 lowercase letter.
PASS: Try password without at least one number.
PASS: Try password without at least one special character.
PASS: Try password with less than 12 characters and verify that it fails.
PASS: Try password with less than 3 different characters from the old
      one and verify that it fails.

Story: 2011283
Task: 51351

Change-Id: I00424030b8fd877752908c35793627df16eb31c8
Signed-off-by: Rodrigo Tavares <Rodrigo.DosSantosTavares@windriver.com>
Rodrigo Tavares 2024-11-06 16:01:30 -03:00
parent a52b6e831e
commit 610856c7cf
8 changed files with 37 additions and 4 deletions


@ -3,3 +3,5 @@ common-password /usr/share/starlingx
common-session /usr/share/starlingx
common-session-noninteractive /usr/share/starlingx
common-account /usr/share/starlingx
faillock.conf /usr/share/starlingx
pwquality.conf /usr/share/starlingx
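Review bot: the source file is installed as /usr/share/starlingx/pwquality.conf but the postinst in this change copies it to /etc/security/pwquality.conf.d/50-pwquality.conf, so the installed name and the deployed name differ while faillock.conf keeps the same name at both ends; naming the source 50-pwquality.conf here (and in the postinst `cp`) would make the mapping obvious to anyone reading the install list, and would stop a reader assuming it replaces /etc/security/pwquality.conf the way faillock.conf replaces its vendor file.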


@ -7,5 +7,8 @@ cp /usr/share/starlingx/common-auth /etc/pam.d/common-auth
cp /usr/share/starlingx/common-password /etc/pam.d/common-password
cp /usr/share/starlingx/common-session /etc/pam.d/common-session
cp /usr/share/starlingx/common-session-noninteractive /etc/pam.d/common-session-noninteractive
cp /usr/share/starlingx/faillock.conf /etc/security/faillock.conf
mkdir -p /etc/security/pwquality.conf.d
cp /usr/share/starlingx/pwquality.conf /etc/security/pwquality.conf.d/50-pwquality.conf
#DEBHELPER#
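Review bot: the two new `cp` lines overwrite /etc/security/faillock.conf and /etc/security/pwquality.conf.d/50-pwquality.conf unconditionally on every configure, so a local change to the lockout or password policy is silently reverted on upgrade or reconfigure with no dpkg conffile prompt. That matches how the pam.d templates above are handled, but since these two files are now the only place the policy lives, add a comment saying so, and consider guarding with `if [ "$1" = "configure" ]`. Also note the asymmetry for whoever audits the host: faillock.conf replaces the vendor file outright (diverted in the preinst), while pwquality is applied as a drop-in beside an untouched /etc/security/pwquality.conf.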


@ -0,0 +1,9 @@
#!/bin/sh
set -e
rm -f /etc/security/faillock.conf
dpkg-divert --remove --package pam-config --rename \
/etc/security/faillock.conf
#DEBHELPER#
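Review bot: the postrm removes faillock.conf and its diversion but leaves /etc/security/pwquality.conf.d/50-pwquality.conf (created by the postinst in this change) in place, so after the package is removed the password policy keeps applying and the directory is left behind; add `rm -f /etc/security/pwquality.conf.d/50-pwquality.conf` before `#DEBHELPER#`. The visible commands also run regardless of `$1`; the hunk header counts 9 added lines but only 6 appear here, so if there is no `[ "$1" = "remove" ] || [ "$1" = "purge" ]` guard among the rest, the old postrm also runs on upgrade and would delete the live faillock.conf and drop the diversion the new preinst has just re-added, leaving the file exposed to being overwritten by the next libpam-modules upgrade.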


@ -0,0 +1,9 @@
#!/bin/sh
set -e
dpkg-divert --add --package pam-config --rename \
--divert /etc/security/faillock.conf.old \
/etc/security/faillock.conf
#DEBHELPER#
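Review bot: the preinst carries no comment explaining that /etc/security/faillock.conf is shipped by libpam-modules and why a diversion rather than a plain copy from postinst is needed; add one, since the next person to touch this will otherwise wonder why the `cp` alone is not enough. The `--divert` target keeps the vendor copy as faillock.conf.old inside /etc/security, which pam_faillock does not read, so it is harmless, but the comment should also say that the postrm is what renames it back (the rename-back case in the test plan) so the two scripts are kept in step.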


@ -10,11 +10,11 @@
# here are the per-package modules (the "Primary" block)
# auth [success=1 default=ignore] pam_unix.so nullok_secure
# auth sufficient pam_ldap.so use_first_pass
auth requisite pam_faillock.so preauth deny=5 unlock_time=300
auth requisite pam_faillock.so preauth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=300
auth sufficient pam_faillock.so authsucc deny=5 unlock_time=300
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
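Review bot: with `deny=5 unlock_time=300` removed from all three pam_faillock.so lines, the lockout policy now depends entirely on /etc/security/faillock.conf being present with those values; if the postinst copy fails or the file is later emptied, pam_faillock silently falls back to its built-in defaults (deny=3, unlock_time=600) rather than failing loudly. Add a comment on the `preauth` line pointing at faillock.conf, matching the commented history block common-password already has, and extend the test plan, which currently checks only password quality: after this change there should be a case confirming the account locks after exactly 5 failures and unlocks after 300 seconds (for example via `faillock --user <name>`), since that behaviour is no longer visible in this file.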


@ -26,7 +26,7 @@
## - Added enforce_for_root for pam_pwquality.so #
###########################################################################
password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=12 minclass=4 ocredit=-1 lcredit=-1 ucredit=-1 dcredit=-1 enforce_for_root debug
password required pam_pwquality.so try_first_pass retry=3 authtok_type= debug
password required pam_pwhistory.so use_authtok enforce_for_root remember=5 retry=3 debug
password sufficient pam_unix.so sha512 use_authtok debug
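Review bot: the history comment `## - Added enforce_for_root for pam_pwquality.so #` is now stale, because enforce_for_root and the other quality options no longer appear on the pam_pwquality.so line and live in /etc/security/pwquality.conf.d/50-pwquality.conf instead; add an entry to that block saying where they moved. `retry=3` stays on the module line while the rest moves, which works because pam_pwquality honours both sources, but state the split in the comment so a reader does not conclude the drop-in file is incomplete.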


@ -0,0 +1,2 @@
deny = 5
unlock_time = 300
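Review bot: the new faillock.conf has no header comment; the diverted vendor file it replaces documents every option, so an admin who finds a bare two-line file in /etc/security has no way to tell it is managed by pam-config and will be overwritten on upgrade. A one-line comment naming the owning package and pointing to faillock.conf(5) would fix that. Also, this file uses `key = value` while the pwquality drop-in in the same change uses `key=value`; both parse, but use one style across the two files.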


@ -0,0 +1,8 @@
difok=3
minlen=12
minclass=4
ocredit=-1
lcredit=-1
ucredit=-1
dcredit=-1
enforce_for_root
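Review bot: this drop-in lands in /etc/security/pwquality.conf.d/, where files are read after /etc/security/pwquality.conf in name order and a later file overrides an earlier one, so any higher-numbered file added afterwards (by an admin or another package) silently replaces these limits without touching this file; note that in a header comment, which the file currently lacks. The test plan's passwd attempts already exercise minlen, minclass, the four credit values and difok, so they will catch a drop-in that is not being read, but a comment stating that this file is the intended single source for those values (per the commit message) would help an auditor confirm it.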