pam

Fixed regexp in molecule/debian/verify.yml #154

Workflow file for this run

	---
	name: pam
	on: [push, pull_request]

	env:
	ANSIBLE_FORCE_COLOR: '1'

	jobs:
	pamtester:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Install pamtester and test prerequisites
	run: sudo apt-get install -y pamtester cron at
	- name: Test pre-harden
	run: \|
	# Everyone is allowed to use cron
	pamtester cron nobody acct_mgmt \|\| exit 1
	# Everyone is allowed to use atd
	pamtester atd nobody acct_mgmt \|\| exit 1
	# Everyone is allowed to use su
	# TODO: Prompts for a password
	#pamtester su nobody authenticate \|\| exit 1
	# Unknown services
	# TODO: authenticate & chauthtok
	for operation in acct_mgmt open_session; do pamtester nonexistent nobody "${operation}" \|\| exit 1; done
	- name: Run Ansible playbook for pam
	run: ansible-playbook harden.yml --tags pam --skip-tags slackware,centos
	- name: Test post-harden
	run: \|
	# random users should not be able to use cron
	# enforced with pam_access
	pamtester cron nobody acct_mgmt && exit 1
	# root should still be able to use cron
	pamtester cron root acct_mgmt \|\| exit 1
	# random users should not be able to use atd
	# enforced with pam_access
	pamtester atd nobody acct_mgmt && exit 1
	# su shouldn't be allowed
	pamtester su nobody authenticate && exit 1
	# Unknown services should be denied by /etc/pam.d/other
	for operation in authenticate acct_mgmt chauthtok open_session; do echo "[*] Testing nonexistent service operation ${operation}"; pamtester nonexistent nobody "${operation}" && exit 1; done; true
	libpamtest:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Install testing prerequisites
	run: sudo apt-get install -y libcmocka-dev libpam-wrapper libpam0g-dev libpamtest0-dev
	- name: Show PAM version
	run: apt-cache show libpam-modules
	- name: Compile test program
	run: pushd tests && make -f ../Makefile test && popd
	# This should fail as pam_matrix is not in use yet
	- name: Run tests - round 1
	# PAM_AUTH_ERR
	run: tests/test -t 1 -r 7
	- name: Prepare environment for testing
	run: ansible-playbook tests/pamtests.yml --tags setup
	- name: Run tests - round 2
	run: \|
	# Show user
	id
	# Authentication should succeed against pam_matrix
	echo '[*] Test 1 - root login:auth'
	tests/test -t 1 -r 0
	# pam_unix(login:account) should block as invalid user
	# This test should always succeed
	echo '[*] Test 2 - invalid account'
	tests/test -t 2
	# These will fail as a regular user with "unix_chkpwd[1550490]: could not obtain user info (root)"
	#echo '[*] Test 3'
	#tests/test -t 3 -r 2
	#echo '[*] Test 4'
	#tests/test -t 4 -r 2
	#echo '[*] Test 5'
	#tests/test -t 5 -r 2
	#echo '[*] Test 6'
	#tests/test -t 6 -r 2
	# Should work as root
	echo '[*] Test 3 - root login:account'
	sudo tests/test -t 3
	echo '[*] Test 4 - root cron:account'
	sudo tests/test -t 4
	# Nothing's preventing user nobody from using cron
	echo '[*] Test 5 - nobody cron:account'
	sudo tests/test -t 5 -r 0
	# Nothing's preventing user nobody from authenticating
	echo '[*] Test 6 - nobody login:auth'
	sudo tests/test -t 6 -r 0
	# Test pam_nologin
	# https://github.com/linux-pam/linux-pam/blob/master/modules/pam_nologin/pam_nologin.c
	sudo touch /etc/nologin
	echo '[*] Test 6 - nobody login:auth (nologin)'
	sudo tests/test -t 6 -r 7
	sudo rm -v /etc/nologin
	# Anyone can use su
	echo '[*] Test 7 - nobody su:auth'
	tests/test -t 7 -r 0
	echo '[*] Test 8 - root login:auth (wrong password)'
	# Wrong password
	# PAM_AUTH_ERR
	time tests/test -t 8 -r 7
	- name: Harden PAM
	run: \|
	ansible-playbook harden.yml --tags pam --skip-tags slackware
	sudo pam-auth-update --enable access
	sudo pam-auth-update --disable polyinstation
	sudo pam-auth-update --disable lastlog
	# Re-create common-auth-matrix
	sudo rm -v /etc/pam.d/common-auth-matrix
	ansible-playbook tests/pamtests.yml --tags setup
	- name: Run tests - post-harden
	run: \|
	echo '[*] Test 2 - invalid account'
	tests/test -t 2
	# Should be denied by pam_access
	# PAM_AUTH_ERR
	echo '[*] Test 5 - nobody cron:account'
	sudo tests/test -t 5 -r 7
	# Login for "nobody" should be blocked by hardened configuration even with a valid password
	# PAM_AUTH_ERR
	echo '[*] Test 6 - nobody login:auth'
	sudo tests/test -t 6 -r 7
	# Use of su should be denied
	# PAM_PERM_DENIED
	echo '[*] Test 7 - nobody su:auth'
	tests/test -t 7 -r 6
	# This should succeed because of pam_rootok
	echo '[*] Test 7 - nobody su:auth (as root)'
	sudo tests/test -t 7 -r 0

	# Test failed login & pam_faillock
	# We need Sudo to be able to write to faillock
	# Test that the login is initially working before faillock kicks in
	sudo tests/test -t 1 -r 0
	# PAM_PERM_DENIED
	echo '[*] Test 8 - root login:auth (wrong password)'
	time sudo tests/test -t 8 -r 6
	sudo tests/test -t 8 -r 6
	sudo tests/test -t 8 -r 6
	# Should be locked after 3 attempts
	# Return value will change from PAM_PERM_DENIED to PAM_AUTH_ERR from faillock preauth
	sudo tests/test -t 8 -r 7
	sudo ls -l /var/run/faillock/
	sudo faillock --user root
	# Test that root account is locked
	# PAM_AUTH_ERR
	echo '[*] Test 1 - root login:auth (with temporary lockout)'
	sudo tests/test -t 1 -r 7
	- name: chmod /var/log/auth.log
	run: sudo chmod -c 644 /var/log/auth.log
	- name: Archive auth.log
	uses: actions/upload-artifact@v4
	with:
	name: auth.log
	path: \|
	/var/log/auth.log
	/etc/pam.d/common-account
	/etc/pam.d/common-auth
	/etc/pam.d/common-auth-matrix
	/etc/pam.d/common-password
	/etc/pam.d/common-session
	/etc/pam.d/login
	/etc/pam.d/su
	/etc/security/faillock.conf
	# TODO: Not a complete list. Also Debian.
	upstream-changes:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v3
	- name: Download upstream PAM files
	run: \|
	make pam-files
	wget -nv https://salsa.debian.org/ssh-team/openssh/-/raw/master/debian/openssh-server.sshd.pam.in -O pam-files/openssh-server.sshd.pam.in
	- name: Check upstream for changes
	run: \|
	cat 0<<EOF \| sha512sum -c
	0285899c74c51a968eddd920281972ce4c432f487fc19a4db94a4093621282d2059eeb276b00bdfecc2cd645c6a70f2d1da74d89277fd6186d3639a28e102c5e pam-files/sshd
	1ee952e39eee796af335cfa69fbed69b51f76faf3a279a2526c9fdd89fb34216c19ad323e7ff97048c80567fd1bb625f384183c22bf0ea04041a25b365cef8a2 pam-files/xscreensaver
	25af00fb379de78d2807e1f291fcf6a44a097dc4bbbe4f5ef8cc54deccba69428e72ad32cae65fd2e2b0d29a0233513fecc033b99a207890e6fb9cd7d98f87c2 pam-files/chfn
	25af00fb379de78d2807e1f291fcf6a44a097dc4bbbe4f5ef8cc54deccba69428e72ad32cae65fd2e2b0d29a0233513fecc033b99a207890e6fb9cd7d98f87c2 pam-files/chsh
	7750b5480178346bdf856d83e3aecf637f9888380657d2fe863096959ebc02a5e52fbab08bad9c4ae9e1c4f257dbe1d155eef8dd8dc1b9ac178b90e0ada5b6cb pam-files/runuser
	9b39d1238b4686cb17e04051e0b5f9a5bd264e7789c6cf5409d7ed5114de781d28fbc8a7457f1ea67664ec595313e2c49710ac1a2480dbc49ed3d6ccf91bb3e6 pam-files/runuser-l
	c4468029c85cf3346bb34c1ba6682e185b681569beefe2fa6bd6233b15cf9d4f37e916791f5b2d1385ba97f7d0287116b9f6e2a3e458ff2abcc68224c9e597f9 pam-files/login
	c4468029c85cf3346bb34c1ba6682e185b681569beefe2fa6bd6233b15cf9d4f37e916791f5b2d1385ba97f7d0287116b9f6e2a3e458ff2abcc68224c9e597f9 pam-files/remote
	7b9d8bd3702b285e7d914283515595546d6da628f18916d1e6bfcc4642e06fcefd085b8067c490fd6a5916e310139e533427982379f4318809f9bfe482151c62 pam-files/openssh-server.sshd.pam.in
	EOF
	- name: Archive pam-files
	uses: actions/upload-artifact@v4
	with:
	name: pam-files
	path: \|
	pam-files/*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fixed regexp in molecule/debian/verify.yml #154

Workflow file

Fixed regexp in molecule/debian/verify.yml #154

Jobs

Run details

Workflow file for this run