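---
# CI workflow for the PAM part of the hardening playbook.
#
# Jobs:
#   pamtester        - black-box checks with pamtester(1) against the cron, atd,
#                      su and a nonexistent PAM service, before and after
#                      `ansible-playbook harden.yml --tags pam`.
#   libpamtest       - compiles tests/test (libpamtest / pam_wrapper) and runs
#                      it against a pam_matrix setup, before and after hardening.
#   upstream-changes - fetches upstream PAM service files and fails when their
#                      sha512 digests differ from the values pinned below.
name: pam
on: [push, pull_request]  # yamllint disable-line rule:truthy
env:
  ANSIBLE_FORCE_COLOR: '1'
jobs:
  pamtester:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): every `uses:` in this file references an action by a
        # mutable tag; pinning to a full commit SHA gives a stronger
        # supply-chain guarantee.
        uses: actions/checkout@v3
      - name: Install pamtester and test prerequisites
        # Refresh the package lists first: the lists baked into the runner
        # image may be stale, and a bare `apt-get install` then fails.
        run: |
          sudo apt-get update
          sudo apt-get install -y pamtester cron at
      - name: Test pre-harden
        # `cmd || exit 1` asserts that the operation is permitted before hardening.
        run: |
          # Everyone is allowed to use cron
          pamtester cron nobody acct_mgmt || exit 1
          # Everyone is allowed to use atd
          pamtester atd nobody acct_mgmt || exit 1
          # Everyone is allowed to use su
          # TODO: Prompts for a password
          #pamtester su nobody authenticate || exit 1
          # Unknown services
          # TODO: authenticate & chauthtok
          for operation in acct_mgmt open_session; do pamtester nonexistent nobody "${operation}" || exit 1; done
      - name: Run Ansible playbook for pam
        run: ansible-playbook harden.yml --tags pam --skip-tags slackware,centos
      - name: Test post-harden
        # `cmd && exit 1` asserts that the operation is denied after hardening:
        # the step fails only if cmd unexpectedly succeeds.
        run: |
          # random users should not be able to use cron
          # enforced with pam_access
          pamtester cron nobody acct_mgmt && exit 1
          # root should still be able to use cron
          pamtester cron root acct_mgmt || exit 1
          # random users should not be able to use atd
          # enforced with pam_access
          pamtester atd nobody acct_mgmt && exit 1
          # su shouldn't be allowed
          pamtester su nobody authenticate && exit 1
          # Unknown services should be denied by /etc/pam.d/other
          for operation in authenticate acct_mgmt chauthtok open_session; do echo "[*] Testing nonexistent service operation ${operation}"; pamtester nonexistent nobody "${operation}" && exit 1; done; true
  libpamtest:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install testing prerequisites
        # Refresh the package lists first (see the pamtester job).
        run: |
          sudo apt-get update
          sudo apt-get install -y libcmocka-dev libpam-wrapper libpam0g-dev libpamtest0-dev
      - name: Show PAM version
        run: apt-cache show libpam-modules
      - name: Compile test program
        run: pushd tests && make -f ../Makefile test && popd
      # This should fail as pam_matrix is not in use yet
      - name: Run tests - round 1
        # PAM_AUTH_ERR
        run: tests/test -t 1 -r 7
      - name: Prepare environment for testing
        run: ansible-playbook tests/pamtests.yml --tags setup
      - name: Run tests - round 2
        # Baseline behaviour with pam_matrix configured but the system not yet hardened.
        run: |
          # Show user
          id
          # Authentication should succeed against pam_matrix
          echo '[*] Test 1 - root login:auth'
          tests/test -t 1 -r 0
          # pam_unix(login:account) should block as invalid user
          # This test should always succeed
          echo '[*] Test 2 - invalid account'
          tests/test -t 2
          # These will fail as a regular user with "unix_chkpwd[1550490]: could not obtain user info (root)"
          #echo '[*] Test 3'
          #tests/test -t 3 -r 2
          #echo '[*] Test 4'
          #tests/test -t 4 -r 2
          #echo '[*] Test 5'
          #tests/test -t 5 -r 2
          #echo '[*] Test 6'
          #tests/test -t 6 -r 2
          # Should work as root
          echo '[*] Test 3 - root login:account'
          sudo tests/test -t 3
          echo '[*] Test 4 - root cron:account'
          sudo tests/test -t 4
          # Nothing's preventing user nobody from using cron
          echo '[*] Test 5 - nobody cron:account'
          sudo tests/test -t 5 -r 0
          # Nothing's preventing user nobody from authenticating
          echo '[*] Test 6 - nobody login:auth'
          sudo tests/test -t 6 -r 0
          # Test pam_nologin
          # https://github.com/linux-pam/linux-pam/blob/master/modules/pam_nologin/pam_nologin.c
          sudo touch /etc/nologin
          echo '[*] Test 6 - nobody login:auth (nologin)'
          sudo tests/test -t 6 -r 7
          sudo rm -v /etc/nologin
          # Anyone can use su
          echo '[*] Test 7 - nobody su:auth'
          tests/test -t 7 -r 0
          echo '[*] Test 8 - root login:auth (wrong password)'
          # Wrong password
          # PAM_AUTH_ERR
          time tests/test -t 8 -r 7
      - name: Harden PAM
        # NOTE(review): unlike the pamtester job this run does not skip the
        # `centos` tag — confirm that is intentional.
        run: |
          ansible-playbook harden.yml --tags pam --skip-tags slackware
          sudo pam-auth-update --enable access
          sudo pam-auth-update --disable polyinstation
          sudo pam-auth-update --disable lastlog
          # Re-create common-auth-matrix
          sudo rm -v /etc/pam.d/common-auth-matrix
          ansible-playbook tests/pamtests.yml --tags setup
      - name: Run tests - post-harden
        # Expected return codes are given in the inline comments
        # (PAM_AUTH_ERR / PAM_PERM_DENIED); `-r 0` means the call must succeed.
        run: |
          echo '[*] Test 2 - invalid account'
          tests/test -t 2
          # Should be denied by pam_access
          # PAM_AUTH_ERR
          echo '[*] Test 5 - nobody cron:account'
          sudo tests/test -t 5 -r 7
          # Login for "nobody" should be blocked by hardened configuration even with a valid password
          # PAM_AUTH_ERR
          echo '[*] Test 6 - nobody login:auth'
          sudo tests/test -t 6 -r 7
          # Use of su should be denied
          # PAM_PERM_DENIED
          echo '[*] Test 7 - nobody su:auth'
          tests/test -t 7 -r 6
          # This should succeed because of pam_rootok
          echo '[*] Test 7 - nobody su:auth (as root)'
          sudo tests/test -t 7 -r 0
          # Test failed login & pam_faillock
          # We need Sudo to be able to write to faillock
          # Test that the login is initially working before faillock kicks in
          sudo tests/test -t 1 -r 0
          # PAM_PERM_DENIED
          echo '[*] Test 8 - root login:auth (wrong password)'
          time sudo tests/test -t 8 -r 6
          sudo tests/test -t 8 -r 6
          sudo tests/test -t 8 -r 6
          # Should be locked after 3 attempts
          # Return value will change from PAM_PERM_DENIED to PAM_AUTH_ERR from faillock preauth
          sudo tests/test -t 8 -r 7
          sudo ls -l /var/run/faillock/
          sudo faillock --user root
          # Test that root account is locked
          # PAM_AUTH_ERR
          echo '[*] Test 1 - root login:auth (with temporary lockout)'
          sudo tests/test -t 1 -r 7
      - name: chmod /var/log/auth.log
        # Makes the runner's auth log world-readable, presumably so the
        # unprivileged upload step below can read it. The runner is ephemeral,
        # but note that the uploaded artifact contains authentication logs.
        run: sudo chmod -c 644 /var/log/auth.log
      - name: Archive auth.log
        uses: actions/upload-artifact@v4
        with:
          name: auth.log
          path: |
            /var/log/auth.log
            /etc/pam.d/common-account
            /etc/pam.d/common-auth
            /etc/pam.d/common-auth-matrix
            /etc/pam.d/common-password
            /etc/pam.d/common-session
            /etc/pam.d/login
            /etc/pam.d/su
            /etc/security/faillock.conf
  # TODO: Not a complete list. Also Debian.
  upstream-changes:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Download upstream PAM files
        run: |
          make pam-files
          wget -nv https://salsa.debian.org/ssh-team/openssh/-/raw/master/debian/openssh-server.sshd.pam.in -O pam-files/openssh-server.sshd.pam.in
      - name: Check upstream for changes
        # `sha512sum -c` exits non-zero when any listed file's digest differs
        # from the pinned value, failing the job so the drift is reviewed.
        run: |
          cat 0<<EOF | sha512sum -c
          0285899c74c51a968eddd920281972ce4c432f487fc19a4db94a4093621282d2059eeb276b00bdfecc2cd645c6a70f2d1da74d89277fd6186d3639a28e102c5e pam-files/sshd
          1ee952e39eee796af335cfa69fbed69b51f76faf3a279a2526c9fdd89fb34216c19ad323e7ff97048c80567fd1bb625f384183c22bf0ea04041a25b365cef8a2 pam-files/xscreensaver
          25af00fb379de78d2807e1f291fcf6a44a097dc4bbbe4f5ef8cc54deccba69428e72ad32cae65fd2e2b0d29a0233513fecc033b99a207890e6fb9cd7d98f87c2 pam-files/chfn
          25af00fb379de78d2807e1f291fcf6a44a097dc4bbbe4f5ef8cc54deccba69428e72ad32cae65fd2e2b0d29a0233513fecc033b99a207890e6fb9cd7d98f87c2 pam-files/chsh
          7750b5480178346bdf856d83e3aecf637f9888380657d2fe863096959ebc02a5e52fbab08bad9c4ae9e1c4f257dbe1d155eef8dd8dc1b9ac178b90e0ada5b6cb pam-files/runuser
          9b39d1238b4686cb17e04051e0b5f9a5bd264e7789c6cf5409d7ed5114de781d28fbc8a7457f1ea67664ec595313e2c49710ac1a2480dbc49ed3d6ccf91bb3e6 pam-files/runuser-l
          c4468029c85cf3346bb34c1ba6682e185b681569beefe2fa6bd6233b15cf9d4f37e916791f5b2d1385ba97f7d0287116b9f6e2a3e458ff2abcc68224c9e597f9 pam-files/login
          c4468029c85cf3346bb34c1ba6682e185b681569beefe2fa6bd6233b15cf9d4f37e916791f5b2d1385ba97f7d0287116b9f6e2a3e458ff2abcc68224c9e597f9 pam-files/remote
          7b9d8bd3702b285e7d914283515595546d6da628f18916d1e6bfcc4642e06fcefd085b8067c490fd6a5916e310139e533427982379f4318809f9bfe482151c62 pam-files/openssh-server.sshd.pam.in
          EOF
      - name: Archive pam-files
        uses: actions/upload-artifact@v4
        with:
          name: pam-files
          path: |
            pam-files/*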