Skip to content

Check Configuration of password remember#157

Open
m41kc0d3 wants to merge 3 commits intodev-sec:masterfrom
m41kc0d3:reuse-previous-passwords
Open

Check Configuration of password remember#157
m41kc0d3 wants to merge 3 commits intodev-sec:masterfrom
m41kc0d3:reuse-previous-passwords

Conversation

@m41kc0d3
Copy link

@m41kc0d3 m41kc0d3 commented Jul 21, 2021

and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Public Telekom Security - Requirements

@m41kc0d3
Check Configuration of password remember
109d01a 
and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46

Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
@m41kc0d3 m41kc0d3 force-pushed the reuse-previous-passwords branch from deddf31 to 109d01a Compare July 21, 2021 12:33
chris-rock
chris-rock reviewed Jul 21, 2021
View reviewed changes
Copy link
Member

@chris-rock chris-rock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @m41kc0d3 I added some comments and happy to discuss how we proceed?

controls/os_spec.rb Outdated
it { should exist }
it { should be_owned_by 'root' }
its('group') { should eq 'root' }
its(:content) { should match /^password requisite pam_pwhistory.so remember=60 use_authtok$/ }
Copy link
Member

@chris-rock chris-rock Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This collects 60 passwords. I suggest to go with the CIS default of 5 and make this the default argument for this policy. You can than override the policy with 60 for your needs.

What do you think if we also split this into multiple pieces as CIS DIL 5.3 is doing?

Copy link
Author

@m41kc0d3 m41kc0d3 Jul 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I set the default back to 5

controls/os_spec.rb

control 'os-14' do
impact 1.0
title 'Check pam config - RedHat specific'
Copy link
Member

@chris-rock chris-rock Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All controls that we are adding to the base line need to be applicable and tested on all major linux distributions.

Copy link
Author

@m41kc0d3 m41kc0d3 Jul 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @chris-rock,
in dev-sec/ansible-collection-hardening there is currently no configuration of this for other distributions and I am not the Debian master that can create them. So I only change some code in dev-sec/ansible-collection-hardening and create the missing test in this repo.

Copy link
Contributor

@schurzi schurzi Jul 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Our code for PAM configuration on any non-RHEL based distribution is severely lacking.
I would propose to open an issue for this and going on with only RHEL support here.

m41kc0d3 added 2 commits July 22, 2021 09:36
@m41kc0d3
set default for password remember back to 5
330b86c 
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
@m41kc0d3
fix typo of pam checks
5514245 
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chris-rock chris-rock chris-rock left review comments

@schurzi schurzi schurzi left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@m41kc0d3 @chris-rock @schurzi