* [isar-cip-core v2] security-customizations: Fix pam_tally2 deprecation
@ 2022-07-24 17:53 ` venkata.pyla
2022-07-26 15:35 ` Jan Kiszka
From: venkata.pyla @ 2022-07-24 17:53 UTC (permalink / raw)
To: cip-dev, jan.kiszka; +Cc: venkata pyla, dinesh.kumar, kazuhiro3.hayashi
From: venkata pyla <venkata.pyla@toshiba-tsip.com>
pam_tally2 is deprecated from PAM version 1.4.0-7, which is the version in
Debian Bullseye, and pam_faillock was introduced as its replacement.
Modified the security customizations to first check for the existence of
pam_tally2, for backward compatibility, and to use pam_faillock instead when
it is not found, to achieve the same functionality.
Fixes #33
Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../security-customizations/files/postinst | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 9ba8540..0d0eb07 100644
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -22,11 +22,23 @@ sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE
# CR1.11: Unsuccessful login attempts
# Lock user account after unsuccessful login attempts
PAM_AUTH_FILE="/etc/pam.d/common-auth"
-pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
-if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
- sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+# pam_tally2 is deprecated from pam version 1.4.0-7
+if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then
+ PAM_MODULE="pam_tally2.so"
+ PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then
+ PAM_MODULE="pam_faillock.so"
+ PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \
+ \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+else
+ echo "No suitable pam module found to lock failed login attempts"
+ exit 1
fi
-sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+
+if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then
+ sed -i '/${PAM_MODULE}/ s/^#*/#/' "${PAM_AUTH_FILE}"
+fi
+sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}"
# CR2.6: Remote session termination
# Terminate remote session after inactive time period
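Review bot: the pam_faillock branch of PAM_CONFIG puts an `auth required pam_faillock.so ... authfail` line into the block that the final `sed "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/"` inserts before the first existing `auth` line, i.e. ahead of the primary authentication module. pam_faillock's authfail action records a failure every time it is invoked, so placed there it counts successful logins as well, and with deny=3 every account locks after three logins. For faillock the authfail call has to sit on the failure path after pam_unix.so (for example `auth [default=die] pam_faillock.so authfail ...`), and the counter needs a reset on success via `auth sufficient pam_faillock.so authsucc ...` or pam_faillock in the account stack; neither is in this hunk. Three smaller points in the same block: the second PAM_CONFIG line carries a stray `.so` token (`pam_faillock.so .so authfail`) that the module will see as an unknown option; the sed that comments out an existing module line is single-quoted (`sed -i '/${PAM_MODULE}/ s/^#*/#/'`), so `${PAM_MODULE}` is never expanded and an existing line is no longer commented out where the old code's literal `/pam_tally2/` did work, so this needs double quotes; and `[ -f /lib/*-linux-gnu*/security/pam_tally2.so ]` hands the test several words on a multiarch rootfs where the glob matches more than one directory, so it should loop over the glob or test one explicit path.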
--
2.20.1
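The approach the commit message describes (keep pam_tally2 where it still exists, otherwise configure pam_faillock for the same lockout policy), written out as an added shell example; this is not code from the patch or from isar-cip-core. It assumes a Debian-style common-auth whose primary module line is `auth [success=1 default=ignore] pam_unix.so`, and the multiarch module directories that libpam-modules installs into; the function names and the sample file are constructed for the example. Instead of one `auth required` line at the top of the stack, the faillock calls are placed so that authfail runs only when pam_unix.so fails and authsucc resets the counter on success, in the layout pam_faillock(8) gives:

```shell
#!/bin/sh
# Added example, not part of the isar-cip-core patch above. Assumptions: the
# Debian common-auth shape ("[success=1 default=ignore] pam_unix.so" as the
# primary module) and the module directories below, which is where
# libpam-modules installs on Debian. Option names follow pam_faillock(8).

# Print the path of PAM module $1 below root $2 (default: the live system).
# Looping over the glob copes with zero or several matching directories,
# which "[ -f /lib/*-linux-gnu*/security/x.so ]" does not.
find_pam_module() {
  name=$1
  root=${2:-}
  for dir in "$root"/lib/*-linux-gnu/security "$root"/usr/lib/*-linux-gnu/security \
             "$root"/lib/security "$root"/usr/lib/security; do
    if [ -f "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# Same preference as the patch: pam_tally2 where it still exists, otherwise
# pam_faillock. Prints the chosen module name, fails if neither is present.
choose_lockout_module() {
  if find_pam_module pam_tally2.so "${1:-}" >/dev/null; then
    echo pam_tally2.so
  elif find_pam_module pam_faillock.so "${1:-}" >/dev/null; then
    echo pam_faillock.so
  else
    echo "No suitable pam module found to lock failed login attempts" >&2
    return 1
  fi
}

# Insert a pam_faillock stack into common-auth FILE: preauth before the first
# auth line, authfail and authsucc directly after the pam_unix.so line. The
# "success=1" control on pam_unix.so skips authfail on a good password and
# lands on authsucc, which resets the tally; a bad password falls through to
# authfail, which records the failure and ends the stack ([default=die]).
# Idempotent: a file that already mentions pam_faillock is left alone.
# Usage: add_faillock FILE [DENY] [UNLOCK_TIME]
add_faillock() {
  file=$1
  deny=${2:-3}
  unlock=${3:-60}
  primary='^auth[[:space:]]*\[success=1 default=ignore\][[:space:]]*pam_unix\.so'
  if grep -q 'pam_faillock\.so' "$file"; then
    echo "pam_faillock already configured in $file" >&2
    return 0
  fi
  if ! grep -q "$primary" "$file"; then
    echo "$file: no '[success=1 default=ignore] pam_unix.so' line, not guessing the failure path" >&2
    return 1
  fi
  opts="deny=$deny even_deny_root unlock_time=$unlock root_unlock_time=$unlock"
  tmp="$file.tmp.$$"
  awk -v opts="$opts" '
    /^auth/ && !pre {
      print "auth\trequired\tpam_faillock.so preauth silent " opts
      pre = 1
    }
    { print }
    /^auth[[:space:]]*\[success=1 default=ignore\][[:space:]]*pam_unix\.so/ && !post {
      print "auth\t[default=die]\tpam_faillock.so authfail " opts
      print "auth\tsufficient\tpam_faillock.so authsucc " opts
      post = 1
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed input for the demo: the stock Debian common-auth auth stack.
sample_common_auth() {
  printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok\n' > "$1"
  printf 'auth\trequisite\t\t\tpam_deny.so\n' >> "$1"
  printf 'auth\trequired\t\t\tpam_permit.so\n' >> "$1"
}

demo() {
  tmp=$(mktemp)
  sample_common_auth "$tmp"
  add_faillock "$tmp" 3 60 && cat "$tmp"
  rm -f "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh pam_lockout.sh demo` (assumed file name) to see the rewritten stack on the constructed input. On a real image the result of `choose_lockout_module` decides whether the existing single pam_tally2 line or `add_faillock` applies; `add_faillock` refuses files whose pam_unix.so line does not carry the `success=1` control, because with a plain `required` line authfail would also run after a successful password check.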
* Re: [isar-cip-core v2] security-customizations: Fix pam_tally2 deprecation
From: Jan Kiszka @ 2022-07-26 15:35 UTC (permalink / raw)
To: venkata.pyla, cip-dev; +Cc: dinesh.kumar, kazuhiro3.hayashi
On 24.07.22 19:53, venkata.pyla@toshiba-tsip.com wrote:
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
>
> pam_tally2 is deprecated from PAM version 1.4.0-7, which is the version in
> Debian Bullseye, and pam_faillock was introduced as its replacement.
>
> Modified the security customizations to first check for the existence of
> pam_tally2, for backward compatibility, and to use pam_faillock instead when
> it is not found, to achieve the same functionality.
>
> Fixes #33
>
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
> .../security-customizations/files/postinst | 20 +++++++++++++++----
> 1 file changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
> index 9ba8540..0d0eb07 100644
> --- a/recipes-core/security-customizations/files/postinst
> +++ b/recipes-core/security-customizations/files/postinst
> @@ -22,11 +22,23 @@ sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE
> # CR1.11: Unsuccessful login attempts
> # Lock user account after unsuccessful login attempts
> PAM_AUTH_FILE="/etc/pam.d/common-auth"
> -pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> -if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> - sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
> +# pam_tally2 is deprecated from pam version 1.4.0-7
> +if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then
> + PAM_MODULE="pam_tally2.so"
> + PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then
> + PAM_MODULE="pam_faillock.so"
> + PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \
> + \nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +else
> + echo "No suitable pam module found to lock failed login attempts"
> + exit 1
> fi
> -sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +
> +if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then
> + sed -i '/${PAM_MODULE}/ s/^#*/#/' "${PAM_AUTH_FILE}"
> +fi
> +sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}"
>
> # CR2.6: Remote session termination
> # Terminate remote session after inactive time period
Thanks, applied.
Jan
--
Siemens AG, Technology
Competence Center Embedded Linux