Modified no_empty_password rule to check for nullok option in /etc/pam.d/system-auth instead of checking password field in /etc/shadow. Also created OVAL check accounts_pam_no_nullok.xml to support this. See Trac ticket #92: https://fedorahosted.org/scap-security-guide/ticket/92
---
 RHEL6/input/checks/accounts_pam_no_nullok.xml      | 24 ++++++++++++++++++++
 .../accounts/restrictions/password_storage.xml     | 18 ++++++++++-----
 2 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 RHEL6/input/checks/accounts_pam_no_nullok.xml
diff --git a/RHEL6/input/checks/accounts_pam_no_nullok.xml b/RHEL6/input/checks/accounts_pam_no_nullok.xml new file mode 100644 index 0000000..054cb94 --- /dev/null +++ b/RHEL6/input/checks/accounts_pam_no_nullok.xml @@ -0,0 +1,24 @@ +<def-group> + <definition class="compliance" id="accounts_pam_no_nullok" version="1"> + <metadata> + <title>No nullok Option in /etc/pam.d/system-auth</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="TO:DO" source="CCE" /> + <description>The file /etc/pam.d/system-auth should not contain the nullok option</description> + </metadata> + <criteria> + <criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="test_accounts_pam_no_nullok" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="test_accounts_pam_no_nullok" version="1"> + <ind:object object_ref="object_accounts_pam_no_nullok" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_accounts_pam_no_nullok" version="1"> + ind:path/etc/pam.d/</ind:path> + ind:filenamesystem-auth</ind:filename> + <ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index 8e1014b..8f39126 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -17,11 +17,17 @@ should allow administrators to avoid such misconfiguration. </description>
<Rule id="no_empty_passwords" severity="high"> -<title>Verify that No Accounts Have Empty Password Fields</title> -<description>Run the command: -<pre># awk -F: '($2 == "") {print}' /etc/shadow</pre> -If this produces any output, fix the problem by locking each -account or by setting a password. +<title>Prevent Log In to Accounts With Empty Password</title> +<description>If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Ensuring that the <tt>nullok</tt> +option is <b>NOT</b> used in the <tt>/etc/pam.d/system-auth-ac</tt> +prevents logins with empty passwords. +<br /><br /> +To verify manually, the following command can be used: +<pre># grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre> +If this produces any output, fix the problem by removing any instance +of <tt>nullok</tt> in <tt>/etc/pam.d/system-auth-ac</tt>. </description> <rationale> If an account has an empty password, anybody may log in and @@ -30,7 +36,7 @@ empty passwords should never be used in operational environments. </rationale> <ident cce="4238-2" /> -<oval id="accounts_no_empty_passwords" /> +<oval id="accounts_pam_no_nullok" /> <ref nist="AC-3, CM-6, IA-5" /> </Rule>
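Review bot: in the new file RHEL6/input/checks/accounts_pam_no_nullok.xml, the `<ind:path>` and `<ind:filename>` elements of `object_accounts_pam_no_nullok` appear without their opening tags (`ind:path/etc/pam.d/</ind:path>` and `ind:filenamesystem-auth</ind:filename>`), so the OVAL definition as posted is not well-formed XML and will not load; they should read `<ind:path>/etc/pam.d/</ind:path>` and `<ind:filename>system-auth</ind:filename>`. Two smaller points on the same object: the pattern `\s*nullok\s*` matches the token anywhere on a line, including a commented-out line, so a `#`-prefixed remnant left by an administrator would still fail the check (a pattern that only matches on a non-comment line, e.g. `^[^#]*\bnullok\b`, avoids that), and the `<reference ref_id="TO:DO" source="CCE" />` placeholder should be filled in or removed before merge so the definition does not ship with a bogus CCE reference.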
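Review bot: the new description and fix text in the password_storage.xml hunk point at `/etc/pam.d/system-auth-ac` (`option is <b>NOT</b> used in the <tt>/etc/pam.d/system-auth-ac</tt>` and `removing any instance of <tt>nullok</tt> in <tt>/etc/pam.d/system-auth-ac</tt>`), while the `accounts_pam_no_nullok` OVAL object referenced by the new `<oval id="accounts_pam_no_nullok" />` line inspects only the filename `system-auth`, and the manual `grep` covers both files; the text and the automated check should name the same file(s), either by stating that `system-auth` is what is checked (on RHEL 6 it is normally a symlink to `system-auth-ac`, which the text should say explicitly if that is the assumption) or by having the OVAL object cover both. Also, the replaced description dropped the old remediation of locking each account or setting a password; removing `nullok` stops PAM from accepting an empty password, but the affected accounts still have none, so keeping that advice alongside the `nullok` fix would be worthwhile, together with a mention that `nullok` is an option of `pam_unix`, as the reply in this thread also notes. Finally, `<ident cce="4238-2" />` is retained although the rule's check moved from the `/etc/shadow` password field to PAM configuration; confirm the CCE still describes the new control.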
It would have been nice to point out that this is an option for the pam_unix module. But it's good enough for an ACK as-is.
On 07/30/2012 03:21 PM, Willy Santos wrote: