Skip to content

Fix and modify UBTU-20-010463 (no_empty_passwords)#11282

Merged
dodys merged 2 commits into
ComplianceAsCode:masterfrom
mpurg:fix_no_empty_passwords
Nov 21, 2023
Merged

Fix and modify UBTU-20-010463 (no_empty_passwords)#11282
dodys merged 2 commits into
ComplianceAsCode:masterfrom
mpurg:fix_no_empty_passwords

Conversation

@mpurg
Copy link
Copy Markdown
Contributor

@mpurg mpurg commented Nov 15, 2023
edited
Loading

Description:

  • Fix for original remediation which removed the nullok keyword and everything after it
  • Modification of STIG rule to include removing nullok also from /etc/pam.d/common-auth

Rationale for modifying UBTU-20-010463:

  • /etc/pam.d/common-password does not contain nullok by default, nor
    does the keyword have any effect on changing passwords with passwd
    (empty passwords are not allowed with or without nullok keyword)
  • /etc/pam.d/common-auth contains nullok by default and thus allows
    logins to accounts with empty passwords

DISA was notified of the issue. Some concerns were raised regarding effect on
multifactor authentication, however, it was shown to work regardless of
nullok keyword being present in /etc/pam.d/common-auth:pam_unix.so or
not.

@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented Nov 15, 2023

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Nov 15, 2023
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 15, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@dodys dodys self-assigned this Nov 16, 2023
@dodys dodys requested a review from a team November 16, 2023 11:10
@dodys dodys added ok-to-test Used by openshift-ci bot. Ubuntu Ubuntu product related. STIG STIG Benchmark related. and removed needs-ok-to-test Used by openshift-ci bot. labels Nov 16, 2023
@Mab879 Mab879 added the Bash Bash remediation update. label Nov 17, 2023
@Mab879 Mab879 added this to the 0.1.71 milestone Nov 17, 2023
@mpurg
Fix and modify UBTU-20-010463 (no_empty_passwords)
59c5fd8 
- Fix for original remediation which removed the `nullok` keyword and everything after it
- Modification of STIG rule to include removing nullok also from /etc/pam.d/common-auth

Rationale for modifying UBTU-20-010463:
- /etc/pam.d/common-password does not contain nullok by default, nor
  does the keyword have any effect on changing passwords with `passwd`
  (empty passwords are not allowed with or without nullok keyword)
- /etc/pam.d/common-auth contains nullok by default and thus allows
  logins to accounts with empty passwords

DISA was notified of the issue. Some concerns were raised regarding effect on
multifactor authentication, however, it was shown to work regardless of
nullok keyword being present in /etc/pam.d/common-auth:pam_unix.so or
not.
@mpurg mpurg force-pushed the fix_no_empty_passwords branch from d4e0641 to 59c5fd8 Compare November 17, 2023 14:46
@mpurg mpurg changed the title Fix ubuntu remediation and add tests for no_empty_passwords Fix and modify UBTU-20-010463 (no_empty_passwords) Nov 17, 2023
@qlty-cloud-legacy
Copy link
Copy Markdown

qlty-cloud-legacy Bot commented Nov 17, 2023

Code Climate has analyzed commit eed70c3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.8%.

View more on Code Climate.

dodys
dodys approved these changes Nov 21, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys merged commit a195365 into ComplianceAsCode:master Nov 21, 2023
@mpurg mpurg mentioned this pull request Apr 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dodys dodys dodys approved these changes

Assignees

@dodys dodys

Labels

Bash Bash remediation update. ok-to-test Used by openshift-ci bot. STIG STIG Benchmark related. Ubuntu Ubuntu product related.

Projects

None yet

Milestone

0.1.71

Development

Successfully merging this pull request may close these issues.

3 participants

@mpurg @dodys @Mab879