Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix and modify UBTU-20-010463 (no_empty_passwords) #11282

Merged
merged 2 commits into from
Nov 21, 2023
Merged

Fix and modify UBTU-20-010463 (no_empty_passwords) #11282

merged 2 commits into from
Nov 21, 2023

Conversation

mpurg
Copy link
Contributor

@mpurg mpurg commented Nov 15, 2023
edited
Loading

Description:

  • Fix for original remediation which removed the nullok keyword and everything after it
  • Modification of STIG rule to include removing nullok also from /etc/pam.d/common-auth

Rationale for modifying UBTU-20-010463:

  • /etc/pam.d/common-password does not contain nullok by default, nor
    does the keyword have any effect on changing passwords with passwd
    (empty passwords are not allowed with or without nullok keyword)
  • /etc/pam.d/common-auth contains nullok by default and thus allows
    logins to accounts with empty passwords

DISA was notified of the issue. Some concerns were raised regarding effect on
multifactor authentication, however, it was shown to work regardless of
nullok keyword being present in /etc/pam.d/common-auth:pam_unix.so or
not.

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Nov 15, 2023

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Nov 15, 2023
@github-actions GitHub Actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@dodys dodys self-assigned this Nov 16, 2023
@dodys dodys requested a review from a team November 16, 2023 11:10
@dodys dodys added ok-to-test Used by openshift-ci bot. Ubuntu Ubuntu product related. STIG STIG Benchmark related. and removed needs-ok-to-test Used by openshift-ci bot. labels Nov 16, 2023
@Mab879 Mab879 added the Bash Bash remediation update. label Nov 17, 2023
@Mab879 Mab879 added this to the 0.1.71 milestone Nov 17, 2023
@mpurg
Fix and modify UBTU-20-010463 (no_empty_passwords)
59c5fd8 
- Fix for original remediation which removed the `nullok` keyword and everything after it
- Modification of STIG rule to include removing nullok also from /etc/pam.d/common-auth

Rationale for modifying UBTU-20-010463:
- /etc/pam.d/common-password does not contain nullok by default, nor
  does the keyword have any effect on changing passwords with `passwd`
  (empty passwords are not allowed with or without nullok keyword)
- /etc/pam.d/common-auth contains nullok by default and thus allows
  logins to accounts with empty passwords

DISA was notified of the issue. Some concerns were raised regarding effect on
multifactor authentication, however, it was shown to work regardless of
nullok keyword being present in /etc/pam.d/common-auth:pam_unix.so or
not.
@mpurg mpurg changed the title Fix ubuntu remediation and add tests for no_empty_passwords Fix and modify UBTU-20-010463 (no_empty_passwords) Nov 17, 2023
@codeclimate CodeClimate
Copy link

codeclimate bot commented Nov 17, 2023

Code Climate has analyzed commit eed70c3 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.8%.

View more on Code Climate.

dodys
dodys approved these changes Nov 21, 2023
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys merged commit a195365 into ComplianceAsCode:master Nov 21, 2023
38 checks passed
@mpurg mpurg mentioned this pull request Apr 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dodys dodys dodys approved these changes

Assignees

@dodys dodys

Labels
Bash Bash remediation update. ok-to-test Used by openshift-ci bot. STIG STIG Benchmark related. Ubuntu Ubuntu product related.
Projects
None yet
Milestone
0.1.71
Development

Successfully merging this pull request may close these issues.
3 participants
@mpurg @dodys @Mab879