Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cis-dil-benchmark-1.4.3 'Ensure authentication required for single user mode' inconsistency between Linux flavors #143

Open
dlouzan opened this issue Jan 9, 2023 · 0 comments
Open

cis-dil-benchmark-1.4.3 'Ensure authentication required for single user mode' inconsistency between Linux flavors #143

dlouzan opened this issue Jan 9, 2023 · 0 comments

Comments

@dlouzan
Copy link

dlouzan commented Jan 9, 2023

Hello, first of all thanks for the great project, Siemens fans here 👍

While importing the benchmark baseline for some internal tests, we have found that rule cis-dil-benchmark-1.4.3 tests fail on some specific Linux flavors, and we are not sure whether this is a wrong / incomplete benchmark test, or a valid failure.

  • cis-dil-benchmark-1.4.3 expects the password entry not to be exactly equal to ! or *
  • Debian sets by default in the cloud images the root /etc/shadow password to *. This fails validation.
  • Fedora cloud images otoh sets it to !locked, which passes validation.
  • But perhaps the CIS test should test for anything prefixed by ! or an exact *
  • Standard tooling reports them as being exactly the same state locked

    • Fedora 36:

      # cat /etc/redhat-release
Fedora release 36 (Thirty Six)

# grep root /etc/shadow
root:!locked::0:99999:7:::

# passwd -S root
root LK 1969-12-31 0 99999 7 -1 (Password locked.)

    • Debian 11:

      # cat /etc/debian_version
11.6

# grep root /etc/shadow
root:*:19345:0:99999:7:::

# passwd -S root
root L 12/19/2022 0 99999 7 -1

# passwd -l root
passwd: password expiry information changed.

# grep root /etc/shadow
root:!*:19345:0:99999:7:::

# passwd -S root
root L 12/19/2022 0 99999 7 -1

The man page says:

# man 5 shadow
...
       encrypted password
           This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the
           password field is empty.

           A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
...

So we're not sure if this is a wrong test in CIL or the behaviour is indeed different between both /etc/shadow states. Should !* be valid too? (actually anything !-prefixed)

Could you guys shed some light here? Thanks!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dlouzan