libpamtest: sudo ls -l /var/run/faillock/ #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: pam | |
on: [push, pull_request] | |
env: | |
ANSIBLE_FORCE_COLOR: '1' | |
jobs: | |
pamtester: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install pamtester and test prerequisites | |
run: sudo apt-get install -y pamtester cron at | |
- name: Test pre-harden | |
run: | | |
# Everyone is allowed to use cron | |
pamtester cron nobody acct_mgmt || exit 1 | |
# Everyone is allowed to use atd | |
pamtester atd nobody acct_mgmt || exit 1 | |
# Everyone is allowed to use su | |
# TODO: Prompts for a password | |
#pamtester su nobody authenticate || exit 1 | |
# Unknown services | |
# TODO: authenticate & chauthtok | |
for operation in acct_mgmt open_session; do pamtester nonexistent nobody "${operation}" || exit 1; done | |
- name: Run Ansible playbook for pam | |
run: ansible-playbook harden.yml --tags pam --skip-tags slackware,centos | |
- name: Test post-harden | |
run: | | |
# random users should not be able to use cron | |
# enforced with pam_access | |
pamtester cron nobody acct_mgmt && exit 1 | |
# random users should not be able to use atd | |
# enforced with pam_access | |
pamtester atd nobody acct_mgmt && exit 1 | |
# su shouldn't be allowed | |
pamtester su nobody authenticate && exit 1 | |
# Unknown services should be denied by /etc/pam.d/other | |
for operation in authenticate acct_mgmt chauthtok open_session; do echo "[*] Testing nonexistent service operation ${operation}"; pamtester nonexistent nobody "${operation}" && exit 1; done; true | |
libpamtest: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install testing prerequisites | |
run: sudo apt-get install -y libcmocka-dev libpam-wrapper libpam0g-dev libpamtest0-dev | |
- name: Compile test program | |
run: pushd tests && make -f ../Makefile test && popd | |
# This should fail as pam_matrix is not in use yet | |
- name: Run tests - round 1 | |
run: tests/test -t 1 -r 2 | |
- name: Prepare environment for testing | |
run: ansible-playbook tests/pamtests.yml --tags setup | |
- name: Run tests - round 2 | |
run: | | |
# Show user | |
id | |
# Authentication should succeed against pam_matrix | |
echo '[*] Test 1' | |
tests/test -t 1 -r 0 | |
# pam_unix(login:account) should block as invalid user | |
echo '[*] Test 2' | |
tests/test -t 2 -r 2 | |
# These will fail as a regular user with "unix_chkpwd[1550490]: could not obtain user info (root)" | |
#echo '[*] Test 3' | |
#tests/test -t 3 -r 2 | |
#echo '[*] Test 4' | |
#tests/test -t 4 -r 2 | |
#echo '[*] Test 5' | |
#tests/test -t 5 -r 2 | |
#echo '[*] Test 6' | |
#tests/test -t 6 -r 2 | |
# Should work as root | |
echo '[*] Test 7' | |
sudo tests/test -t 3 -r 0 | |
echo '[*] Test 8' | |
sudo tests/test -t 4 -r 0 | |
echo '[*] Test 9' | |
sudo tests/test -t 5 -r 0 | |
echo '[*] Test 10' | |
sudo tests/test -t 6 -r 0 | |
# Anyone can use su | |
echo '[*] Test 11' | |
tests/test -t 7 -r 0 | |
echo '[*] Test 12' | |
# Wrong password | |
tests/test -t 8 | |
- name: Harden PAM | |
run: | | |
ansible-playbook harden.yml --tags pam --skip-tags slackware | |
sudo pam-auth-update --enable access | |
sudo pam-auth-update --disable polyinstation | |
# Re-create common-auth-matrix | |
sudo rm -v /etc/pam.d/common-auth-matrix | |
ansible-playbook tests/pamtests.yml --tags setup | |
- name: Run tests - post-harden | |
run: | | |
# Login for "nobody" should be blocked by hardened configuration even with a valid password | |
sudo tests/test -t 6 -r 2 | |
# Use of su should be denied | |
tests/test -t 7 -r 2 | |
# Test failed login & pam_faillock | |
sudo tests/test -t 8 | |
sudo ls -l /var/run/faillock/ | |
sudo faillock --user nobody | |
- name: chmod /var/log/auth.log | |
run: sudo chmod -c 644 /var/log/auth.log | |
- name: Archive auth.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: auth.log | |
path: | | |
/var/log/auth.log | |
/etc/pam.d/common-account | |
/etc/pam.d/common-auth | |
/etc/pam.d/common-auth-matrix | |
/etc/pam.d/common-password | |
/etc/pam.d/common-session |