Skip to content

Commit

Permalink
Revert "Clean up duplicated test"
Browse files Browse the repository at this point in the history
This reverts commit 85023f3.
  • Loading branch information
alanmcanonical committed Dec 2, 2024
1 parent ab751cd commit 28291fd
Show file tree
Hide file tree
Showing 7 changed files with 100 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account

echo "#audit" > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
#!/bin/bash

# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
# Extra comments and whitespaces were added to test for edge cases

cat >/etc/pam.d/common-auth <<EOF
## Leading and trailing whitespaces should be ok
auth required pam_faillock.so preauth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
## Several lines of comments should not
## break faillock remediation logic
## Nor should commented pam_unix
#auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
## Some more user comments
auth [default=die] pam_faillock.so authfail
## and some more
auth sufficient pam_faillock.so authsucc
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
EOF


cat >/etc/pam.d/common-account <<EOF
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
account required pam_faillock.so
EOF
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

echo "audit" > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i 's/\(.*pam_faillock.so.*\)/\1 audit/g' /etc/pam.d/common-auth

Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/bin/bash
# platform = multi_platform_ubuntu

# This test should fail because neither pam.d or faillock.conf have audit defined

source ubuntu_common.sh

echo > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
#!/bin/bash
# platform = multi_platform_ubuntu

source ubuntu_common.sh

sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account

echo "audit" > /etc/security/faillock.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
#!/bin/bash
# platform = multi_platform_ubuntu
# remediation = none

# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
# in order to preserve intentional changes.

source ubuntu_common.sh

echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth

0 comments on commit 28291fd

Please sign in to comment.