Access controls - pyllyukko/harden.yml GitHub Wiki

This is an access control matrix I made so I could get a better view of how the different mechanisms affect different operations. It's still a work in progress.

Control Affects root? login logoutd su sudo OpenSSH xscreensaver
NOLOGINS_FILE No Yes Yes No
Password locked Yes Yes
Password expired No*** No
/sbin/nologin as shell Yes Yes No**
/etc/porttime Yes Yes* Yes Yes No No No
/etc/limits: L No Yes Yes No
Failure limit exceeded (faillog) Yes Yes No No
/etc/securetty Yes Yes No No No No No
/etc/login.access Yes Yes No
/etc/suauth No N/A N/A Yes N/A N/A N/A
Account expired Yes Yes
Missing home dir No
* If PORTTIME_CHECKS_ENAB in /etc/login.defs
** Users can still connect and authenticate with **ssh -N** and do malicious stuff like tunnel traffic through the server, or connect to other services through the server's loopback address
*** With PubkeyAuthentication

Log messages

| Service | Message to user (if any) | Log message | Control |
|---|---|---|---|
| login | Too many logins. | No logins allowed for `user' / Too many logins (max 1) for user | /etc/limits |
| login | Invalid login time | invalid login time for 'user' on '/dev/tty1' | /etc/porttime |
| login | | LOGIN 'user' REFUSED on '/dev/tty1' | /etc/login.access |
| login | Your password is inactive. Contact the system administrator. | | Password expired |

shadow suite

This is how the shadow suite is built in Slackware 14.1:

```
shadow will be compiled with the following features:

        auditing support:               no
        CrackLib support:               no
        PAM support:                    no
        SELinux support:                no
        ACL support:                    yes
        Extended Attributes support:    yes
        tcb support (incomplete):       no
        shadow group support:           yes
        S/Key support:                  no
        SHA passwords encryption:       yes
        nscd support:                   yes
```

faillog

faillog is mysterious. You can set the defaults for non-existent UIDs with --all --user RANGE, but when you run useradd without the --no-log-init parameter, it resets the values for that UID back to zero. Also, the man page says that with --no-log-init the created user is not added to the lastlog database, which might cause problems.

I think this whole thing in the shadow suite is somewhat inconsistent. This is what src/useradd.c says:

```c
/*
 * Initialize faillog and lastlog entries for this UID in case
 * it belongs to a previously deleted user. We do it only if
 * no user with this UID exists yet (entries for shared UIDs
 * are left unchanged).  --marekm
 */
/* local, no need for xgetpwuid */
if ((!lflg) && (getpwuid (user_id) == NULL)) {
        faillog_reset (user_id);
        lastlog_reset (user_id);
}
```

That's a bit odd, since useradd doesn't seem to do UID 'recycling' at all, which the adduser script also states:

```sh
# This setting enables the 'recycling' of older unused UIDs.
# When you userdel a user, it removes it from passwd and shadow but it will
# never get used again unless you specify it explicitly -- useradd (appears to) just
# look at the last line in passwd and increment the uid.  I like the idea of
# recycling uids but you may have very good reasons not to (old forgotten
# confidential files still on the system could then be owned by this new user).
# We'll set this to no because this is what the original adduser shell script
# did and it's what users expect.
recycleuids=no
```

...And if it did, that would be a grande bad idea(tm).

Bug

There is also some bug/feature in faillog when running it against a zero-sized database: after the first faillog -l 300 -m 1 -u root the record shows the maximum but no lock time, which only appears once the same command has been run a second time:

```
# ls -l /var/log/faillog
-rw-r--r-- 1 root root 0 Oct  5 00:03 /var/log/faillog
# faillog -l 300 -m 1 -u root
# faillog -u root
Login       Failures Maximum Latest                   On

root            0        1   01/01/70 02:00:00 +0200
# faillog -l 300 -m 1 -u root
# faillog -u root
Login       Failures Maximum Latest                   On

root            0        1   01/01/70 02:00:00 +0200   [300s lock]
```
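Reading /var/log/faillog directly shows what the commands above actually left behind for each UID. This is an added example, not code from the wiki or from the shadow suite; it assumes the 32-byte x86_64 layout of struct faillog, approximates login's lock check (marked as an assumption in the code), and runs on constructed sample records:

```python
import struct

# struct faillog from the shadow suite (lib/faillog.h), one fixed-size record per UID:
#   short fail_cnt; short fail_max; char fail_line[12]; time_t fail_time; long fail_locktime;
# Assumes a little-endian x86_64 (LP64) host, where each record is 32 bytes.
FAILLOG_FMT = "<hh12sqq"
FAILLOG_SIZE = struct.calcsize(FAILLOG_FMT)

def pack_record(fail_cnt, fail_max, fail_line, fail_time, fail_locktime):
    """Build one record (used here only to construct sample data)."""
    return struct.pack(FAILLOG_FMT, fail_cnt, fail_max,
                       fail_line.encode().ljust(12, b"\0"), fail_time, fail_locktime)

def read_record(db: bytes, uid: int):
    """Record for UID, or None when the database is too short to contain it.
    A zero-sized /var/log/faillog therefore holds no record for anyone, root included."""
    off = uid * FAILLOG_SIZE
    if len(db) < off + FAILLOG_SIZE:
        return None
    cnt, mx, line, t, lock = struct.unpack_from(FAILLOG_FMT, db, off)
    return {"fail_cnt": cnt, "fail_max": mx,
            "fail_line": line.rstrip(b"\0").decode(errors="replace"),
            "fail_time": t, "fail_locktime": lock}

def locked_out(rec: dict, now: int) -> bool:
    """Assumed approximation of login's checks against this record: the failure
    counter reached its maximum, or the lock window after the last failure is still open."""
    if rec["fail_max"] and rec["fail_cnt"] >= rec["fail_max"]:
        return True
    return bool(rec["fail_locktime"] and rec["fail_cnt"]
                and rec["fail_time"] + rec["fail_locktime"] > now)

def audit(db: bytes, now: int) -> dict:
    """Map UID -> 'locked' / 'policy' / 'none' for every record present in the database."""
    out = {}
    for uid in range(len(db) // FAILLOG_SIZE):
        rec = read_record(db, uid)
        if locked_out(rec, now):
            out[uid] = "locked"
        elif rec["fail_max"] or rec["fail_locktime"]:
            out[uid] = "policy"
        else:
            out[uid] = "none"
    return out

NOW = 1_400_000_000  # constructed "current time" (seconds since the epoch)
# Constructed sample: UID 0 as faillog -l 300 -m 1 -u root leaves it above,
# UID 1 with no policy, UID 2 with three failures against a maximum of three.
SAMPLE_DB = (pack_record(0, 1, "", 0, 300) + pack_record(0, 0, "", 0, 0)
             + pack_record(3, 3, "ssh", NOW - 60, 0))
```

Run audit(open("/var/log/faillog", "rb").read(), int(time.time())) as root to get the same map for a real database.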

porttime

For some reason, you need to specify the rules differently for logoutd and login:

  • login requires the absolute path, with the /dev/ prefix
  • logoutd requires the name without it

You can apparently create a custom message for logoutd (from src/logoutd.c):

```c
#ifndef HUP_MESG_FILE
#define HUP_MESG_FILE "/etc/logoutd.mesg"
#endif
```

TODO

  • xdm
  • Examples of different log messages