From 2b59705148feb8ca6aafd9cf050229b069284515 Mon Sep 17 00:00:00 2001
From: Richard Marian Thomaiyar
Date: Sat, 2 Nov 2019 21:24:29 +0530
Subject: pam: Disable sensitive log & nullok

pam_unix logs user name when sessions are established, quiet the same in configuraiton. This is done to avoid logging user name as logs will be exported as part of debug log dump etc, thereby compramising sensitive information. Also disallow nullok login from security point of it.

Tested:
1. Verified that session establishment are not recorded with user name.
2. Verfieid webui, redfish, ipmi, ssh login works as expected.

(From meta-phosphor rev: 15a293b458ef2f013356f9746c0ac7a20e59c1c1)

Change-Id: Ic0fcdbfd9a5968fa55a27b7d2de379f8ba131cac
Signed-off-by: Richard Marian Thomaiyar
Signed-off-by: Brad Bishop
---
 .../recipes-extended/pam/libpam/pam.d/common-auth | 2 +-
 .../recipes-extended/pam/libpam/pam.d/common-session | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 meta-phosphor/recipes-extended/pam/libpam/pam.d/common-session
(limited to 'meta-phosphor/recipes-extended/pam/libpam/pam.d')

diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 58ed74f19..8eef164d1 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -10,7 +10,7 @@
 # here are the per-package modules (the "Primary" block)
 auth [success=ok user_unknown=ignore default=2] pam_tally2.so deny=0 unlock_time=0
 # Try for local user first, and then try for ldap
-auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=2 default=ignore] pam_unix.so quiet
 -auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
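Review bot: `quiet` on the new pam_unix auth line is documented by pam_unix(8) as turning off only the session open/close informational syslog messages, so on the auth stack it appears to be a no-op and the effective change in this hunk is dropping `nullok_secure`. As far as I recall, pam_unix's "authentication failure ... user=NAME" notice on a rejected password is not governed by that option, so user names may still reach syslog on failed logins, which the Tested section (successful logins only) would not reveal; worth confirming with one failed-login attempt before relying on this for the debug-dump concern. A comment stating the intent would also help the next reader, e.g. `# no nullok: a local account with an empty password must not authenticate here`.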
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-session b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-session
new file mode 100644
index 000000000..e8751d2ee
--- /dev/null
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-session
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so quiet
-- cgit v1.2.3
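Review bot: `quiet` on the final `session required pam_unix.so` line suppresses the "session opened/closed for user X" syslog entries, which are the per-user login audit trail that incident response and detection rules normally consume; the commit trades that for keeping user names out of exported debug dumps, but nothing in the file records that reasoning. A comment above the line would preserve it, e.g. `# quiet: suppress pam_unix "session opened/closed for user" syslog lines, which would otherwise be exported in debug log dumps`. Presumably some other record of who logged in (the calling service's own log, or a filter on the dump export) is expected to cover the gap — worth naming which, since after this change no module in this stack logs the session. Note also that with pam_permit as the only Primary module, `[default=1]` always jumps over pam_deny, so this stack can never reject a session; that matches the Debian template shape but deserves a comment if it is intentional here.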