[Bug 1943188] Re: Ensure chrony is configured (Automated)

2021-11-12 Thread Richard Maciel Costa
Hey @scott-mackenzie, any news about this bug? I really could not
reproduce it using multipass images, or the newest images downloaded
from the ubuntu site and installed on QEMU VMs.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943188

Title:
  Ensure chrony is configured (Automated)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1943188/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1942010] Re: Ensure lockout for failed password attempts is configured

2021-11-12 Thread Richard Maciel Costa
Hey @scott-mackenzie, any news about this bug? I really could not
reproduce it using multipass images, or the newest images downloaded
from the ubuntu site and installed on QEMU VMs.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942010

Title:
  Ensure lockout for failed password attempts is configured

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1942010/+subscriptions



[Bug 1943188] Re: Ensure chrony is configured (Automated)

2021-09-10 Thread Richard Maciel Costa
** Changed in: ubuntu-advantage-tools (Ubuntu)
 Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)

** Changed in: ubuntu-advantage-tools (Ubuntu)
   Status: New => In Progress


[Bug 1942010] Re: Ensure lockout for failed password attempts is configured

2021-09-09 Thread Richard Maciel Costa
Hi, the attached files don't look like ones that were changed by the USG
hardening script. Especially because the hardening scripts add the
pam_tally2 files in specific places. Below is the script code:

#
#5.3.2 Ensure lockout for failed password attempts is configured (Automated)
rule-5.3.2()
{
    print_rule_banner "Ensure lockout for failed password attempts is configured"
    egrep -q 'pam_tally2.so.* deny=5 unlock_time=900' /etc/pam.d/common-auth
    if [ $? -gt 0 ]; then
        sed -i "1i # CIS rule 5.3.2\nauth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" /etc/pam.d/common-auth
        sed -i -E '/account\srequisite\s+pam_deny.so/a # CIS rule 5.3.2\naccount required\t\t\tpam_tally2.so' /etc/pam.d/common-account
    fi
}
#

As one may see, the code inserts the pam_tally2 line at the 1st line of
the common-auth file and appends the pam_tally2 line just after the
'account requisite pam_deny.so' line, in the common-auth file.

Check with the customer whether it works if they move the pam_tally2
lines to their correct spot.

I can see a bug in the OVAL used to audit the files, because they just
check for the pam_tally2 lines and not their correct position.

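The audit gap described in the 2021-09-09 comment on bug 1942010 (presence of the pam_tally2 lines is checked, their position is not), as an added example that is not part of the original message or of the USG/OVAL content: a position-aware check beside a presence-only one. It assumes "correct position" means exactly where the hardening script places the lines; the function names and sample PAM files are constructed for illustration.

```shell
# Added example: position-aware audit of the pam_tally2 lines (CIS rule 5.3.2).

# Skip comments and blank lines; pass only if the first active line is the
# pam_tally2 auth line carrying deny=5 and unlock_time=900.
check_common_auth() {
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++) {
               if ($i == "pam_tally2.so") m = 1
               if ($i == "deny=5") d = 1
               if ($i == "unlock_time=900") u = 1 }
           ok = ($1 == "auth" && m && d && u); exit }
         END { exit !ok }' "$1"
}

# Pass only if the active line right after "account requisite pam_deny.so"
# is the pam_tally2 account line.
check_common_account() {
    awk '/^[ \t]*(#|$)/ { next }
         after_deny { ok = ($1 == "account" && $3 == "pam_tally2.so"); exit }
         $1 == "account" && $2 == "requisite" && $3 == "pam_deny.so" { after_deny = 1 }
         END { exit !ok }' "$1"
}

# What a presence-only audit does: any pam_tally2 line anywhere passes.
presence_only() { grep -q 'pam_tally2\.so' "$1"; }

# Write constructed sample files (not taken from the bug) into directory $1.
make_samples() {
    tally='auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
    unix='auth [success=1 default=ignore] pam_unix.so nullok_secure'
    printf '%s\n' '# CIS rule 5.3.2' "$tally" "$unix" \
        'auth requisite pam_deny.so' > "$1/auth.good"
    printf '%s\n' "$unix" 'auth requisite pam_deny.so' "$tally" > "$1/auth.moved"
    printf '%s\n' 'account [success=1 default=ignore] pam_unix.so' \
        'account requisite pam_deny.so' '# CIS rule 5.3.2' \
        'account required pam_tally2.so' > "$1/account.good"
    printf '%s\n' 'account required pam_tally2.so' \
        'account requisite pam_deny.so' > "$1/account.moved"
}

d=$(mktemp -d) && make_samples "$d"
for f in auth.good auth.moved; do
    presence_only "$d/$f" && p=pass || p=fail
    check_common_auth "$d/$f" && q=pass || q=fail
    echo "$f presence=$p position=$q"
done
rm -rf "$d"
```

On the moved samples the presence-only check passes while the position-aware check fails, which is the mismatch the comment attributes to the OVAL audit.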

[Bug 1942010] Re: Ensure lockout for failed password attempts is configured

2021-08-31 Thread Richard Maciel Costa
Hi, is it possible to get copies of the '/etc/pam.d/common-auth' and
'/etc/pam.d/common-account' files?


[Bug 1942010] Re: Ensure lockout for failed password attempts is configured

2021-08-31 Thread Richard Maciel Costa
** Changed in: ubuntu-advantage-tools (Ubuntu)
 Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)


[Bug 1927796] Re: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

2021-05-18 Thread Richard Maciel Costa
By following the same test procedure done in #18 and #19, the Hirsute
build of pam_faillock was successfully validated.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1927796

Title:
  [SRU]pam_tally2 can cause accounts to be locked by correct password.
  pam_faillock use is the recommended fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+subscriptions


[Bug 1927796] Re: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

2021-05-18 Thread Richard Maciel Costa
By following the same test procedure done in #18 and #19, the Groovy
build of pam_faillock was successfully validated.


[Bug 1927796] Re: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

2021-05-18 Thread Richard Maciel Costa
By following the same test procedure done in #18 and #19, the Focal
build of pam_faillock was successfully validated.


[Bug 1927796] Re: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

2021-05-18 Thread Richard Maciel Costa
Additional tests done on bionic: after changing the parameters set in 
/etc/security/faillock.conf to:
deny=2
unlock_time=20

By trying to authenticate with the wrong password 2 times, it was
verified that the account was locked for the amount of time set to the
unlock_time parameter (20s).


[Bug 1927796] Re: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

2021-05-18 Thread Richard Maciel Costa
Tested pam_faillock module for pam on bionic.

The test consisted of setting up pam_faillock with the following
configuration, as described in the man page:

/etc/security/faillock.conf file example:
deny=4
unlock_time=1200
silent

/etc/pam.d/config file example:
auth required   pam_faillock.so preauth
# optionally use requisite above if you do not want to prompt for the password
# on locked accounts
auth sufficient pam_unix.so
auth [default=die]  pam_faillock.so authfail
auth required   pam_deny.so
account  required   pam_faillock.so
# if you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures
account  required   pam_unix.so

A new user 'joas' was created and its password set. Then, initially, 4
logins were made through ssh and terminal, using the correct password.
All were successful.

User 'joas' was, then, logged out and 4 attempts to login with incorrect
password were made. Since pam_faillock module was set to lock on the 4th
incorrect attempt, another try was done, this time with the correct
password.

After confirming that the 'joas' account was locked, by trying, with the
correct password, additional times, the superuser account was used to
display the account stats ('faillock --user joas') and then used to
unlock the 'joas' account ('faillock --user joas --reset').

Then, again 4 logins were made using the correct password, in order to
check it was successfully authenticating.

Another test consisted of typing the wrong password 3 times, then typing
the correct one, to make sure the PAM module was properly resetting the
counter.


[Bug 1927796] [NEW] [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

2021-05-07 Thread Richard Maciel Costa
Public bug reported:

[IMPACT]
There is a known issue in pam_tally2 which may cause an account to be locked
down even with the correct password, in a busy node environment where
simultaneous logins take place (https://github.com/linux-pam/linux-pam/issues/71).

There are already two customer cases from the US Army complaining about
this behavior
(https://canonical.lightning.force.com/lightning/r/Case/5004K03vkq4QAA/view
and
https://canonical.lightning.force.com/lightning/r/Case/5004K03tkbmQAA/view).

Also, potentially, this will cause further problems in the future, since
both STIG benchmarks and CIS benchmarks rely on pam_tally2 to lock
accounts when wrong passwords are used. And both benchmarks - but
especially STIG - require use of a lot of audit rules, which can lead to
the busy node environment.

The issue impacts all pam_tally2 versions distributed in all currently
supported Ubuntu versions and also the next unreleased one. Note that,
according to https://github.com/linux-pam/linux-pam/issues/71, there is
no plan to fix this issue!

[FIX]
This fix proposes to add pam_faillock module to the PAM package, so users of 
pam_tally2 having issues can migrate to pam_faillock. We also plan to modify 
the current STIG benchmarks to rely on pam_faillock instead of pam_tally2, but 
in order to do so, we need the pam_faillock module to be available.

Note that we don't propose to remove pam_tally2, since not every user of
this module is affected.

[TEST]
Tested on a VM installed with Focal server iso and on another with Bionic
server iso. Enabled pam_faillock module as recommended by its man page. Then
tried to log in over ssh with an incorrect password, until the account got locked.
Waited for the configured grace time to unlock and logged in using the correct
password.

Note that, since the pam_tally2 issue is caused by a race condition,
with a hard to recreate environment (we could not even reproduce it with
pam_tally2), we could not reproduce the conditions to test pam_faillock
with.

[REGRESSION POTENTIAL]
The regression potential for this is small, since we're not removing the old 
pam_tally2 module, just adding another one. So anyone still using pam_tally2 
will be able to do so.

** Affects: pam (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: pam-faillock pam-tally2

** Attachment added: "Zip file containing debdiffs of all PAM packages for current supported and for the next distro"
   https://bugs.launchpad.net/bugs/1927796/+attachment/5495607/+files/debdiffs.tgz


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-15 Thread Richard Maciel Costa
Reviewed patches and they look good to me.

However, in the future, we should consider another possibility: disable
FIPS mode for libNSS3 by default, since that lib isn't FIPS-certified.

This can prevent customers from mistakenly thinking the opposite.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885562

Title:
  [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+subscriptions


[Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Richard Maciel Costa
** Changed in: nss (Ubuntu)
 Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)

** Changed in: nss (Ubuntu Bionic)
 Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)
