From 690e8dd826d1cb39c0c12c03792781862cc2dd23 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 19 Oct 2024 23:49:07 -0500 Subject: [PATCH] Avoid faillock lock/tally reset on reboot or timeout --- debian/security-misc.postinst | 3 +++ etc/security/faillock.conf.security-misc | 11 +++++++--- usr/libexec/security-misc/pam-info | 5 ++++- ...ty-misc => faillock-preauth-security-misc} | 7 ++----- usr/share/pam-configs/faillock2-security-misc | 8 -------- .../pam-configs/unix-faillock-security-misc | 20 +++++++++++++++++++ 6 files changed, 37 insertions(+), 17 deletions(-) rename usr/share/pam-configs/{faillock-security-misc => faillock-preauth-security-misc} (60%) delete mode 100644 usr/share/pam-configs/faillock2-security-misc create mode 100644 usr/share/pam-configs/unix-faillock-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index e232778..41aa3dc 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -52,6 +52,9 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true + + ## state dir for faillock + mkdir -p /var/lib/security-misc/faillock ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index d52c196..3442279 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc @@ -6,7 +6,7 @@ # # The directory where the user files with the failure records are kept. # The default is /var/run/faillock. -# dir = /var/run/faillock +dir = /var/lib/security-misc/faillock # # Will log the user name into the system log if the user is not found. # Enabled if option is present. @@ -38,14 +38,19 @@ deny = 50 # authentication failures must happen for the user account # lock out is n seconds. # The default is 900 (15 minutes). -# fail_interval = 900 +# security-misc note: the interval should be set to infinity if possible, +# however pam_faillock arbitrarily limits this variable to a maximum of 604800 +# seconds (7 days). See +# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 +# for details. Therefore we set this to the maximum allowable value of 7 days. +fail_interval = 604800 # # The access will be re-enabled after n seconds after the lock out. # The value 0 has the same meaning as value `never` - the access # will not be re-enabled without resetting the faillock # entries by the `faillock` command. # The default is 600 (10 minutes). -# unlock_time = 600 +unlock_time = never # # Root account can become locked as well as regular accounts. # Enabled if option is present. diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 6f2172c..50dd9d7 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -21,6 +21,9 @@ true "$0: START PHASE 2" set -o pipefail +## Named constants. +pam_faillock_state_dir="/var/lib/security-misc/faillock" + ## Debugging. who_ami="$(whoami)" true "$0: who_ami: $who_ami" @@ -102,7 +105,7 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then +if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-preauth-security-misc similarity index 60% rename from usr/share/pam-configs/faillock-security-misc rename to usr/share/pam-configs/faillock-preauth-security-misc index d337690..f72826c 100644 --- a/usr/share/pam-configs/faillock-security-misc +++ b/usr/share/pam-configs/faillock-preauth-security-misc @@ -1,11 +1,8 @@ -Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) +Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) Default: yes -Priority: 290 +Priority: 1024 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x required pam_faillock.so preauth -Account-Type: Primary -Account: - requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc deleted file mode 100644 index 7bc5fb7..0000000 --- a/usr/share/pam-configs/faillock2-security-misc +++ /dev/null @@ -1,8 +0,0 @@ -Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) -Default: yes -Priority: 245 -Auth-Type: Primary -Auth: - [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - sufficient pam_faillock.so authsucc diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc new file mode 100644 index 0000000..876ffa8 --- /dev/null +++ b/usr/share/pam-configs/unix-faillock-security-misc @@ -0,0 +1,20 @@ +Name: Unix authentication with faillock (by package security-misc) +Default: yes +Priority: 384 +Auth-Type: Primary +Auth: + [success=3 default=ignore] pam_unix.so nullok try_first_pass + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so +Auth-Initial: + [success=3 default=ignore] pam_unix.so nullok + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so