For ASB v2's remediateEnsurePasswordExpiration ensure that all user passwords have dates of last changes (#747)
This commit is contained in:
Marius Niculescu
GitHub
Родитель
bcb4b972a0
Коммит
60db2c0977
|
|
@ -15,7 +15,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
|
||||
"contentHash": "C618A254472BC53F0A82B5A4B4518AC32FB44C04DE9B6B4B9E6F525816168C2F",
|
||||
"contentHash": "22470C3C3B91C10529A15FEF1ADA98F776BB7B9DFA4803EE758619288B5EA50E",
|
||||
"configurationParameter": {
|
||||
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
|
||||
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
|
||||
|
|
@ -625,7 +625,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
|
||||
"contentHash": "C618A254472BC53F0A82B5A4B4518AC32FB44C04DE9B6B4B9E6F525816168C2F",
|
||||
"contentHash": "22470C3C3B91C10529A15FEF1ADA98F776BB7B9DFA4803EE758619288B5EA50E",
|
||||
"assignmentType": "ApplyAndAutoCorrect",
|
||||
"configurationParameter": [
|
||||
{
|
||||
|
|
@ -716,7 +716,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
|
||||
"contentHash": "C618A254472BC53F0A82B5A4B4518AC32FB44C04DE9B6B4B9E6F525816168C2F",
|
||||
"contentHash": "22470C3C3B91C10529A15FEF1ADA98F776BB7B9DFA4803EE758619288B5EA50E",
|
||||
"assignmentType": "ApplyAndAutoCorrect",
|
||||
"configurationParameter": [
|
||||
{
|
||||
|
|
@ -807,7 +807,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
|
||||
"contentHash": "C618A254472BC53F0A82B5A4B4518AC32FB44C04DE9B6B4B9E6F525816168C2F",
|
||||
"contentHash": "22470C3C3B91C10529A15FEF1ADA98F776BB7B9DFA4803EE758619288B5EA50E",
|
||||
"assignmentType": "ApplyAndAutoCorrect",
|
||||
"configurationParameter": [
|
||||
{
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
|
||||
"contentHash": "D7655DA524E32327A1FA123B16687BE495973309199B11A2D4269011A8F767DB",
|
||||
"contentHash": "7C81A17C64F4128F3D9AD2F5EFA2459A7C3181072C0222F92ECE43D139C57BAA",
|
||||
"configurationParameter": {
|
||||
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
|
||||
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
|
||||
|
|
@ -624,7 +624,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
|
||||
"contentHash": "D7655DA524E32327A1FA123B16687BE495973309199B11A2D4269011A8F767DB",
|
||||
"contentHash": "7C81A17C64F4128F3D9AD2F5EFA2459A7C3181072C0222F92ECE43D139C57BAA",
|
||||
"assignmentType": "ApplyAndAutoCorrect",
|
||||
"configurationParameter": [
|
||||
{
|
||||
|
|
@ -715,7 +715,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
|
||||
"contentHash": "D7655DA524E32327A1FA123B16687BE495973309199B11A2D4269011A8F767DB",
|
||||
"contentHash": "7C81A17C64F4128F3D9AD2F5EFA2459A7C3181072C0222F92ECE43D139C57BAA",
|
||||
"assignmentType": "ApplyAndAutoCorrect",
|
||||
"configurationParameter": [
|
||||
{
|
||||
|
|
@ -806,7 +806,7 @@
|
|||
"version": "1.0.0",
|
||||
"contentType": "Custom",
|
||||
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
|
||||
"contentHash": "D7655DA524E32327A1FA123B16687BE495973309199B11A2D4269011A8F767DB",
|
||||
"contentHash": "7C81A17C64F4128F3D9AD2F5EFA2459A7C3181072C0222F92ECE43D139C57BAA",
|
||||
"assignmentType": "ApplyAndAutoCorrect",
|
||||
"configurationParameter": [
|
||||
{
|
||||
|
|
|
|||
|
|
@ -1270,7 +1270,7 @@ static char* AuditEnsureMaxDaysBetweenPasswordChanges(void* log)
|
|||
static char* AuditEnsurePasswordExpiration(void* log)
|
||||
{
|
||||
char* reason = NULL;
|
||||
CheckPasswordExpirationLessThan(atoi(g_desiredEnsurePasswordExpiration ?
|
||||
CheckPasswordExpirationLessThan(atol(g_desiredEnsurePasswordExpiration ?
|
||||
g_desiredEnsurePasswordExpiration : g_defaultEnsurePasswordExpiration), &reason, log);
|
||||
return reason;
|
||||
}
|
||||
|
|
@ -1278,7 +1278,7 @@ static char* AuditEnsurePasswordExpiration(void* log)
|
|||
static char* AuditEnsurePasswordExpirationWarning(void* log)
|
||||
{
|
||||
char* reason = NULL;
|
||||
CheckPasswordExpirationWarning(atoi(g_desiredEnsurePasswordExpirationWarning ?
|
||||
CheckPasswordExpirationWarning(atol(g_desiredEnsurePasswordExpirationWarning ?
|
||||
g_desiredEnsurePasswordExpirationWarning : g_defaultEnsurePasswordExpirationWarning), &reason, log);
|
||||
return reason;
|
||||
}
|
||||
|
|
@ -2909,8 +2909,8 @@ static int RemediateEnsureMaxDaysBetweenPasswordChanges(char* value, void* log)
|
|||
static int RemediateEnsurePasswordExpiration(char* value, void* log)
|
||||
{
|
||||
InitEnsurePasswordExpiration(value);
|
||||
return ((0 == SetMaxDaysBetweenPasswordChanges(atol(g_desiredEnsureMaxDaysBetweenPasswordChanges ?
|
||||
g_desiredEnsureMaxDaysBetweenPasswordChanges : g_defaultEnsureMaxDaysBetweenPasswordChanges), log)) &&
|
||||
return ((0 == EnsureUsersHaveDatesOfLastPasswordChanges(log)) &&
|
||||
(0 == SetMaxDaysBetweenPasswordChanges(atol(g_desiredEnsurePasswordExpiration), log)) &&
|
||||
(0 == CheckPasswordExpirationLessThan(atol(g_desiredEnsurePasswordExpiration), NULL, log))) ? 0 : ENOENT;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2339,6 +2339,64 @@ int SetMaxDaysBetweenPasswordChanges(long days, void* log)
|
|||
return status;
|
||||
}
|
||||
|
||||
int EnsureUsersHaveDatesOfLastPasswordChanges(void* log)
|
||||
{
|
||||
const char* commandTemplate = "chage -d %ld %s";
|
||||
char* command = NULL;
|
||||
SIMPLIFIED_USER* userList = NULL;
|
||||
unsigned int userListSize = 0, i = 0;
|
||||
int status = 0, _status = 0;
|
||||
time_t currentTime = 0;
|
||||
long currentDate = time(¤tTime) / NUMBER_OF_SECONDS_IN_A_DAY;
|
||||
|
||||
if (0 == (status = EnumerateUsers(&userList, &userListSize, NULL, log)))
|
||||
{
|
||||
for (i = 0; i < userListSize; i++)
|
||||
{
|
||||
if (false == userList[i].hasPassword)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
else if (userList[i].lastPasswordChange < 0)
|
||||
{
|
||||
OsConfigLogInfo(log, "EnsureUsersHaveDatesOfLastPasswordChanges: password for user '%s' (%u, %u) was never changed (%lu)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, userList[i].lastPasswordChange);
|
||||
|
||||
if (NULL == (command = FormatAllocateString(commandTemplate, currentDate, userList[i].username)))
|
||||
{
|
||||
OsConfigLogError(log, "EnsureUsersHaveDatesOfLastPasswordChanges: cannot allocate memory");
|
||||
status = ENOMEM;
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (0 == (_status = ExecuteCommand(NULL, command, false, false, 0, 0, NULL, NULL, log)))
|
||||
{
|
||||
OsConfigLogInfo(log, "EnsureUsersHaveDatesOfLastPasswordChanges: user '%s' (%u, %u) date of last password change is now set to %ld days since epoch (today)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, currentDate);
|
||||
}
|
||||
|
||||
FREE_MEMORY(command);
|
||||
|
||||
if (0 == status)
|
||||
{
|
||||
status = _status;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
FreeUsersList(&userList, userListSize);
|
||||
|
||||
if (0 == status)
|
||||
{
|
||||
OsConfigLogInfo(log, "EnsureUsersHaveDatesOfLastPasswordChanges: all users who have passwords have dates of last password changes");
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
int CheckPasswordExpirationLessThan(long days, char** reason, void* log)
|
||||
{
|
||||
SIMPLIFIED_USER* userList = NULL;
|
||||
|
|
@ -2362,22 +2420,21 @@ int CheckPasswordExpirationLessThan(long days, char** reason, void* log)
|
|||
{
|
||||
OsConfigLogError(log, "CheckPasswordExpirationLessThan: password for user '%s' (%u, %u) has no expiration date (%ld)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, userList[i].maximumPasswordAge);
|
||||
OsConfigCaptureReason(reason, "User '%s' (%u, %u) password has no expiration date (%ld)",
|
||||
OsConfigCaptureReason(reason, "Password for user '%s' (%u, %u) has no expiration date (%ld)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, userList[i].maximumPasswordAge);
|
||||
status = ENOENT;
|
||||
}
|
||||
else if (userList[i].lastPasswordChange < 0)
|
||||
{
|
||||
OsConfigLogError(log, "CheckPasswordExpirationLessThan: password for user '%s' (%u, %u) has no recorded change date (%ld)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, userList[i].lastPasswordChange);
|
||||
OsConfigCaptureReason(reason, "Password for user '%s' (%u, %u) has no recorded last change date (%ld)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, userList[i].lastPasswordChange);
|
||||
status = ENOENT;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (userList[i].lastPasswordChange < 0)
|
||||
{
|
||||
OsConfigLogInfo(log, "CheckPasswordExpirationLessThan: password for user '%s' (%u, %u) has no recorded change date (%ld)",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, userList[i].lastPasswordChange);
|
||||
passwordExpirationDate = currentDate + userList[i].maximumPasswordAge;
|
||||
}
|
||||
else
|
||||
{
|
||||
passwordExpirationDate = userList[i].lastPasswordChange + userList[i].maximumPasswordAge;
|
||||
}
|
||||
passwordExpirationDate = userList[i].lastPasswordChange + userList[i].maximumPasswordAge;
|
||||
|
||||
if (passwordExpirationDate >= currentDate)
|
||||
{
|
||||
|
|
@ -2392,7 +2449,7 @@ int CheckPasswordExpirationLessThan(long days, char** reason, void* log)
|
|||
{
|
||||
OsConfigLogError(log, "CheckPasswordExpirationLessThan: password for user '%s' (%u, %u) will expire in %ld days, more than requested maximum of %ld days",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, passwordExpirationDate - currentDate, days);
|
||||
OsConfigCaptureReason(reason, "User '%s' (%u, %u) password will expire in %ld days, more than requested maximum of %ld days",
|
||||
OsConfigCaptureReason(reason, "Password for user '%s' (%u, %u) will expire in %ld days, more than requested maximum of %ld days",
|
||||
userList[i].username, userList[i].userId, userList[i].groupId, passwordExpirationDate - currentDate, days);
|
||||
status = ENOENT;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -107,6 +107,7 @@ int CheckMinDaysBetweenPasswordChanges(long days, char** reason, void* log);
|
|||
int SetMinDaysBetweenPasswordChanges(long days, void* log);
|
||||
int CheckMaxDaysBetweenPasswordChanges(long days, char** reason, void* log);
|
||||
int SetMaxDaysBetweenPasswordChanges(long days, void* log);
|
||||
int EnsureUsersHaveDatesOfLastPasswordChanges(void* log);
|
||||
int CheckPasswordExpirationLessThan(long days, char** reason, void* log);
|
||||
int CheckPasswordExpirationWarning(long days, char** reason, void* log);
|
||||
int SetPasswordExpirationWarning(long days, void* log);
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче