cloudfoundry / bosh-linux-stemcell-builder

BOSH Ubuntu Linux stemcells
Apache License 2.0

Noble pam_lastlog is deprecated its succesor is pam_lastlog2 #343

Open ramonskie opened 2 months ago

ramonskie commented 2 months ago

in stemcell_builder/stages/password_policies/assests/common-passowrd.patch we reference pam_lastlog. But it seems that file does not exist anymore and is deprecated, see release notes https://github.com/linux-pam/linux-pam/releases/tag/v1.5.3 or commit: https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816

pam_lastlog2 https://github.com/thkukuk/lastlog2 is the successor and is now merged within the util-linux package https://packages.ubuntu.com/noble/util-linux https://github.com/util-linux/util-linux

util-linux will add more libraries that we maybe don't need; this needs some investigation into whether it's worth it, as we probably can also log this with one of our loggers.

references:

xtreme-nitin-ravindran commented 2 weeks ago

Ubuntu STIG requires displaying information on the last successful logon. For Jammy:

Group ID (Vulid): V-260551
Group Title: SRG-OS-000480-GPOS-00227
Rule ID: SV-260551r953466_rule
Severity: CAT III
Rule Version (STIG-ID): UBTU-22-412015
Rule Title: Ubuntu 22.04 LTS must display the date and time of the last successful account logon upon logon. 
Check Content:    
Verify users are provided with feedback on when account accesses
last occurred by using the following command: 

$ grep pam_lastlog /etc/pam.d/login 
session required pam_lastlog.so showfailed 

If the line containing "pam_lastlog" is not set to "required", or the "silent" option
is present, the "showfailed" option is missing, the line is commented out,
or the line is missing, this is a finding.

CIS also has rules to audit login events For Jammy

4.1.3.12 Ensure login and logout events are collected (Automated)
Profile Applicability:
 - Level 2 - Server
 - Level 2 - Workstation
Description:
Monitor login and logout events. The parameters below track changes to files associated with login/logout events.
  - /var/log/lastlog - maintain records of the last time a user successfully logged in.
  - /var/run/faillock - directory maintains records of login failures via the pam_faillock module.

The benchmarks for Noble are not published yet, but usually mirrors the benchmarks of the previous version of the OS
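The STIG check quoted above is a single grep plus four conditions a human has to eyeball. The script below, added here as an example and not part of the issue or of the stemcell builder, turns those conditions into a pass/fail function and runs it against constructed sample /etc/pam.d/login files (compliant, commented out, wrong control, silent present). Treating a pam_lastlog2.so line as equivalent to pam_lastlog.so is an assumption on my part for a Noble stemcell; the STIG text only names pam_lastlog.

```shell
#!/bin/sh
# Added example: audit a PAM config file against the UBTU-22-412015 criteria.
# Compliant when an uncommented "session" line loads pam_lastlog.so
# (or pam_lastlog2.so, an assumption for Noble) with control "required",
# carries "showfailed" and does not carry "silent".
# Exit status 0 = compliant, 1 = finding.
check_lastlog_pam() {
    file="$1"
    # Keep only uncommented session lines that load pam_lastlog*.so.
    line=$(grep -E '^[[:space:]]*session[[:space:]]' "$file" 2>/dev/null \
           | grep -E 'pam_lastlog2?\.so' | head -n 1) || true
    if [ -z "$line" ]; then
        echo "finding: no active pam_lastlog session line in $file"
        return 1
    fi
    control=$(printf '%s\n' "$line" | awk '{print $2}')
    if [ "$control" != "required" ]; then
        echo "finding: control is '$control', not 'required' ($file)"
        return 1
    fi
    # Whole-word matches so e.g. "showfailed" inside another token does not count.
    if ! printf '%s\n' "$line" | grep -qE '(^|[[:space:]])showfailed([[:space:]]|$)'; then
        echo "finding: showfailed option missing ($file)"
        return 1
    fi
    if printf '%s\n' "$line" | grep -qE '(^|[[:space:]])silent([[:space:]]|$)'; then
        echo "finding: silent option present ($file)"
        return 1
    fi
    echo "ok: $line ($file)"
    return 0
}

# Constructed sample files standing in for /etc/pam.d/login on different hosts.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'session    required    pam_lastlog.so showfailed\n'        > "$SAMPLE_DIR/login.good"
printf 'session    required    pam_lastlog2.so showfailed\n'       > "$SAMPLE_DIR/login.lastlog2"
printf '#session   required    pam_lastlog.so showfailed\n'        > "$SAMPLE_DIR/login.commented"
printf 'session    optional    pam_lastlog.so showfailed\n'        > "$SAMPLE_DIR/login.optional"
printf 'session    required    pam_lastlog.so silent showfailed\n' > "$SAMPLE_DIR/login.silent"

# Run the check over every sample; findings are reported, not fatal.
for f in "$SAMPLE_DIR"/login.*; do
    if check_lastlog_pam "$f"; then :; fi
done
```

One thing this check cannot tell you is where the data ends up: the CIS rule quoted above watches /var/log/lastlog, which is the legacy pam_lastlog database, whereas upstream lastlog2 defaults to its own database under /var/lib/lastlog/, so an auditd watch carried over from Jammy would need to be re-pointed if the stemcell moves to pam_lastlog2.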

ramonskie commented 2 weeks ago

so the verdict is to use the bloated util-linux package so we continue to use pam_lastlog2

ramonskie commented 2 weeks ago

the util-linux package provided for ubuntu noble is currently only 2.93.3 and lastlog2 is only packaged with util-linux >= 2.40