cis-dil-benchmark-1.4.3 'Ensure authentication required for single user mode' inconsistency between Linux flavors #143
Description
Hello, first of all thanks for the great project, Siemens fans here 👍
While importing the benchmark baseline for some internal tests, we have found that rule cis-dil-benchmark-1.4.3 tests fail on some specific Linux flavors, and we are not sure whether this is a wrong / incomplete benchmark test, or a valid failure.
- cis-dil-benchmark-1.4.3 expects the password entry not to be exactly equal to
!or* - Debian sets by default in the cloud images the
root/etc/shadowpassword to*. This fails validation. - Fedora cloud images otoh sets it to
!locked, which passes validation. - But perhaps the CIS test should test for anything prefixed by
!or an exact* - Standard tooling reports them as being exactly the same state
locked-
Fedora 36:
# cat /etc/redhat-release Fedora release 36 (Thirty Six) # grep root /etc/shadow root:!locked::0:99999:7::: # passwd -S root root LK 1969-12-31 0 99999 7 -1 (Password locked.) -
Debian 11:
# cat /etc/debian_version 11.6 # grep root /etc/shadow root:*:19345:0:99999:7::: # passwd -S root root L 12/19/2022 0 99999 7 -1 # passwd -l root passwd: password expiry information changed. # grep root /etc/shadow root:!*:19345:0:99999:7::: # passwd -S root root L 12/19/2022 0 99999 7 -1
-
The man page says:
# man 5 shadow
...
encrypted password
This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the
password field is empty.
A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
Refer to crypt(3) for details on how this string is interpreted.
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
...So we're not sure if this is a wrong test in CIL or the behaviour is indeed different between both /etc/shadow states. Should !* be valid too? (actually anything !-prefixed)
Could you guys shed some light here? Thanks!