Activity log for bug #2065113

Date                 Who              What changed   Old value -> New value
2024-05-07 22:25:56  Jaimes Joschko   bug            (added bug)
2024-05-07 22:27:01  Jaimes Joschko   description    (edited; the old value differed from the new one only in that the bolded note about `/etc/security/pwquality.conf` sat inside the code fence of the workaround command. The edited description follows.)

# TLDR

After applying CIS server level 1 or 2 on Ubuntu 22.04 Jammy Jellyfish the command `passwd` fails with the error "passwd: Module is unknown".

# Workaround/fix

Install `libpam-pwquality` using

```
sudo apt install libpam-pwquality
```

**keep your currently-installed version of `/etc/security/pwquality.conf` and Do not override local changes**

# Reproduction

## Image Info

```
ubuntu@CIS-01:~$ uname -a
Linux CIS-01 5.15.0-105-generic #115-Ubuntu SMP Mon Apr 15 09:52:04 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@CIS-01:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy
```

## Steps to reproduce

On a fresh Ubuntu 22.04 Jammy Jellyfish install, attach the server to Ubuntu Pro:

```
sudo pro attach <TOKEN>
```

Enable `usg`:

```
sudo pro enable usg
```

Install the `usg` tool:

```
sudo apt install usg
```

Audit the system with `cis_level1_server`:

```
sudo usg audit cis_level1_server
```

Generate a tailoring file:

```
sudo usg generate-tailoring cis_level1_server cis_level1_server-tailor-config.xml
```

Generate the fix script:

```
sudo usg generate-fix --output cis_level1_server-fix_script.sh --tailoring-file cis_level1_server-tailor-config.xml
```

Run the fix script on a test server:

```
sudo bash cis_level1_server-fix_script.sh
```

Reboot to finish applying the fixes:

```
sudo reboot
```

Log back into the machine. Then try to change `root`'s password and `ubuntu`'s password:

```
ubuntu@CIS-01:~$ sudo passwd
passwd: Module is unknown
passwd: password unchanged
ubuntu@CIS-01:~$ sudo passwd root
passwd: Module is unknown
passwd: password unchanged
ubuntu@CIS-01:~$ sudo -i
root@CIS-01:~# passwd
passwd: Module is unknown
passwd: password unchanged
```

Inspecting the file `/etc/pam.d/common-password` on the machine, the following is the diff between it and a fresh image:

```
diff common-password-fresh /etc/pam.d/common-password
```

output

```
25c25
< password [success=1 default=ignore] pam_unix.so obscure yescrypt
---
> password [success=1 default=ignore] pam_unix.so obscure yescrypt remember=5
27c27
< password requisite pam_deny.so
---
> password requisite pam_deny.so
31c31
< password required pam_permit.so
---
> password required pam_permit.so
34c34
<
---
> password requisite pam_pwquality.so retry=3
```

Looking at `/var/log/auth.log` it looks like the module isn't there:

```
May 7 11:17:01 CIS-01 CRON[1691]: PAM unable to dlopen(pam_pwquality.so): /lib/security/pam_pwquality.so: cannot open shared object file: No such file or directory
May 7 11:17:01 CIS-01 CRON[1691]: PAM adding faulty module: pam_pwquality.so
```

Double-checking with

```
ls /lib/x86_64-linux-gnu/security/ | grep "pam_pwquality"
```

it's not there. Looking at

```
sudo apt-cache policy libpam-pwquality
```

it's not installed:

```
libpam-pwquality:
  Installed: (none)
  Candidate: 1.4.4-1build2
  Version table:
     1.4.4-1build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
```

Installing the package

```
sudo apt install libpam-pwquality
```

**keep your currently-installed version of `/etc/security/pwquality.conf` and Do not override local changes**

Once it is installed, changing passwords works fine.

```
ubuntu@CIS-01:~$ sudo passwd root
New password:
Retype new password:
passwd: password updated successfully
```

# Suggested Fix

Have the USG tool install the `libpam-pwquality` package while hardening.
2024-05-08 06:38:08  Miha Purg        usg: assignee  (none) -> Miha Purg (mihap)
2024-05-08 06:46:09  Miha Purg        usg: status    New -> Incomplete
2024-05-10 18:42:41  Miha Purg        usg: status    Incomplete -> Fix Committed
2024-06-18 16:21:39  Miha Purg        usg: status    Fix Committed -> Fix Released
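The failure diagnosed in the report (a `/etc/pam.d` file referencing `pam_pwquality.so` while the shared object is not installed) can be caught before the reboot by checking every module a PAM config names against the module directories. This is an added example, not code from the bug report or from usg: `pam_missing_modules` is a hypothetical helper, and the two search directories are the ones the auth.log line and the `ls` command in the report refer to.

```shell
#!/bin/sh
# pam_missing_modules CONFIG DIR...: print each PAM module named in CONFIG that
# exists in none of the DIRs (absolute module paths are checked as given).
# Returns 1 if anything is missing. Hypothetical helper, not part of usg.
pam_missing_modules() {
    conf="$1"
    shift
    missing=0
    # A PAM line is: type control module-path [args]. The control field may be
    # bracketed ("[success=1 default=ignore]"), so take the first token ending
    # in .so instead of a fixed column; comments, blanks and @include lines are
    # skipped.
    for mod in $(awk '!/^[ \t]*(#|$|@include)/ {
                          for (i = 1; i <= NF; i++)
                              if ($i ~ /\.so$/) { print $i; break }
                      }' "$conf" | sort -u); do
        found=0
        case "$mod" in
            /*) [ -f "$mod" ] && found=1 ;;
            *)  for dir in "$@"; do
                    if [ -f "$dir/$mod" ]; then found=1; break; fi
                done ;;
        esac
        if [ "$found" -eq 0 ]; then
            echo "$mod"
            missing=1
        fi
    done
    return "$missing"
}

# Module search path: the two locations the auth.log line and the ls command in
# the report refer to (assumes the amd64 multiarch layout of the reporter's host).
PAM_DIRS="/lib/x86_64-linux-gnu/security /lib/security"

# Stand-alone use: run after the fix script and before rebooting. On the
# reporter's host this prints "/etc/pam.d/common-password: missing pam_pwquality.so".
if [ -d /etc/pam.d ]; then
    for f in /etc/pam.d/*; do
        [ -f "$f" ] || continue
        # $PAM_DIRS is unquoted on purpose so it splits into two arguments.
        pam_missing_modules "$f" $PAM_DIRS | sed "s|^|$f: missing |"
    done
fi
```

A non-empty result means a password change (or any other stack using that file) will fail with "Module is unknown" exactly as in the report, so the package providing the module has to be installed before the host is rebooted.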