Consider to add MFA checking on Lynis #1476
Labels: help-wanted, support-needed, up-for-grabs, waiting-for-pull-request
Is your feature request related to a problem? Please describe.
All users may have a problem with ranking when MFA is in use. For example, if a system already has a strong password policy (via pam_pwquality, for example) on the checked system, but the admin also adds TOTP MFA support (via google authenticator PAM module TOTP) or even strong MFA (FIDO2/U2F Yubikey PAM module), like Yubico Yubikey/Google Titan/Rutoken MFA, etc., the Lynis security scanner doesn't check such functionality. And that's why Lynis doesn't rank these MFA capabilities at all.
Describe the solution you'd like
Maybe a solution would be to write some checks on Linux (maybe not only Linux) PAM module configuration. To check in those PAM configurations for something like:
auth required pam_google_authenticator.so (for Google Authenticator PAM)
or
auth required pam_u2f.so (for PAM modules related to strong hardware MFA based on Yubikey)
and rate them after all
Required changes
Probably consider developing new tests in
https://github.com/CISOfy/lynis/blob/master/include/tests_authentication
to check these MFA additions. Or even develop a completely new script? I.e.:
https://github.com/CISOfy/lynis/blob/master/include/tests_mfa
Additional context
On the one hand, these checks may take a lot of variants for each operating system and its PAM module config. On the other hand, it may also vary for a system-wide PAM module or, for example, for TTY login only. But it can also be ranked differently for some system-wide MFA and not system-wide MFA configurations.
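A sketch of the PAM check proposed in this issue, added here as an example; it is not Lynis code and not part of the original post. The function names are hypothetical, and it assumes one file per service in a PAM directory without following include lines or line continuations.

```shell
#!/bin/sh
# Added example, not Lynis code: function names are hypothetical.
# Assumes one file per service in the PAM directory (e.g. /etc/pam.d);
# "include"/"substack" references and backslash continuations are not followed.

# Print "file:control:module" for every active auth line that loads
# one of the two MFA modules named in the issue.
find_mfa_pam_lines() {
    pam_dir="$1"
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Drop comments first so a commented-out module is not counted.
        sed -e 's/#.*//' "$f" | awk -v file="${f##*/}" '
            NF >= 3 {
                type = $1; sub(/^-/, "", type)       # "-auth" is still an auth line
                ctl = $2; i = 3
                if (ctl ~ /^\[/)                     # [success=1 default=ignore]
                    while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
                mod = $i; sub(/.*\//, "", mod)       # strip /lib/security/ prefix
                if (type == "auth" && (mod == "pam_google_authenticator.so" || mod == "pam_u2f.so"))
                    print file ":" ctl ":" mod
            }'
    done
}

# enforced: some match is required/requisite (its failure fails the stack)
# present:  module configured, but only with a weaker control flag
# none:     no active auth line loads either module
mfa_pam_status() {
    lines=$(find_mfa_pam_lines "$1")
    [ -n "$lines" ] || { echo none; return 0; }
    if printf '%s\n' "$lines" | grep -Eq ':(required|requisite):'; then
        echo enforced
    else
        echo present
    fi
}

# Constructed sample directory, not taken from a real system.
demo=$(mktemp -d)
printf '%s\n' '# auth required pam_u2f.so' 'auth required pam_unix.so' \
    'auth [success=1 default=ignore] pam_u2f.so cue' > "$demo/login"
printf '%s\n' 'auth required /lib/security/pam_google_authenticator.so' > "$demo/sshd"
find_mfa_pam_lines "$demo"
echo "status: $(mfa_pam_status "$demo")"
rm -rf "$demo"
```

The per-file output keeps the service name, so a rating step could distinguish MFA on a single service (for example TTY login only) from MFA configured across all services.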