
Consider to add MFA checking on Lynis #1476

Open
Constacalm opened this issue Apr 1, 2024 · 1 comment
Labels
help-wanted Help for this issue is welcome. Great for those who like to chime in and contribute! support-needed up-for-grabs waiting-for-pull-request Waiting for the creation of a pull request

Comments

@Constacalm
Contributor

Constacalm commented Apr 1, 2024

Is your feature request related to a problem? Please describe.

All users may have a problem with ranking when MFA is in use. For example, if a system already had a strong password policy (via pam_pwquality, for example) on the checked system, but the admin also adds TOTP MFA support (via the Google Authenticator PAM module, TOTP) or even strong MFA (FIDO2/U2F YubiKey PAM module), like Yubico YubiKey/Google Titan/Rutoken MFA, etc., the Lynis security scanner doesn't check such functionality. And that's why Lynis doesn't rank these MFA capabilities at all.

Describe the solution you'd like

Maybe a solution would be to write some checks on Linux (maybe not only Linux) PAM module configuration. To check in those PAM configurations for something like:

auth required pam_google_authenticator.so (for google auth PAM)

or

auth required pam_u2f.so (for PAM modules related to strong hardware MFA based on YubiKey)

and rating them after all

Required changes

Probably consider developing new tests in

https://github.com/CISOfy/lynis/blob/master/include/tests_authentication

to check these MFA additions. Or even to develop a completely new script? I.e.:

https://github.com/CISOfy/lynis/blob/master/include/tests_mfa

Additional context

On one hand these checks may take a lot of variants for each operating system and its PAM module config. On the other hand, it also may vary for a system-wide PAM module or, for example, for TTY login only. But it can also be ranked differently for system-wide MFA and non-system-wide MFA configurations.
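A sketch of the kind of check the issue asks for, written here as an added example and not code from Lynis or from the issue author: it scans a pam.d directory for the MFA modules named above (the module list, the scope rules and the `find_pam_mfa`/`rate_pam_mfa` names are assumptions for this demo), and distinguishes modules loaded from shared auth stacks (system-wide) from ones loaded by a single service such as sshd or login. The sample pam.d trees are constructed inline so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of Lynis: look for MFA-capable PAM modules in a pam.d
# directory and report whether they apply system-wide or to single services only.
# Module list and scope rules are assumptions for this demo, not Lynis tests.

MFA_MODULES="pam_google_authenticator.so pam_u2f.so pam_oath.so pam_yubico.so"

# Emit one line "<scope> <service> <module> <control>" per auth line that loads
# an MFA module. Comments are stripped; "[...]" control fields are kept intact.
find_pam_mfa() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        case "$svc" in
            common-auth|system-auth|password-auth) scope="system-wide" ;;
            *) scope="service" ;;
        esac
        sed 's/#.*//' "$f" | awk -v scope="$scope" -v svc="$svc" -v mods="$MFA_MODULES" '
            BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
            $1 == "auth" {
                ctl = $2; i = 3
                # a bracketed control such as [success=1 default=ignore] spans fields
                if (ctl ~ /^\[/) { while (i <= NF && ctl !~ /]$/) { ctl = ctl " " $i; i++ } }
                if ($i in want) print scope, svc, $i, ctl
            }'
    done
}

# Overall rating for a pam.d tree: "system-wide", "service-only" or "none".
rate_pam_mfa() {
    out=$(find_pam_mfa "$1")
    if [ -z "$out" ]; then echo none
    elif echo "$out" | grep -q '^system-wide '; then echo system-wide
    else echo service-only; fi
}

# Constructed sample pam.d trees (not real system files) for a stand-alone run.
SAMPLE_WIDE=$(mktemp -d); SAMPLE_SSHD=$(mktemp -d); SAMPLE_NONE=$(mktemp -d)
trap 'rm -rf "$SAMPLE_WIDE" "$SAMPLE_SSHD" "$SAMPLE_NONE"' EXIT
printf 'auth required pam_unix.so\nauth required pam_google_authenticator.so nullok\n' >"$SAMPLE_WIDE/common-auth"
printf '# MFA for ssh only\nauth [success=1 default=ignore] pam_u2f.so cue\nauth required pam_unix.so\n' >"$SAMPLE_SSHD/sshd"
printf 'auth required pam_unix.so\n' >"$SAMPLE_NONE/common-auth"

find_pam_mfa "$SAMPLE_WIDE"; rate_pam_mfa "$SAMPLE_WIDE"   # prints: system-wide
find_pam_mfa "$SAMPLE_SSHD"; rate_pam_mfa "$SAMPLE_SSHD"   # prints: service-only
rate_pam_mfa "$SAMPLE_NONE"                                # prints: none
```

Point it at a real tree with `rate_pam_mfa /etc/pam.d`; a real test would also need to follow `include`/`substack` directives and the non-Linux PAM layouts the issue mentions.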

@mboelen mboelen added up-for-grabs support-needed help-wanted Help for this issue is welcome. Great for those who like to chime in and contribute! waiting-for-pull-request Waiting for the creation of a pull request labels May 15, 2024
@mboelen
Member

mboelen commented May 15, 2024

Thanks for your suggestion. We do have some PAM checks in a plugin, but that does not provide suggestions to enable it.

Although I see the benefit of adding it and encouraging users to enable MFA, there is, as you also noticed, a wide range of options. One could even argue that time is better spent on securing your SSH configuration and making that part MFA.

What I will do is mark this suggestion and see if there are more people who want to help drafting up a set of tests.
