From 71f942de10df925687c48145dd933fe55c1b886b Mon Sep 17 00:00:00 2001
From: Rodrigo Tavares
Date: Wed, 4 Dec 2024 10:52:16 -0300
Subject: [PATCH] Use * for users with no password in /etc/shadow

CIS Benchmark considers the characters * and ! in the password field in
the /etc/shadow file to indicate that a user does not have a password
and is unable to log in if prompted for a password. This replaces the
character 'x' in some of those users with a '*' so the benchmark can
skip those users when checking some password-related settings.

Test Plan:
PASS: Run build-pkgs -c -p base-passwd.
PASS: Run build-image.
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of
      the controller-0.
PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of
      controller-0 and controller-1.
PASS: Run backup and restore with complete bootstrap.
PASS: Try to log in with user 'keystone' via SSH and verify that it has
      the same behavior as before: asks for a password, but there is no
      valid password to use.

Story: 2011283
Task: 51442

Change-Id: I1aceacd4153a479e4e3b7efa0f74b73abbd298c2
Signed-off-by: Rodrigo Tavares
---
 .../patches/0001-Change-group-passwd.patch | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/base/base-passwd/debian/patches/0001-Change-group-passwd.patch b/base/base-passwd/debian/patches/0001-Change-group-passwd.patch
index 6229509e8..5b8dcb8c8 100644
--- a/base/base-passwd/debian/patches/0001-Change-group-passwd.patch
+++ b/base/base-passwd/debian/patches/0001-Change-group-passwd.patch
@@ -58,16 +58,16 @@ index ad1dd2d..5ab0d52 100644 -games:*:60: users:*:100: nogroup:*:65534: -+nova:x:162:nova -+neutron:x:164:neutron -+ceilometer:x:166:ceilometer -+sysinv:x:168:sysinv -+snmpd:x:169:snmpd,fm -+fm:x:195:fm -+libvirt:x:991:nova -+ironic:x:1874:ironic -+www:x:1877:www -+keystone:x:42424:keystone ++nova:*:162:nova ++neutron:*:164:neutron ++ceilometer:*:166:ceilometer ++sysinv:*:168:sysinv ++snmpd:*:169:snmpd,fm ++fm:*:195:fm ++libvirt:*:991:nova ++ironic:*:1874:ironic ++www:*:1877:www ++keystone:*:42424:keystone diff --git a/passwd.master b/passwd.master index f1e69a4..c3a3ebc 100644 --- a/passwd.master 
@@ -89,15 +89,15 @@ index f1e69a4..c3a3ebc 100644 irc:*:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin -+neutron:x:164:164:OpenStack Neutron Daemons:/var/lib/neutron:/sbin/nologin -+sysinv:x:168:168:sysinv Daemons:/var/lib/sysinv:/sbin/nologin -+snmpd:x:169:169:net-snmp:/usr/share/snmp:/sbin/nologin -+fm:x:195:195:fm-mgr:/var/lib/fm:/sbin/nologin -+ceilometer:x:991:166:OpenStack ceilometer Daemons:/var/lib/ceilometer:/sbin/nologin -+nova:x:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin -+ironic:x:1874:1874:OpenStack Ironic Daemons:/var/lib/ironic:/sbin/nologin -+www:x:1877:1877:www:/home/www:/sbin/nologin -+keystone:x:42424:42424:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin ++neutron:*:164:164:OpenStack Neutron Daemons:/var/lib/neutron:/sbin/nologin ++sysinv:*:168:168:sysinv Daemons:/var/lib/sysinv:/sbin/nologin ++snmpd:*:169:169:net-snmp:/usr/share/snmp:/sbin/nologin ++fm:*:195:195:fm-mgr:/var/lib/fm:/sbin/nologin ++ceilometer:*:991:166:OpenStack ceilometer Daemons:/var/lib/ceilometer:/sbin/nologin ++nova:*:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin ++ironic:*:1874:1874:OpenStack Ironic Daemons:/var/lib/ironic:/sbin/nologin ++www:*:1877:1877:www:/home/www:/sbin/nologin ++keystone:*:42424:42424:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin -- 2.17.1
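Review bot: the first hunk (@@ -58,16 +58,16 @@, the group entries from nova:*:162:nova through keystone:*:42424:keystone) changes the group password field, but the commit message only talks about users in /etc/shadow and never mentions groups. Please add a sentence to the commit message saying why the group entries move from 'x' to '*' as well, for example that it matches the existing context entries (games:*:60:, users:*:100:, nogroup:*:65534:) or that the benchmark also inspects the group password field, so a later reader does not take the group change for an accidental search-and-replace.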
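Review bot: the second hunk (@@ -89,15 +89,15 @@, passwd.master) changes the password field for nine accounts, neutron through keystone, while the Test Plan only exercises a login attempt for 'keystone'. Consider adding a test step that inspects the generated /etc/shadow on the installed controller and confirms that each of the nine entries carries '*' in the password field and none is left empty or still 'x', since that is the property the benchmark check depends on. As a smaller style point, the added entries use /sbin/nologin while the neighbouring context lines (irc, gnats, nobody) use /usr/sbin/nologin; if both paths resolve on the target image this is harmless, but one spelling across the file would be easier to audit.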