feat: add pam_authramp

#127

README.md

@@ -35,7 +35,7 @@ Hardening applied:
 - Pushing upstream fedora to harden the build for all fedora users, including secureblue users ([for example, by enabling CFI](https://bugzilla.redhat.com/show_bug.cgi?id=2252874))
 - Require a password for sudo every time it's called
 - Disable passwordless sudo for `rpm-ostree install` <sup>[why?](https://github.com/rohanssrao/silverblue-privesc)
-- Brute force protection by locking user accounts for 24 hours after 50 failed login attempts, hardened password encryption and password quality suggestions
+- Strong Brute force protection using [pam-authramp](https://github.com/34N0/pam-authramp), hardened password encryption and password quality suggestions
 - Installing chkrootkit, usbguard, and bubblejail
 - Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
 - Configure chronyd to use Network Time Security (NTS) <sup>[using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)</sup>

config/common/common-packages.yml

@@ -1,13 +1,15 @@
 type: rpm-ostree
 repos: 
   - https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/repo/fedora-39/secureblue-hardened_malloc-fedora-39.repo
+  - https://copr.fedorainfracloud.org/coprs/secureblue/pam-authramp/repo/fedora-39/pam-authramp.repo
 install:    
   - lm_sensors
   - lynis
   - hardened_malloc
   - chkrootkit
   - usbguard
   - usbguard-dbus
+  - pam-authramp
 
 
 

config/common/common-scripts.yml

@@ -1,4 +1,5 @@
 type: script
 scripts:
-  - authselect.sh
+  - addauthramp.sh
+  - optoutauthselect.sh
   - setfilepermissions.sh

config/files/usr/etc/security/authramp.conf

@@ -0,0 +1,25 @@
+# AuthRamp Configuration File
+# This file configures the behavior of the AuthRamp PAM module.
+#
+[Configuration]
+# Directory where tally information is stored.
+# Each user has a separate file in this directory to track authentication failures.
+# tally_dir = /var/run/authramp
+#
+# Number of allowed free authentication attempts before applying delays.
+# During these free tries, the module allows authentication without introducing delays.
+# free_tries = 6
+#
+# Base delay applied to each authentication failure.
+# This is the initial delay applied after the free tries are exhausted.
+# base_delay_seconds = 30
+#
+# Multiplier for the delay calculation based on the number of failures.
+# The delay for each subsequent failure is calculated as follows:
+# delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
+# ramp_multiplier = 50
+#
+# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
+# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
+# If you plan to enable this feature, make sure there isn't any tally stored under <tally_dir>/root, or you risk immediate lockout.
+even_deny_root = true

config/scripts/addauthramp.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -euo pipefail
+
+echo "Configuring PAM to use pam_athramp"
+
+system_service="/etc/pam.d/system-auth"
+password_service="/etc/pam.d/password-auth"
+
+header="# Generated by Secureblue"
+authramp_preauth="auth        required                                     libpam_authramp.so preauth"
+authramp_authfail="auth        [default=die]                                libpam_authramp.so authfail"
+authramp_account="account     required                                     libpam_authramp.so"
+
+update_pam_service() {
+    local file="$1"
+
+    sed -i "/^# Generated by authselect/,/^# See authselect(8) for more details./c$header" "$file"
+    sed -i "/^auth\\s\\+sufficient\\s\\+pam_unix\\.so/i$authramp_preauth" "$file"
+    sed -i "/^auth\\s\\+required\\s\\+pam_deny\\.so/i$authramp_authfail" "$file"
+    sed -i "/^account\\s\\+required\\s\\+pam_unix\\.so/i$authramp_account" "$file"
+}
+
+update_pam_service "$system_service"
+update_pam_service "$password_service"
+

config/scripts/optoutauthselect.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+echo "Opting-out of 'authselect' profile generation"
+
+rm /etc/authselect/authselect.conf
+authselect opt-out 1> /dev/null