Use * for users with no password in /etc/shadow

CIS Benchmark considers the characters * and ! in the password field in
the /etc/shadow file to indicate that a user does not have a password
and is unable to log in if prompted for a password.

This replaces the character 'x' in some of those users with a '*' so the
benchmark can skip those users when checking some password-related
settings.

Test Plan:
PASS: Run build-pkgs -c -p base-passwd.
PASS: Run build-image.
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of
      the controller-0.
PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of
      controller-0 and controller-1.
PASS: Run backup and restore with complete bootstrap.
PASS: Try to log in with user 'keystone' via SSH and verify that it has
      the same behavior as before: asks for a password, but there is no
      valid password to use.

Story: 2011283
Task: 51442

Change-Id: I1aceacd4153a479e4e3b7efa0f74b73abbd298c2
Signed-off-by: Rodrigo Tavares <Rodrigo.DosSantosTavares@windriver.com>
Rodrigo Tavares 2024-12-04 10:52:16 -03:00 committed by Rodrigo dos Santos Tavares
parent de056f5f9d
commit 71f942de10

@ -58,16 +58,16 @@ index ad1dd2d..5ab0d52 100644
-games:*:60:
users:*:100:
nogroup:*:65534:
+nova:x:162:nova
+neutron:x:164:neutron
+ceilometer:x:166:ceilometer
+sysinv:x:168:sysinv
+snmpd:x:169:snmpd,fm
+fm:x:195:fm
+libvirt:x:991:nova
+ironic:x:1874:ironic
+www:x:1877:www
+keystone:x:42424:keystone
+nova:*:162:nova
+neutron:*:164:neutron
+ceilometer:*:166:ceilometer
+sysinv:*:168:sysinv
+snmpd:*:169:snmpd,fm
+fm:*:195:fm
+libvirt:*:991:nova
+ironic:*:1874:ironic
+www:*:1877:www
+keystone:*:42424:keystone
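Review bot: the entries changed here (nova through keystone) have four fields in the name:password:gid:members layout, so they are group entries, while the commit message only talks about users in /etc/shadow. Please state in the message that the group password field is switched from 'x' to '*' as well and which benchmark check needs that, or drop the group change if only the user accounts matter.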
diff --git a/passwd.master b/passwd.master
index f1e69a4..c3a3ebc 100644
--- a/passwd.master
@ -89,15 +89,15 @@ index f1e69a4..c3a3ebc 100644
irc:*:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+neutron:x:164:164:OpenStack Neutron Daemons:/var/lib/neutron:/sbin/nologin
+sysinv:x:168:168:sysinv Daemons:/var/lib/sysinv:/sbin/nologin
+snmpd:x:169:169:net-snmp:/usr/share/snmp:/sbin/nologin
+fm:x:195:195:fm-mgr:/var/lib/fm:/sbin/nologin
+ceilometer:x:991:166:OpenStack ceilometer Daemons:/var/lib/ceilometer:/sbin/nologin
+nova:x:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
+ironic:x:1874:1874:OpenStack Ironic Daemons:/var/lib/ironic:/sbin/nologin
+www:x:1877:1877:www:/home/www:/sbin/nologin
+keystone:x:42424:42424:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
+neutron:*:164:164:OpenStack Neutron Daemons:/var/lib/neutron:/sbin/nologin
+sysinv:*:168:168:sysinv Daemons:/var/lib/sysinv:/sbin/nologin
+snmpd:*:169:169:net-snmp:/usr/share/snmp:/sbin/nologin
+fm:*:195:195:fm-mgr:/var/lib/fm:/sbin/nologin
+ceilometer:*:991:166:OpenStack ceilometer Daemons:/var/lib/ceilometer:/sbin/nologin
+nova:*:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
+ironic:*:1874:1874:OpenStack Ironic Daemons:/var/lib/ironic:/sbin/nologin
+www:*:1877:1877:www:/home/www:/sbin/nologin
+keystone:*:42424:42424:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
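Review bot: the test plan never confirms the stated goal for the entries from neutron to keystone: it checks that SSH login as 'keystone' behaves as before, but not that the password field in the installed /etc/shadow actually reads '*' for all nine accounts. These lines only change the second field of passwd.master, and how that value reaches /etc/shadow is not visible here, so add a test step that inspects /etc/shadow on an installed controller for each of these users. As a style point, the unchanged entries above use /usr/sbin/nologin while these use /sbin/nologin; consider aligning them in a follow-up.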
--
2.17.1