From 29e58f656aa84d3a6ca8589c8d5d29f1d0dcbd30 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 6 Jan 2025 19:43:21 +0000
Subject: [PATCH] Implement accounts_passwords_pam_faillock_enabled

---
 .../bash/shared.sh                            |   3 +
 .../oval/shared.xml                           | 121 ++++++++++++++++++
 .../tests/ubuntu_correct.pass.sh              |   4 +
 .../tests/ubuntu_empty_faillock_conf.pass.sh  |   6 +
 .../tests/ubuntu_multiple_pam_unix.fail.sh    |  11 ++
 5 files changed, 145 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_empty_faillock_conf.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh
new file mode 100644
index 000000000000..43feff6ed1e8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_faillock_enable() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/oval/shared.xml
new file mode 100644
index 000000000000..8cdf01595088
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/oval/shared.xml
@@ -0,0 +1,121 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="6">
+    {{{ oval_metadata(DESCRIPTION) }}}
+
+    {{% if 'debian' in product or 'ubuntu' in product %}}
+
+    <criteria operator="AND" comment="Check the proper configuration of pam_faillock.so">
+      <!-- pam_unix.so is a control module present in all realistic scenarios and also used
+           as reference for the correct position of pam_faillock.so in auth section. If the
+           system is properly configured, it must appear only once in auth section. -->
+      <criterion test_ref="test_accounts_passwords_pam_faillock_common_pam_unix_auth"
+		  comment="pam_unix.so appears only once in auth section of common-auth"/>
+      <criterion test_ref="test_accounts_passwords_pam_faillock_common_pam_faillock_auth"
+		  comment="pam_faillock.so is properly defined in auth section of common-auth"/>
+      <criterion test_ref="test_accounts_passwords_pam_faillock_common_pam_faillock_account"
+		  comment="pam_faillock.so is properly defined in common-account"/>
+    </criteria>
+
+    {{% endif %}}    
+  </definition>
+
+  <!-- The following tests demand complex regex which are necessary more than once.
+       These variables make simpler the usage of regex patterns. -->
+  <constant_variable id="var_accounts_passwords_pam_faillock_pam_unix_regex"
+                     datatype="string" version="2"
+                     comment="regex to identify pam_unix.so in auth section of pam files">
+    <value>^\s*auth\N+pam_unix\.so</value>
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_pam_faillock_auth_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    {{% if 'debian' in product %}}
+    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
+    {{% elif 'ubuntu' in product %}}
+    <value>^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail</value>
+    {{% elif 'openeuler' in product or 'kylinserver' in product %}}
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+    {{% else %}}
+    <value>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</value>
+    {{% endif %}}
+  </constant_variable>
+
+  <constant_variable
+      id="var_accounts_passwords_pam_faillock_pam_faillock_account_regex"
+      datatype="string" version="2"
+      comment="regex to identify pam_faillock.so entry in account section of pam files">
+    {{% if 'debian' in product or 'ubuntu' in product %}}
+    <value>^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$</value>
+    {{% elif 'openeuler' in product or 'kylinserver' in product %}}
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so</value>
+    {{% else %}}
+    <value>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</value>
+    {{% endif %}}
+  </constant_variable>
+
+  {{% macro generate_test_faillock_enabled(file_stem) %}}
+  <!-- Check occurences of pam_unix.so in auth section of {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="none_exist" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_unix_auth"
+      comment="no more that one pam_unix.so is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object object_ref="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_unix_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_unix_auth"
+      comment="Get the second and subsequent occurrences of pam_unix.so in auth section of {{{ file_stem}}}-auth">
+    <ind:filepath>/etc/pam.d/{{{file_stem}}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match" var_ref="var_accounts_passwords_pam_faillock_pam_unix_regex"/>
+    <ind:instance datatype="int" operation="greater than">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-auth file -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_auth"
+      comment="One and only one occurrence is expected in auth section of {{{ file_stem }}}-auth">
+    <ind:object
+	object_ref="object_accounts_passwords_pam_faillock_{{{ PRM_NAME}}}_{{{ file_stem }}}_pam_faillock_auth"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ PRM_NAME}}}_{{{ file_stem }}}_pam_faillock_auth"
+      comment="Check common definition of pam_faillock.so in auth section of common-auth">
+    <ind:filepath>/etc/pam.d/{{{ file_stem }}}-auth</ind:filepath>
+    <ind:pattern operation="pattern match"
+		 var_ref="var_accounts_passwords_pam_faillock_pam_faillock_auth_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_enabled (file_stem="common")   }}}
+
+  {{% macro generate_test_faillock_account(file_stem, file) %}}
+  <!-- Check common definition of pam_faillock.so in {{{ file_stem }}}-account -->
+  <ind:textfilecontent54_test
+      check="all" check_existence="only_one_exists" version="2"
+      id="test_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_account"
+      comment="One and only one occurrence is expected in {{{ file }}}">
+    <ind:object
+	object_ref="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_account"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object
+      version="2"
+      id="object_accounts_passwords_pam_faillock_{{{ file_stem }}}_pam_faillock_account"
+      comment="Check common definition of pam_faillock.so in account section of {{{ file }}}">
+    <ind:filepath>/etc/pam.d/{{{ file }}}</ind:filepath>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_pam_faillock_account_regex"/>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{{ generate_test_faillock_account (file_stem="common",   file="common-account") }}}
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
new file mode 100644
index 000000000000..bc1a71c76143
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_empty_faillock_conf.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_empty_faillock_conf.pass.sh
new file mode 100644
index 000000000000..87ad63f8fc9a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_empty_faillock_conf.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+echo > /etc/security/faillock.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh
new file mode 100644
index 000000000000..20d85d146754
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+
+sed -i '/# end of pam-auth-update config/i\auth        sufficient       pam_unix.so' /etc/pam.d/common-auth