Implement rule 5.3.2.4 Ensure pam_pwhistory module is enabled

ComplianceAsCode · Dec 16, 2024 · 6356ea8 · 6356ea8
1 parent dfdd193
commit 6356ea8
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 0 deletions.
diff --git a/components/pam.yml b/components/pam.yml
@@ -54,6 +54,7 @@ rules:
 - accounts_password_pam_minclass
 - accounts_password_pam_minlen
 - accounts_password_pam_ocredit
+- accounts_password_pam_pwhistory_enabled
 - accounts_password_pam_pwhistory_remember
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth

diff --git a/...-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh b/...-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
@@ -0,0 +1,22 @@
+# platform = multi_platform_ubuntu
+
+conf_name=cac_pwhistory
+conf_path="/usr/share/pam-configs"
+
+if [ ! -f "$conf_path"/"$conf_name" ]; then
+    if [ -f "$conf_path"/pwhistory ]; then
+        cp "$conf_path"/pwhistory "$conf_path"/"$conf_name"
+        sed -i '/Default: yes/a Priority: 1025\
+Conflicts: pwhistory' "$conf_path"/"$conf_name"
+    else
+        cat << EOF > "$conf_path"/"$conf_name"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+    fi
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/...pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml b/...pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
+    {{{ oval_metadata("The passwords to remember should be set correctly.") }}}
+    <criteria operator="AND" comment="Check if pam_pwhistory.so is properly enabled">
+      <!--
+        pam_pwhistory.so parameters can be defined directly in pam files or, in newer versions,
+        in /etc/security/pwhistory.conf. The last is the recommended option when available. Also,
+        is the option used by auselect tool. However, regardless the approach, a minimal
+        declaration is common in pam files. -->
+      <criterion test_ref="test_accounts_password_pam_pwhistory_remember_common_password"
+        comment="pam_pwhistory.so is properly defined in password section of common-password"/>
+    </criteria>
+  </definition>
+
+  <!-- is pam_pwhistory.so enabled? -->
+  <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_remember_common_password" check="all"
+    check_existence="at_least_one_exists" version="1" comment="Check pam_pwhistory.so presence in /etc/pam.d/common-password">
+    <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_common_password"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_remember_common_password"
+    version="1">
+    <ind:filepath>/etc/pam.d/common-password</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*password[\s]+((?:\[success=\d+\s+default=ignore\])|(?:requisite)|(?:required))[\s]+pam_pwhistory\.so[\s]+.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/...counts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml b/...counts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+
+title: 'Ensure pam_pwhistory module is enabled'
+
+description: |-
+    The <tt>pam_pwhistory.so</tt> module saves the last passwords for each user in order to
+    force password change history and keep the user from alternating between the same
+    password too frequently.
+    This module does not work together with kerberos. In general, it does not make much
+    sense to use this module in conjunction with <tt>NIS</tt> or <tt>LDAP</tt>, since the old passwords are
+    stored on the local machine and are not available on another machine for password
+    history checking.
+
+rationale: |-
+    Use of a unique, complex passwords helps to increase the time and resources required
+    to compromise the password.
+
+severity: medium
+
+platform: package[pam]
diff --git a/...ing_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh b/...ing_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite # pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm "$config_file"
diff --git a/...cking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh b/...cking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm "$config_file"
diff --git a/...cking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh b/...cking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+rm /usr/share/pam-configs/*pwhistory
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update