diff --git a/components/pam.yml b/components/pam.yml index c9402fce8c3..14d7501a094 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -54,6 +54,7 @@ rules: - accounts_password_pam_minclass - accounts_password_pam_minlen - accounts_password_pam_ocredit +- accounts_password_pam_pwhistory_enabled - accounts_password_pam_pwhistory_remember - accounts_password_pam_pwhistory_remember_password_auth - accounts_password_pam_pwhistory_remember_system_auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh new file mode 100644 index 00000000000..124e3df8e9b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh @@ -0,0 +1,22 @@ +# platform = multi_platform_ubuntu + +conf_name=cac_pwhistory +conf_path="/usr/share/pam-configs" + +if [ ! -f "$conf_path"/"$conf_name" ]; then + if [ -f "$conf_path"/pwhistory ]; then + cp "$conf_path"/pwhistory "$conf_path"/"$conf_name" + sed -i '/Default: yes/a Priority: 1025\ +Conflicts: pwhistory' "$conf_path"/"$conf_name" + else + cat << EOF > "$conf_path"/"$conf_name" +Name: pwhistory password history checking +Default: yes +Priority: 1024 +Password-Type: Primary +Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok +EOF + fi +fi + +DEBIAN_FRONTEND=noninteractive pam-auth-update diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml new file mode 100644 index 00000000000..9917af95998 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml @@ -0,0 +1,27 @@ + + + {{{ oval_metadata("The passwords to remember should be set correctly.") }}} + + + + + + + + + + + + + /etc/pam.d/common-password + ^[\s]*password[\s]+((?:\[success=\d+\s+default=ignore\])|(?:requisite)|(?:required))[\s]+pam_pwhistory\.so[\s]+.*$ + 1 + + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml new file mode 100644 index 00000000000..63ae962b2c8 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml @@ -0,0 +1,20 @@ +documentation_complete: true + + +title: 'Ensure pam_pwhistory module is enabled' + +description: |- + The pam_pwhistory.so module is part of the Pluggable Authentication Modules (PAM) + framework designed to increase password security. It works by storing a history of previously + used passwords for each user, ensuring users cannot alternate between the same passwords too frequently. +

+ This module is incompatible with Kerberos. Furthermore, its usage with NIS or LDAP is + generally impractical, as other machines can not access local password histories. + +rationale: |- + Enforcing strong passwords increases the difficulty and resources required + for password compromise. + +severity: medium + +platform: package[pam] diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh new file mode 100644 index 00000000000..91c74a66e30 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +config_file=/usr/share/pam-configs/tmp_pwhistory +cat << EOF > "$config_file" +Name: pwhistory password history checking +Default: yes +Priority: 1024 +Password-Type: Primary +Password: requisite # pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update + +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh new file mode 100644 index 00000000000..0b6d30e3652 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +config_file=/usr/share/pam-configs/tmp_pwhistory +cat << EOF > "$config_file" +Name: pwhistory password history checking +Default: yes +Priority: 1024 +Password-Type: Primary +Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update + +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh new file mode 100644 index 00000000000..22496c997b5 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +rm /usr/share/pam-configs/*pwhistory + +DEBIAN_FRONTEND=noninteractive pam-auth-update