From 8d97a794ad6bffa19d24db378b3021f9c89b55ca Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Mon, 16 Dec 2024 18:57:46 +0000
Subject: [PATCH] Implement rule 5.3.2.4 Ensure pam_pwhistory module is enabled

---
 components/pam.yml                            |  1 +
 .../bash/shared.sh                            | 22 +++++++++++++++
 .../oval/shared.xml                           | 27 +++++++++++++++++++
 .../rule.yml                                  | 20 ++++++++++++++
 .../tests/commented.fail.sh                   | 15 +++++++++++
 .../tests/correct.pass.sh                     | 15 +++++++++++
 .../tests/missing.fail.sh                     |  6 +++++
 7 files changed, 106 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh

diff --git a/components/pam.yml b/components/pam.yml
index c9402fce8c3..14d7501a094 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -54,6 +54,7 @@ rules:
 - accounts_password_pam_minclass
 - accounts_password_pam_minlen
 - accounts_password_pam_ocredit
+- accounts_password_pam_pwhistory_enabled
 - accounts_password_pam_pwhistory_remember
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
new file mode 100644
index 00000000000..124e3df8e9b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
@@ -0,0 +1,22 @@
+# platform = multi_platform_ubuntu
+
+conf_name=cac_pwhistory
+conf_path="/usr/share/pam-configs"
+
+if [ ! -f "$conf_path"/"$conf_name" ]; then
+    if [ -f "$conf_path"/pwhistory ]; then
+        cp "$conf_path"/pwhistory "$conf_path"/"$conf_name"
+        sed -i '/Default: yes/a Priority: 1025\
+Conflicts: pwhistory' "$conf_path"/"$conf_name"
+    else
+        cat << EOF > "$conf_path"/"$conf_name"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+    fi
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
new file mode 100644
index 00000000000..9917af95998
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
+    {{{ oval_metadata("The passwords to remember should be set correctly.") }}}
+    <criteria operator="AND" comment="Check if pam_pwhistory.so is properly enabled">
+      <!--
+        pam_pwhistory.so parameters can be defined directly in pam files or, in newer versions,
+        in /etc/security/pwhistory.conf. The last is the recommended option when available. Also,
+        is the option used by auselect tool. However, regardless the approach, a minimal
+        declaration is common in pam files. -->
+      <criterion test_ref="test_accounts_password_pam_pwhistory_remember_common_password"
+        comment="pam_pwhistory.so is properly defined in password section of common-password"/>
+    </criteria>
+  </definition>
+
+  <!-- is pam_pwhistory.so enabled? -->
+  <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_remember_common_password" check="all"
+    check_existence="at_least_one_exists" version="1" comment="Check pam_pwhistory.so presence in /etc/pam.d/common-password">
+    <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_common_password"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_remember_common_password"
+    version="1">
+    <ind:filepath>/etc/pam.d/common-password</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*password[\s]+((?:\[success=\d+\s+default=ignore\])|(?:requisite)|(?:required))[\s]+pam_pwhistory\.so[\s]+.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
new file mode 100644
index 00000000000..63ae962b2c8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+
+title: 'Ensure pam_pwhistory module is enabled'
+
+description: |-
+    The <tt>pam_pwhistory.so</tt> module is part of the Pluggable Authentication Modules (PAM) 
+    framework designed to increase password security. It works by storing a history of previously 
+    used passwords for each user, ensuring users cannot alternate between the same passwords too frequently.
+    <br /><br />
+    This module is incompatible with Kerberos. Furthermore, its usage with <tt>NIS</tt> or <tt>LDAP</tt> is 
+    generally impractical, as other machines can not access local password histories.
+
+rationale: |-
+    Enforcing strong passwords increases the difficulty and resources required 
+    for password compromise.
+
+severity: medium
+
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
new file mode 100644
index 00000000000..91c74a66e30
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite # pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
new file mode 100644
index 00000000000..0b6d30e3652
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh
new file mode 100644
index 00000000000..22496c997b5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+rm /usr/share/pam-configs/*pwhistory
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update