diff --git a/components/pam.yml b/components/pam.yml
index bd2b849cc22..285ea347237 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -59,6 +59,7 @@ rules:
 - accounts_password_pam_pwhistory_remember_system_auth
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
+- accounts_password_pam_pwquality_enabled
 - accounts_password_pam_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_remember
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 3ba3a970c19..fe374b47cfb 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1867,8 +1867,9 @@ controls:
 levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_password_pam_pwquality_enabled + status: automated - id: 5.3.2.4 title: Ensure pam_pwhistory module is enabled (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
new file mode 100644
index 00000000000..38f2d36dbe2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwquality_enable() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml
new file mode 100644
index 00000000000..359d61af24b
--- /dev/null
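Review bot: The whole remediation is the single call `{{{ bash_pam_pwquality_enable() }}}`, whose body is not in this diff, so it is worth confirming that what the macro writes matches the check in oval/ubuntu.xml, which accepts only a `required` or `requisite` control value on the `pam_pwquality.so` line of `/etc/pam.d/common-password`; a macro that emits another control field, or edits a different file, would leave a remediated host still failing the scan. On Ubuntu that file is regenerated by `pam-auth-update` from `/usr/share/pam-configs/`, which is the mechanism correct.pass.sh uses, so a direct edit of common-password would not survive the next profile update. A one-line comment above the call naming which mechanism the macro uses would let the next reader check the alignment without opening the macro, e.g. `# must yield a required/requisite pam_pwquality.so line in /etc/pam.d/common-password (see oval/ubuntu.xml)`.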
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml
@@ -0,0 +1,37 @@
+{{% if 'ubuntu' in product %}} +{{% set configuration_files = ["common-password"] %}} +{{% endif %}} + + + {{{ oval_metadata("Check pam_pwquality module is enabled") }}} + + {{% for file in configuration_files %}} + + {{% endfor %}} + + + + {{% macro test_pwquality_enabled(path, test_ref) %}} + + + + {{% endmacro %}} + + {{% macro object_pwquality_enabled(path, test_ref) %}} + + {{{ path }}} + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + {{% endmacro %}} + + {{% for file in configuration_files %}} + {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{% endfor %}} +
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml
new file mode 100644
index 00000000000..9f9a1e585ef
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+
+title: 'Verify pam_pwquality module is activated'
+
+description: |-
+ The pam_pwquality.so module ensures password quality by evaluating user-created passwords
+ against a system dictionary and a set of rules designed to detect weak choices. Originally derived
+ from the pam_cracklib module, this module is backward-compatible with options of pam_cracklib.
+
+ The module's process includes prompting the user for a password, checking its strength, and if it
+ meets the criteria requesting the password again for confirmation. If both entries match, the
+ password is passed to subsequent modules to be set as the new authentication token.
+
+rationale: |-
+ Strong passwords significantly increase the time and effort required for unauthorized access,
+ increasing overall system security.
+
+severity: medium
+
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
new file mode 100644
index 00000000000..95830eba0ab
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+sed -i 's/\(^.*pam_pwquality\.so.*\)/# \1/' /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
new file mode 100644
index 00000000000..02bd487048c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
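Review bot: The element markup of this hunk did not survive the rendering, so only the template logic and the pattern can be reviewed here. The pattern `^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$` is anchored at line start, so a commented-out line does not match (which commented.fail.sh relies on), but it is a pure text match against `/etc/pam.d/common-password`: it does not establish that the module is installed, so a leftover `pam_pwquality.so` line on a host without libpam-pwquality still passes, and the rule's `platform: package[pam]` does not close that gap; selecting a package-installed rule alongside it in the profile, if one exists, would. The `{{% if 'ubuntu' in product %}}` around `configuration_files` has no `else`, which is harmless in a file named ubuntu.xml but leaves both `for` loops iterating an undefined name if the file is ever rendered for another product; a short comment such as `<!-- Ubuntu only: common-password is regenerated by pam-auth-update -->` above the guard would make the intent explicit.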
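Review bot: The rule carries no `ocil_clause` or `ocil` section, so the rendered guide gives an auditor no manual verification step to pair with the OVAL; adding `ocil_clause: 'pam_pwquality.so is not enabled in /etc/pam.d/common-password'` plus an `ocil` block that tells the reader to look for an uncommented `password requisite pam_pwquality.so` line in `/etc/pam.d/common-password` would close that. The description is the module's man-page summary and says nothing about where the module must be enabled; a sentence noting that on Ubuntu the line lives in `/etc/pam.d/common-password` and is managed through `pam-auth-update` would tell an administrator how to fix a finding without fighting the generator. The title says "activated" while the CIS control it is mapped to in controls/cis_ubuntu2404.yml says "enabled"; aligning the wording makes the rule easier to find.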
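Review bot: The `sed` on the last line assumes a `pam_pwquality.so` line already exists in `/etc/pam.d/common-password`; the rule's platform is only `package[pam]`, so on a test image without libpam-pwquality there is nothing to comment out and the scenario fails for the wrong reason (line missing, which missing.fail.sh already covers). Seeding the profile first, the way correct.pass.sh does, and running `DEBIAN_FRONTEND=noninteractive pam-auth-update` before the `sed` would make the scenario test what its name says. The substitution also re-comments lines that are already commented, which is harmless here but `s/^\([[:space:]]*password.*pam_pwquality\.so.*\)/# \1/` would limit it to active lines.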
@@ -0,0 +1,27 @@
+{{% if 'ubuntu' in product %}}
+configuration_files=("common-password")
+{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+configuration_files=("password-auth" "system-auth")
+{{% else %}}
+configuration_files=("system-auth")
+{{% endif %}}
+
+
+{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+authselect create-profile testingProfile --base-on sssd
+
+for file in ${configuration_files[@]}; do
+ sed -i --follow-symlinks "/pam_pwquality\.so/d" \
+ "/etc/authselect/custom/testingProfile/$file"
+done
+authselect select --force custom/testingProfile
+{{% elif 'ubuntu' in product %}}
+rm -f /usr/share/pam-configs/pwquality
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{% else %}}
+for file in ${configuration_files[@]}; do
+ sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"
+done
+{{% endif%}}
+
+truncate -s 0 /etc/security/pwquality.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
new file mode 100644
index 00000000000..a74d14e7eb3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+cat << EOF > /usr/share/pam-configs/pwquality
+Name: Pwquality password strength checking
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Password-Type: Primary
+Password:
+ requisite pam_pwquality.so
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
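Review bot: The final `truncate -s 0 /etc/security/pwquality.conf` runs unconditionally and empties configuration this rule never checks (the OVAL only matches the module line in common-password), so it can only obscure what the scenario exercises; drop it, or move it to a scenario that needs an empty pwquality.conf. Every scenario in this change is marked `multi_platform_ubuntu` and the OVAL is Ubuntu-only, so the `ol8`/`rhel` authselect branch and the `else` fallback appear carried over from a sibling rule and are currently unreachable; if they stay, a comment saying so, e.g. `# non-Ubuntu branches kept for parity with sibling pwquality rules; no scenario runs them yet`, stops someone debugging them. Minor: quote the array expansions as `"${configuration_files[@]}"` and add the space in `{{% endif%}}` to match the other tags.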
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
new file mode 100644
index 00000000000..feb4afc273d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source common.sh