Delete unix configuration after the common-password updated by pam-au…

…th-update to avoid the not applicable case of bash_pam_unix_enable macro
ComplianceAsCode · Dec 16, 2024 · 8675619 · 8675619
1 parent c96cfc5
commit 8675619
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 22 deletions.
diff --git a/...ut_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh b/...ut_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -28,3 +29,4 @@ Password-Initial:
 EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/..._password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh b/..._password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
@@ -2,22 +2,34 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/cac_unix
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=5
 
-{{{ bash_pam_unix_enable() }}}
-sed -i -E '/^Password:/,/^[^[:space:]]/ {
-    /pam_unix\.so/ {
-        s/\s*remember=[^[:space:]]*//g
-        s/$/ remember='"$remember_cnt"'/g
-    }
-}' "$config_file"
-
-sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
-    /pam_unix\.so/ {
-        s/\s*remember=[^[:space:]]*//g
-        s/$/ remember='"$remember_cnt"'/g
-    }
-}' "$config_file"
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt remember=$remember_cnt
+EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/...ut_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh b/...ut_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
@@ -2,7 +2,7 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=3
 
 cat << EOF > "$config_file"
@@ -32,3 +32,4 @@ Password-Initial:
 EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm $config_file
diff --git a/...hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh b/...hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 # remediation = none
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,3 +30,4 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure # sha512
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/...assword_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/...assword_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,6 +30,7 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure sha512
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 pam_file="/etc/pam.d/system-auth"
 

diff --git a/...assword_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/...assword_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,6 +30,7 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/system-auth"
 {{% endif %}}
diff --git a/...hing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh b/...hing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
@@ -2,7 +2,8 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_hashing_algorithm_pam=sha512
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -28,3 +29,4 @@ Password-Initial:
         [success=end default=ignore]    pam_unix.so obscure sha5122
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
@@ -911,7 +911,7 @@ conf_path="/usr/share/pam-configs/"
 
 if [ ! -f "$conf_path"/"$conf_name" ]; then
     if [ -f "$conf_path"/unix ]; then
-        if grep -q $(md5sum "$conf_path"/unix | cut -d ' ' -f 1) /var/lib/dpkg/info/libpam-runtime.md5sums;then
+        if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
             cp "$conf_path/unix" "$conf_path/"$conf_name""
             sed '/Default: yes/a Priority: 257\
 Conflicts: unix' "$conf_path"/"$conf_name"