From e9211e9ca206af0be11ec11fd58cbc4046dbc9b7 Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Wed, 15 Jan 2025 13:53:57 +0000
Subject: [PATCH] Use pam_options template with bash turned off

---
 .../oval/shared.xml                           | 52 -------------------
 .../rule.yml                                  | 15 ++++++
 2 files changed, 15 insertions(+), 52 deletions(-)
 delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
deleted file mode 100644
index 1a822cfd471..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
+++ /dev/null
@@ -1,52 +0,0 @@
-{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
-{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
-{{% else %}}
-{{%- set accounts_password_pam_file = '/etc/pam.d/system-auth' -%}}
-{{% endif %}}
-
-<def-group>
-  <definition class="compliance" id="{{{ rule_id }}}" version="2">
-    {{{ oval_metadata("Enforce password history for root of pam_pwhistory.") }}}
-      <criteria operator="AND" comment="Check if pam_pwhistory.so is properly configured">
-        <criterion test_ref="test_accounts_password_pam_pwhistory_enabled"
-                   comment="pam_pwhistory.so is properly defined in password section of PAM file"/>
-        <criterion test_ref="test_accounts_password_pam_pwhistory_enforce_for_root_parameter"
-                 comment="enforce_for_root parameter of pam_pwhistory.so is properly configured"/>
-      </criteria>
-  </definition>
-
-  <!-- is pam_pwhistory.so enabled? -->
-  <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_enabled"
-                              check="all" version="1" comment="Check pam_pwhistory.so presence in PAM file">
-    <ind:object object_ref="object_accounts_password_pam_pwhistory_enabled"/>
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_enabled"
-                                version="1">
-    <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
-    <ind:pattern var_ref="var_accounts_password_pam_pwhistory_module_regex"
-                 var_check="at least one" operation="pattern match"/>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <!-- variables used to check the module implementation -->
-  <local_variable id="var_accounts_password_pam_pwhistory_module_regex"
-		  datatype="string" version="1"
-		  comment="The regex is to confirm the pam_pwhistory.so module is enabled">
-    <literal_component>^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so.*$</literal_component>
-  </local_variable>
-
-  <!-- Check the pam_pwhistory.so enforce_for_root parameter -->
-  <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_enforce_for_root_parameter" version="1"
-                              check="all" check_existence="all_exist"
-                              comment="Test if enforce_for_root attribute of pam_pwhistory.so is set correctly in {{{ accounts_password_pam_file }}}">
-    <ind:object object_ref="object_accounts_password_pam_pwhistory_enforce_for_root_parameter" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_enforce_for_root_parameter" version="1">
-    <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#\n\r]*\benforce_for_root\b.*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
index 4d3b37d621c..a20269e5a4d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
@@ -16,3 +16,18 @@ rationale: 'Preventing re-use of previous passwords helps ensure that a compromi
 severity: medium
 
 platform: package[pam]
+
+template:
+    name: pam_options
+    vars:
+      path: /etc/pam.d/common-password
+      type: password
+      control_flag: requisite
+      module: pam_pwhistory.so
+      arguments:
+        - argument: enforce_for_root
+          new_argument: enforce_for_root
+{{% if 'ubuntu' in product %}}
+      backends:
+        - bash: "off"
+{{% endif %}}