Ubuntu enable unix

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh

@@ -2,16 +2,35 @@
 
 {{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
 
-{{% if "debian" in product or "ubuntu" in product or "sle12" in product %}}
+{{% if "debian" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{% elif "ubuntu" in product %}}
+config_file="/usr/share/pam-configs/cac_unix"
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
 
-{{% if "debian" in product or "ubuntu" in product %}}
+{{% if "debian" in product %}}
 
 {{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
 
+{{% elif "ubuntu" in product %}}
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_unix_remember"'/g
+    }
+}' "$config_file"
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_unix_remember"'/g
+    }
+}' "$config_file"
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 
 {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh

@@ -1,7 +1,32 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-config_file=/etc/pam.d/common-password
-if grep -q "pam_unix\.so.*remember=" "${config_file}" ; then
-    sed -i "/pam_unix\.so/ s/\bremember=\S*//" "${config_file}"
-fi
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh

@@ -2,6 +2,34 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/etc/pam.d/common-password
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=5
-sed -i "s/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=${remember_cnt} rounds=5000/" "${config_file}"
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt remember=$remember_cnt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh

@@ -2,7 +2,34 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/etc/pam.d/common-password
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=3
-sed -i "s/password.*pam_unix.so.*/password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=${remember_cnt} rounds=5000/" "${config_file}"
 
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt remember=$remember_cnt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm $config_file

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh

@@ -6,18 +6,30 @@
 PAM_FILE_PATH="/etc/pam.d/common-password"
 CONTROL="required"
 {{%- elif 'ubuntu' in product -%}}
-PAM_FILE_PATH="/etc/pam.d/common-password"
+{{{ bash_pam_unix_enable() }}}
+PAM_FILE_PATH=/usr/share/pam-configs/cac_unix
 {{%- else -%}}
 PAM_FILE_PATH="/etc/pam.d/system-auth"
 CONTROL="sufficient"
 {{%- endif %}}
 
 {{% if 'ubuntu' in product -%}}
-# Can't use macro bash_ensure_pam_module_configuration because the control
-# contains special characters and is not static ([success=N default=ignore)
-if ! grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
-  sed -i -E --follow-symlinks "/\s*password\s+.*\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
+if ! grep -qzP "Password:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+  sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/$/ '"$var_password_hashing_algorithm_pam"'/g
+    }
+}' "$PAM_FILE_PATH"
+fi
+
+if ! grep -qzP "Password-Initial:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+  sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/$/ '"$var_password_hashing_algorithm_pam"'/g
+    }
+}' "$PAM_FILE_PATH"
 fi
+
 {{%- else -%}}
 {{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', "$CONTROL", 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}}
 {{%- endif %}}
@@ -27,8 +39,22 @@ declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blow
 
 for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
   if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+    {{% if 'ubuntu' in product -%}}
+      sed -i -E '/^Password:/,/^[^[:space:]]/ {
+      /pam_unix\.so/ {
+        s/\s*'"$hash_option"'//g
+      }
+      }' "$PAM_FILE_PATH"
+      sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+      /pam_unix\.so/ {
+        s/\s*'"$hash_option"'//g
+      }
+      }' "$PAM_FILE_PATH"
+      DEBIAN_FRONTEND=noninteractive pam-auth-update
+    {{%- else -%}}
     if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$PAM_FILE_PATH"; then
       {{{ bash_remove_pam_module_option_configuration("$PAM_FILE_PATH", 'password', ".*", 'pam_unix.so', "$hash_option") }}}
     fi
+    {{%- endif %}}
   fi
 done

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml

@@ -1,24 +1,24 @@
+{{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
+  {{% set pam_file = "/etc/pam.d/common-password" %}}
+  {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}}
+{{% elif 'ubuntu' in product %}}
+  {{% set pam_file = "/etc/pam.d/common-password" %}}
+  {{% set line_pattern = "^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+" %}}
+{{% else %}}
+  {{% set pam_file = "/etc/pam.d/system-auth" %}}
+  {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}}
+{{% endif %}}
+
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="2">
-    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
+    {{{ oval_metadata("The password hashing algorithm should be set correctly in {{{ pam_file }}}.") }}}
     <criteria operator="AND">
       <criterion test_ref="test_pam_unix_hashing_algorithm_systemauth" />
     </criteria>
   </definition>
 
-  {{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
-    {{% set pam_file = "/etc/pam.d/common-password" %}}
-    {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}}
-  {{% elif 'ubuntu' in product %}}
-    {{% set pam_file = "/etc/pam.d/common-password" %}}
-    {{% set line_pattern = "^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+" %}}
-  {{% else %}}
-    {{% set pam_file = "/etc/pam.d/system-auth" %}}
-    {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+" %}}
-  {{% endif %}}
-
-  {{% set pam_unix_algorithms = "(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)" %}}
-  {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + ".*" + pam_unix_algorithms + ").*" + pam_unix_algorithms + ".*$" %}}
+  {{% set pam_unix_algorithms = "\\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\\b" %}}
+  {{% set hashing_pattern = line_pattern + "(?!.*" + pam_unix_algorithms + "[^#]*" + pam_unix_algorithms + ")[^#]*" + pam_unix_algorithms + ".*$" %}}
 
   <!--
     In addition to the pam file, what usually differ between products are the controls in the
@@ -37,13 +37,13 @@
 
   <ind:textfilecontent54_test id="test_pam_unix_hashing_algorithm_systemauth" version="2"
     check="all" check_existence="at_least_one_exists"
-    comment="check if pam_unix.so hashing algorithm option is correct and specified only once in /etc/pam.d/system-auth">
+    comment="check if pam_unix.so hashing algorithm option is correct and specified only once in {{{ pam_file }}}">
     <ind:object object_ref="object_pam_unix_hashing_algorithm_systemauth"/>
     <ind:state state_ref="state_pam_unix_hashing_algorithm_systemauth"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_pam_unix_hashing_algorithm_systemauth" version="1"
-    comment="only one hashing algorithm option for pam_unix.so is found in /etc/pam.d/system-auth">
+    comment="only one hashing algorithm option for pam_unix.so is found in {{{ pam_file }}}">
     <ind:filepath>{{{ pam_file }}}</ind:filepath>
     <ind:pattern operation="pattern match">{{{ hashing_pattern }}}</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh

@@ -3,5 +3,31 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 # remediation = none
 
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' /etc/pam.d/common-password
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ # sha512/' /etc/pam.d/common-password
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass # sha512
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure # sha512
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh

@@ -3,11 +3,34 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-pam_file="/etc/pam.d/common-password"
-
-if ! grep -q "^\s*password.*pam_unix\.so.*sha512" "$pam_file"; then
-	sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ sha512/' "$pam_file"
-fi
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure sha512
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 pam_file="/etc/pam.d/system-auth"
 

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh

@@ -3,7 +3,34 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/common-password"
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/system-auth"
 {{% endif %}}