-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ubuntu 24.04: Implement 5.3.2.4 Ensure pam_pwhistory module is enabled #12726
Merged
Merged
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
8d97a79
Implement rule 5.3.2.4 Ensure pam_pwhistory module is enabled
alanmcanonical 42fb97a
Add rule to ubuntu2404 cis control 5.3.2.4
alanmcanonical ec4dae3
Rename title
alanmcanonical dedc5a7
Implement bash_pam_pwhistory_enable macro
alanmcanonical 3b8cf2d
Use template parameter
alanmcanonical File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 changes: 3 additions & 0 deletions
3
...-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # platform = multi_platform_ubuntu | ||
|
|
||
| {{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}} |
27 changes: 27 additions & 0 deletions
27
...pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="2"> | ||
| {{{ oval_metadata("The passwords to remember should be set correctly.") }}} | ||
| <criteria operator="AND" comment="Check if pam_pwhistory.so is properly enabled"> | ||
| <!-- | ||
| pam_pwhistory.so parameters can be defined directly in pam files or, in newer versions, | ||
| in /etc/security/pwhistory.conf. The last is the recommended option when available. Also, | ||
| is the option used by auselect tool. However, regardless the approach, a minimal | ||
| declaration is common in pam files. --> | ||
| <criterion test_ref="test_accounts_password_pam_pwhistory_remember_common_password" | ||
| comment="pam_pwhistory.so is properly defined in password section of common-password"/> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <!-- is pam_pwhistory.so enabled? --> | ||
| <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_remember_common_password" check="all" | ||
| check_existence="at_least_one_exists" version="1" comment="Check pam_pwhistory.so presence in /etc/pam.d/common-password"> | ||
| <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_common_password"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_remember_common_password" | ||
| version="1"> | ||
| <ind:filepath>/etc/pam.d/common-password</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*password[\s]+((?:\[success=\d+\s+default=ignore\])|(?:requisite)|(?:required))[\s]+pam_pwhistory\.so[\s]+.*$</ind:pattern> | ||
| <ind:instance datatype="int">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
| </def-group> |
20 changes: 20 additions & 0 deletions
20
...counts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| documentation_complete: true | ||
|
|
||
|
|
||
| title: 'Verify pam_pwhistory module is activated' | ||
|
|
||
| description: |- | ||
| The <tt>pam_pwhistory.so</tt> module is part of the Pluggable Authentication Modules (PAM) | ||
| framework designed to increase password security. It works by storing a history of previously | ||
| used passwords for each user, ensuring users cannot alternate between the same passwords too frequently. | ||
| <br /><br /> | ||
| This module is incompatible with Kerberos. Furthermore, its usage with <tt>NIS</tt> or <tt>LDAP</tt> is | ||
| generally impractical, as other machines can not access local password histories. | ||
|
|
||
| rationale: |- | ||
| Enforcing strong passwords increases the difficulty and resources required | ||
| for password compromise. | ||
|
|
||
| severity: medium | ||
|
|
||
| platform: package[pam] |
15 changes: 15 additions & 0 deletions
15
...ing_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/commented.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ubuntu | ||
|
|
||
| config_file=/usr/share/pam-configs/tmp_pwhistory | ||
| cat << EOF > "$config_file" | ||
| Name: pwhistory password history checking | ||
| Default: yes | ||
| Priority: 1024 | ||
| Password-Type: Primary | ||
| Password: requisite # pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok | ||
| EOF | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update | ||
|
|
||
| rm "$config_file" |
15 changes: 15 additions & 0 deletions
15
...cking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/correct.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ubuntu | ||
|
|
||
| config_file=/usr/share/pam-configs/tmp_pwhistory | ||
| cat << EOF > "$config_file" | ||
| Name: pwhistory password history checking | ||
| Default: yes | ||
| Priority: 1024 | ||
| Password-Type: Primary | ||
| Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok | ||
| EOF | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update | ||
|
|
||
| rm "$config_file" |
6 changes: 6 additions & 0 deletions
6
...cking_out_password_attempts/accounts_password_pam_pwhistory_enabled/tests/missing.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
| # platform = multi_platform_ubuntu | ||
|
|
||
| rm /usr/share/pam-configs/*pwhistory | ||
|
|
||
| DEBIAN_FRONTEND=noninteractive pam-auth-update |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be one line or
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pam-auth-update can identify the non new-line conf, so no need to change this