From c681ba53d2de3aa584a38a349ff59562c7fc39c9 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Tue, 7 Jan 2025 11:03:17 +0000 Subject: [PATCH 01/11] Set the cis recommend value --- controls/cis_ubuntu2404.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index fbc438cf883..ca7689a90f6 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -2001,11 +2001,10 @@ controls: levels: - l1_server - l1_workstation - related_rules: - - var_password_pam_remember=5 - - accounts_password_pam_unix_remember - status: planned - notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.3. + rules: + - var_password_pam_remember=24 + - accounts_password_pam_pwhistory_remember + status: automated - id: 5.3.3.3.2 title: Ensure password history is enforced for the root user (Automated) From 95c371a0013639d101e6bd200d8ee1a6f07ec9f9 Mon Sep 17 00:00:00 2001 
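Review bot: The control is flipped to `status: automated` and re-pointed at `accounts_password_pam_pwhistory_remember` in this patch, while the Ubuntu-specific implementation of that rule (bash/ubuntu.sh, the OVAL and the rule.yml template guard) only arrives in patch 02 of the series. At this commit the profile therefore asserts automated coverage that rests on the generic pam_options template alone, which is the situation the removed `notes:` line was flagging. Reordering so the rule content lands first, or squashing 01 into 02, keeps every intermediate commit self-consistent for bisecting.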
From: Alan Moore Date: Tue, 7 Jan 2025 21:31:38 +0000 Subject: [PATCH 02/11] Rewrite the remediation and tests of accounts_password_pam_pwhistory_remember to use pam-auth-update --- .../bash/ubuntu.sh | 14 +++++ .../oval/shared.xml | 54 +++++++++++++++++++ .../rule.yml | 2 + .../tests/ubuntu_arg_missing.fail.sh | 18 +++++++ .../tests/ubuntu_argument_missing.fail.sh | 17 ++++++ .../tests/ubuntu_correct_value.pass.sh | 16 ++++++ .../tests/ubuntu_wrong_value.fail.sh | 17 ++++++ 7 files changed, 138 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh new file mode 100644 index 00000000000..fe3a661bee2 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh 
@@ -0,0 +1,14 @@ +# platform = multi_platform_ubuntu + +{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}} + +{{{ bash_instantiate_variables("var_password_pam_remember") }}} + +sed -i -E '/^Password:/,/^.*$/ { + /pam_pwhistory\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_remember"'/g + } +}' /usr/share/pam-configs/cac_pwhistory + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml new file mode 100644 index 00000000000..6ec3254c132 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml @@ -0,0 +1,54 @@ + + + {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.") }}} + + + + + + + + + + + + + + + /etc/pam.d/common-password + + 1 + + + + + ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so.*$ + + + + + + + + + + + + + + /usr/share/pam-configs/cac_pwhistory + ^Password:\s*(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+.*\bremember=([0-9]*)\b.*$ + 1 + + + \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml index 8758454ece6..72b94bc8064 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml 
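Review bot: `DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory` on the last line runs regardless of whether the preceding sed rewrote any pam_pwhistory.so line, so a profile without that module line would be enabled with no remember= set and the remediation would still report success. A guard between the two commands, `grep -q 'pam_pwhistory\.so.*remember=' /usr/share/pam-configs/cac_pwhistory || { echo "cac_pwhistory: no pam_pwhistory.so line to configure" >&2; exit 1; }`, makes that case visible to the scanner. The profile written by bash_pam_pwhistory_enable is not on this page, so whether the module line can be absent is an assumption to confirm. Separately, `$var_password_pam_remember` is spliced unquoted into the sed program in `s/$/ remember='"$var_password_pam_remember"'/g`, so a value containing `/` or `&` would corrupt the expression; the value comes from the benchmark variable rather than the host, so this is a robustness caveat worth a comment (`# value is expected to be a plain integer; sed delimiter is /`) rather than an injection concern.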
@@ -49,6 +49,7 @@ ocil: |- platform: package[pam] +{{% if 'ubuntu' not in product %}} template: name: pam_options vars: @@ -61,3 +62,4 @@ template: operation: greater than or equal - argument: use_authtok new_argument: use_authtok +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh new file mode 100644 index 00000000000..b3676ef1e81 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = pam +# variables = var_password_pam_remember=5 + +config_file=/usr/share/pam-configs/tmppwhistory + +cat << EOF > "$config_file" +Name: pwhistory password history checking +Default: yes +Priority: 1024 +Password-Type: Primary +Password: requisite pam_pwhistory.so enforce_for_root try_first_pass use_authtok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmppwhistory +rm "$config_file" + diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh new file mode 100644 index 00000000000..51c0f2c6859 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh 
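Review bot: `rm "$config_file"` on the last line of ubuntu_arg_missing.fail.sh deletes the profile source right after `pam-auth-update --enable tmppwhistory` has merged it into /etc/pam.d/common-password, leaving a pam_pwhistory.so line whose profile no longer exists under /usr/share/pam-configs. Whether the remediation's own `pam-auth-update --enable cac_pwhistory` run then drops that orphaned line or keeps it next to the new one decides whether the post-remediation check sees one pam_pwhistory.so line or two, which is worth confirming on a real system; the same pattern is in ubuntu_argument_missing.fail.sh and ubuntu_wrong_value.fail.sh. A one-line comment above the rm stating the intent, e.g. `# profile source removed on purpose: only its effect on common-password is under test`, would document the choice either way.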
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+# variables = var_password_pam_remember=5
+
+config_file=/usr/share/pam-configs/tmppwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmppwhistory
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh
new file mode 100644
index 00000000000..9bce05f8e5c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+# variables = var_password_pam_remember=5
+
+config_file=/usr/share/pam-configs/cac_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=5 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh
new file mode 100644
index 00000000000..098ccbc4ede
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = pam +# variables = var_password_pam_remember=5 + +config_file=/usr/share/pam-configs/tmppwhistory + +cat << EOF > "$config_file" +Name: pwhistory password history checking +Default: yes +Priority: 1024 +Password-Type: Primary +Password: requisite pam_pwhistory.so remember=6 enforce_for_root try_first_pass use_authtok +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmppwhistory +rm "$config_file" From b78620c05ca1b7a7553839f063f27c0a7f165142 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 8 Jan 2025 10:25:43 +0000 Subject: [PATCH 03/11] Add eol --- .../accounts_password_pam_pwhistory_remember/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml index 6ec3254c132..2b92b22e9d0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml @@ -51,4 +51,4 @@ 1 - \ No newline at end of file + From 79297d2403678db8b3d8c671fbd0d45fd9a843ae Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 9 Jan 2025 15:43:15 +0000 Subject: [PATCH 04/11] Align oval with benchmark --- .../oval/shared.xml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml index 2b92b22e9d0..dd9d093662a 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml @@ -1,3 +1,7 @@ +{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}} +{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}} +{{% endif %}} + {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.") }}} @@ -19,7 +23,7 @@ - /etc/pam.d/common-password + {{{ accounts_password_pam_file }}} 1 @@ -40,14 +44,14 @@ + comment="Test if remember attribute of pam_pwhistory.so is set correctly in {{{ accounts_password_pam_file }}}"> - /usr/share/pam-configs/cac_pwhistory - ^Password:\s*(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+.*\bremember=([0-9]*)\b.*$ + {{{ accounts_password_pam_file }}} + ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#]*\bremember=([0-9]*)\b.*$ 1 From a466201fe30a47954a4794129ff95698996badda Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 9 Jan 2025 15:44:36 +0000 Subject: [PATCH 05/11] Fix the regex in sed to be consistent --- .../accounts_password_pam_pwhistory_remember/bash/ubuntu.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
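Review bot: `accounts_password_pam_file` is only assigned inside the `{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}` guard added in the first hunk, so on any other product the three `{{{ accounts_password_pam_file }}}` references in this file render as an empty path and the object points at nothing. An `{{% else %}}` branch that sets the product's PAM password file, or setting the variable unconditionally, removes that hole. If the intent is that non-Ubuntu products never reach this OVAL because rule.yml keeps them on the pam_options template, that relies on how the build prioritises a rule-level oval/shared.xml over templated OVAL, which is worth confirming rather than assuming.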
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh index fe3a661bee2..b7fac68821f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh @@ -4,7 +4,7 @@ {{{ bash_instantiate_variables("var_password_pam_remember") }}} -sed -i -E '/^Password:/,/^.*$/ { +sed -i -E '/^Password:/,/^[^[:space:]]/ { /pam_pwhistory\.so/ { s/\s*remember=[^[:space:]]*//g s/$/ remember='"$var_password_pam_remember"'/g From da6bfd505a6e664c3fe95126e1f0883eb283683a Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 9 Jan 2025 18:37:04 +0000 Subject: [PATCH 06/11] Exclude line break --- .../accounts_password_pam_pwhistory_remember/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml index dd9d093662a..0113d9878d8 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml 
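Review bot: The new end address in `sed -i -E '/^Password:/,/^[^[:space:]]/ {` is inclusive, so the range covers the `Password:` stanza plus the first line of whatever stanza follows it; if that line also names pam_pwhistory.so (a `Password-Initial:` entry, say), the inner `/pam_pwhistory\.so/` block appends remember= there as well. That may be intended, but the profile laid down by bash_pam_pwhistory_enable is not visible on this page, so it is an assumption to confirm. A comment above the sed stating which lines are meant to be rewritten, e.g. `# set remember= on every pam_pwhistory.so line of the Password: stanza (range is inclusive of the next stanza header)`, records the decision.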
@@ -51,7 +51,7 @@ {{{ accounts_password_pam_file }}} - ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#]*\bremember=([0-9]*)\b.*$ + ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#\n\r]*\bremember=([0-9]*)\b.*$ 1 From da743d8b01418b0b4e424593ed60b03fad147240 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 9 Jan 2025 18:37:17 +0000 Subject: [PATCH 07/11] Remove duplicate test --- .../tests/ubuntu_arg_missing.fail.sh | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh deleted file mode 100644 index b3676ef1e81..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_arg_missing.fail.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = pam -# variables = var_password_pam_remember=5 - -config_file=/usr/share/pam-configs/tmppwhistory - -cat << EOF > "$config_file" -Name: pwhistory password history checking -Default: yes -Priority: 1024 -Password-Type: Primary -Password: requisite pam_pwhistory.so enforce_for_root try_first_pass use_authtok -EOF - -DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmppwhistory -rm "$config_file" - From f82dba23879b20a9166a30cd688c8e5c32201884 Mon Sep 17 00:00:00 2001 
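Review bot: The capture `remember=([0-9]*)` in the new pattern still accepts an empty value: `[0-9]*` matches zero digits and the following `\b` is satisfied whenever a word character follows `=`, so a line such as `remember=abc` yields an empty string into an int-typed state comparison instead of a clean non-match. `([0-9]+)` restricts the match to a numeric value. This file is deleted again in patch 11 of the series, so the change only matters if the OVAL is kept.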
From: Alan Moore Date: Thu, 9 Jan 2025 18:38:12 +0000 Subject: [PATCH 08/11] Make pam-configs names more consistent --- .../tests/ubuntu_argument_missing.fail.sh | 4 ++-- .../tests/ubuntu_correct_value.pass.sh | 5 +++-- .../tests/ubuntu_wrong_value.fail.sh | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh index 51c0f2c6859..490a64c26e2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh @@ -3,7 +3,7 @@ # packages = pam # variables = var_password_pam_remember=5 -config_file=/usr/share/pam-configs/tmppwhistory +config_file=/usr/share/pam-configs/tmp_pwhistory cat << EOF > "$config_file" Name: pwhistory password history checking @@ -13,5 +13,5 @@ Password-Type: Primary Password: requisite pam_pwhistory.so enforce_for_root try_first_pass use_authtok EOF -DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmppwhistory +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh index 9bce05f8e5c..d685766fff8 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh @@ -3,7 +3,7 @@ # packages = pam # variables = var_password_pam_remember=5 -config_file=/usr/share/pam-configs/cac_pwhistory +config_file=/usr/share/pam-configs/tmp_pwhistory cat << EOF > "$config_file" Name: pwhistory password history checking @@ -13,4 +13,5 @@ Password-Type: Primary Password: requisite pam_pwhistory.so remember=5 enforce_for_root try_first_pass use_authtok EOF -DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory +rm "$config_file" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh index 098ccbc4ede..b4f43596bbc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh @@ -3,7 +3,7 @@ # packages = pam # variables = var_password_pam_remember=5 -config_file=/usr/share/pam-configs/tmppwhistory +config_file=/usr/share/pam-configs/tmp_pwhistory cat << EOF > "$config_file" Name: pwhistory password history checking 
@@ -13,5 +13,5 @@ Password-Type: Primary Password: requisite pam_pwhistory.so remember=6 enforce_for_root try_first_pass use_authtok EOF -DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmppwhistory +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory rm "$config_file" From 7fcdbbf8e6e9e0d4918a277b915fe89188f5ffbc Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 9 Jan 2025 18:57:36 +0000 Subject: [PATCH 09/11] Decrese the remember count to make it wrong --- .../tests/ubuntu_wrong_value.fail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh index b4f43596bbc..8600b5e059c 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh @@ -10,7 +10,7 @@ Name: pwhistory password history checking Default: yes Priority: 1024 Password-Type: Primary -Password: requisite pam_pwhistory.so remember=6 enforce_for_root try_first_pass use_authtok +Password: requisite pam_pwhistory.so remember=4 enforce_for_root try_first_pass use_authtok EOF DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory From 845f5c3a3fd7330c7c3483aa42fc2c90c227591d Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Fri, 10 Jan 2025 15:25:07 +0000 Subject: [PATCH 10/11] Also allow ubuntu 2004 to use the existing template --- .../accounts_password_pam_pwhistory_remember/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml index 72b94bc8064..eb6a270e031 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml @@ -49,7 +49,7 @@ ocil: |- platform: package[pam] -{{% if 'ubuntu' not in product %}} +{{% if 'ubuntu' not in product or product == 'ubuntu2004' %}} template: name: pam_options vars: From 56f5eb4aa517f3c4a06ebd9d40df2cdbc09da26a Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 15 Jan 2025 13:45:20 +0000 Subject: [PATCH 11/11] Use pam_options template with bash turned off --- .../oval/shared.xml | 58 ------------------- .../rule.yml | 8 ++- 2 files changed, 7 insertions(+), 59 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml deleted file mode 100644 index 0113d9878d8..00000000000 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}} -{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}} -{{% endif %}} - - - - {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.") }}} - - - - - - - - - - - - - - - {{{ accounts_password_pam_file }}} - - 1 - - - - - ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so.*$ - - - - - - - - - - - - - - {{{ accounts_password_pam_file }}} - ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#\n\r]*\bremember=([0-9]*)\b.*$ - 1 - - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml index eb6a270e031..e8f8a7a74b2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml @@ -49,7 +49,6 @@ ocil: |- platform: package[pam] -{{% if 'ubuntu' not in product or product == 'ubuntu2004' %}} template: name: pam_options vars: @@ -57,6 +56,13 @@ template: type: password control_flag: requisite module: pam_pwhistory.so +{{% if 'ubuntu' in product and product != 'ubuntu2004' %}} + arguments: + - variable: remember + operation: greater than or equal + backends: + - bash: "off" +{{% else %}} arguments: - variable: remember operation: greater than or equal
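Review bot: `backends: - bash: "off"` disables the template's bash for every Ubuntu product except ubuntu2004, but bash/ubuntu.sh added in patch 02 is tagged `# platform = multi_platform_ubuntu`, which includes ubuntu2004, so for that product both the templated bash and the rule-level script are candidates; how the build resolves that is worth confirming, and the condition here and the script's platform line should agree. A jinja comment above the `{{% if %}}` recording why bash is off would spare the next reader the archaeology, e.g. `{{# Ubuntu other than ubuntu2004: remediation is bash/ubuntu.sh (pam-auth-update profile); the template supplies the check only #}}`. The `{{% else %}}` branch and its `{{% endif %}}` continue beyond this hunk.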