Ubuntu 24.04: Implement rule 5.3.3.3.1 Ensure password history remember is configured

controls/cis_ubuntu2404.yml

@@ -2001,11 +2001,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
-      - var_password_pam_remember=5
-      - accounts_password_pam_unix_remember
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.4.3.
+    rules:
+      - var_password_pam_remember=24
+      - accounts_password_pam_pwhistory_remember
+    status: automated
 
   - id: 5.3.3.3.2
     title: Ensure password history is enforced for the root user (Automated)

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/ubuntu.sh

@@ -0,0 +1,14 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+
+{{{ bash_instantiate_variables("var_password_pam_remember") }}}
+
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_pwhistory\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_remember"'/g
+    }
+}' /usr/share/pam-configs/cac_pwhistory
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml

@@ -56,8 +56,16 @@ template:
       type: password
       control_flag: requisite
       module: pam_pwhistory.so
+{{% if 'ubuntu' in product and product != 'ubuntu2004' %}}
+      arguments:
+        - variable: remember
+          operation: greater than or equal
+      backends:
+        - bash: "off"
+{{% else %}}
       arguments:
         - variable: remember
           operation: greater than or equal
         - argument: use_authtok
           new_argument: use_authtok
+{{% endif %}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_argument_missing.fail.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+# variables = var_password_pam_remember=5
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_correct_value.pass.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+# variables = var_password_pam_remember=5
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=5 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/tests/ubuntu_wrong_value.fail.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+# variables = var_password_pam_remember=5
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=4 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"