Merge pull request #12780 from alanmcanonical/ubt24_53342

Ubuntu 24.04: Implement rule 5.3.3.4.2 Ensure pam_unix does not include remember
ComplianceAsCode · Jan 14, 2025 · bb605b8 · bb605b8
2 parents 4992cca + 869381f
commit bb605b8
Show file tree

Hide file tree

Showing 8 changed files with 162 additions and 2 deletions.
diff --git a/components/pam.yml b/components/pam.yml
@@ -65,6 +65,7 @@ rules:
 - accounts_password_pam_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_enabled
+- accounts_password_pam_unix_no_remember
 - accounts_password_pam_unix_remember
 - accounts_password_pam_unix_rounds_password_auth
 - accounts_password_pam_unix_rounds_system_auth

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -2040,8 +2040,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - accounts_password_pam_unix_no_remember
+    status: automated
 
   - id: 5.3.3.4.3
     title: Ensure pam_unix includes a strong password hashing algorithm (Automated)

diff --git a/...ounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/...ounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
@@ -0,0 +1,15 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{{ bash_pam_unix_enable() }}}
+config_file="/usr/share/pam-configs/cac_unix"
+sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*\bremember=\d+\b//g
+    }
+}' "$config_file"
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
diff --git a/...unts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml b/...unts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml
@@ -0,0 +1,19 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("The pam_unix module should not include remember option") }}}
+    <criteria>
+      <criterion comment="make sure the remember option is not used in pam_unix.so module"
+                 test_ref="test_pam_unix_no_remember" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+                              id="test_pam_unix_no_remember"
+                              comment="make sure remember is not used in /etc/pam.d/common-auth">
+    <ind:object object_ref="object_pam_unix_no_remember" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_pam_unix_no_remember" version="1">
+    <ind:filepath operation="pattern match">^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
diff --git a/...ts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml b/...ts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Avoid using remember in pam_unix module'
+
+description: |-
+    The <tt>remember</tt> option stores the last n passwords for each user in <tt>/etc/security/opasswd</tt>,
+    enforcing password history and preventing users from reusing the same passwords. However, this feature
+    relies on the MD5 password hash algorithm, which is less secure. Instead, the <tt>pam_pwhistory</tt>
+    module should be used. This module also stores the last n passwords in <tt>/etc/security/opasswd</tt>
+    and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512,
+    offering enhanced security.
+
+rationale: |-
+    Removing the <tt>remember</tt> argument ensures the use of a stronger password hashing algorithm.
+    A more robust hash algorithm increases the difficulty for attackers to crack stored
+    passwords in <tt>/etc/security/opasswd</tt>, thereby improving system security and
+    protecting user credentials. 
+
+severity: medium
+
+platform: package[pam]
diff --git a/...ictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember.pass.sh b/...ictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmpunix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm $config_file
diff --git a/.../password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented.pass.sh b/.../password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmpunix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt #remember=5
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt #remember=5
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm $config_file
diff --git a/...ns/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present.fail.sh b/...ns/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmpunix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt remember=5
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+rm $config_file