Add rule accounts_password_pam_pwhistory_use_authtok

ComplianceAsCode · Jan 16, 2025 · 52bc010 · 52bc010
1 parent 041aa10
commit 52bc010
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/components/pam.yml b/components/pam.yml
@@ -59,6 +59,7 @@ rules:
 - accounts_password_pam_pwhistory_remember
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_pam_pwhistory_use_authtok
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
 - accounts_password_pam_pwquality_enabled

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -2023,8 +2023,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - accounts_password_pam_pwhistory_use_authtok
+    status: automated
 
   - id: 5.3.3.4.1
     title: Ensure pam_unix does not include nullok (Automated)

diff --git a/...locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/oval/shared.xml b/...locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/oval/shared.xml
@@ -45,7 +45,7 @@
 
   <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_use_authtok_parameter" version="1">
     <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#]*\buse_authtok\b.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))\s+pam_pwhistory\.so\s+[^#\n\r]*\buse_authtok\b.*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>