From 4956c7ca066d5987962f3605861d1d43461d9feb Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Thu, 9 Jan 2025 14:53:46 +0000 Subject: [PATCH 1/3] Add rule accounts_password_pam_pwhistory_enforce_root into ubuntu2404 cis control 5.3.3.3.2 --- components/pam.yml | 1 + controls/cis_ubuntu2404.yml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/components/pam.yml b/components/pam.yml
index 947363ca417..8d9c642dc19 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -56,6 +56,7 @@ rules:
 - accounts_password_pam_minlen
 - accounts_password_pam_ocredit
 - accounts_password_pam_pwhistory_enabled
+- accounts_password_pam_pwhistory_enforce_root
 - accounts_password_pam_pwhistory_remember
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a50874b1fdf..66780e3262b 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2019,8 +2019,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_password_pam_pwhistory_enforce_root + status: automated - id: 5.3.3.3.3 title: Ensure pam_pwhistory includes use_authtok (Automated)
From d47766a1da9bd3207c468fdf99a0101bf1830548 Mon Sep 17 00:00:00 2001 
From: Alan Moore Date: Thu, 9 Jan 2025 15:21:13 +0000 Subject: [PATCH 2/3] Implement rule 5.3.3.3.2 Ensure password history is enforced for the root user --- .../bash/ubuntu.sh | 13 +++++ .../oval/shared.xml | 52 +++++++++++++++++++ .../rule.yml | 18 +++++++ .../tests/ubuntu_argument_missing.fail.sh | 16 ++++++ .../tests/ubuntu_commented_argument.fail.sh | 16 ++++++ .../tests/ubuntu_correct_value.pass.sh | 16 ++++++ 6 files changed, 131 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
new file mode 100644
index 00000000000..3eaa1cf5a87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh 
@@ -0,0 +1,13 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+conf_file=/usr/share/pam-configs/cac_pwhistory
+if ! grep -qE 'pam_pwhistory\.so\s+[^#\n]*\benforce_for_root\b' "$conf_file"; then
+ sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_pwhistory\.so/ {
+ s/$/ enforce_for_root/g
+ }
+ }' "$conf_file"
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
new file mode 100644
index 00000000000..eefe160111e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/oval/shared.xml
@@ -0,0 +1,52 @@
+{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
+{{% else %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/system-auth' -%}}
+{{% endif %}} + + + + {{{ oval_metadata("Enforce password history for root of pam_pwhistory.") }}} + + + + + + + + + + + + + {{{ accounts_password_pam_file }}} + + 1 + + + + + ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so.*$ + + + + + + + + + {{{ accounts_password_pam_file }}} + ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\benforce_for_root\b.*$ + 1 + + +
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
new file mode 100644
index 00000000000..4d3b37d621c 
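Review bot: The guard `grep -qE 'pam_pwhistory\.so\s+[^#\n]*\benforce_for_root\b'` puts `\n` inside a bracket expression, where POSIX bracket rules (which GNU grep follows) make the backslash literal, so `[^#\n]` also excludes a backslash and the letter `n` from the options matched before `enforce_for_root`; grep already matches one line at a time, so `[^#]*` is the expression that was intended. The `s/$/ enforce_for_root/g` substitution appends at end of line, so a `pam_pwhistory.so` line carrying a trailing `#` comment would receive the option inside the comment where PAM never sees it, and the `g` flag is a no-op with a `$` anchor. Whether the profile written by `bash_pam_pwhistory_enable` can ever contain such a comment is not visible here; if it cannot, recording that with `# appends at end of line: assumes no trailing '#' comment on the module line` keeps the assumption explicit.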
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+
+title: 'Limit Password Reuse'
+
+description: |-
+ Do not allow root to reuse recent passwords. This can be
+ accomplished by using the enforce_for_root option for the
+ pam_pwhistory PAM modules.
+

+ In the file /etc/pam.d/common-password, make sure the parameters
+ enforce_for_root is present.
+
+rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.'
+
+severity: medium
+
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh
new file mode 100644
index 00000000000..48679604fd9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_argument_missing.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh
new file mode 100644
index 00000000000..9384286e588
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_commented_argument.fail.sh 
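Review bot: `platform: package[pam]` makes the rule applicable to every product, but the description hardcodes `/etc/pam.d/common-password`, the OVAL in this same series resolves the file to `/etc/pam.d/system-auth` outside sle12/debian/ubuntu, and the only remediation is marked `multi_platform_ubuntu`; either narrow the platform to the products that have a remediation, or name the path per product family in the description the way the OVAL already does, so a reader on another product is not told to edit a file that is not checked. The description also has a grammatical slip: `make sure the parameters enforce_for_root is present` should read `make sure the parameter enforce_for_root is present`. The rule declares no `references:` block, so its CIS mapping lives only in controls/cis_ubuntu2404.yml from the first patch; that may be deliberate, but it is worth checking against how the sibling pwhistory rules in the same directory record their CIS references. This hunk spans a chunk boundary (the `description` block begins in the earlier part of the hunk).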
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=6 try_first_pass use_authtok # enforce_for_root
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh
new file mode 100644
index 00000000000..43bab19b4af
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/tests/ubuntu_correct_value.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"
From d05e01fa2944366865d77d8dbf1a5a7ed790f9dc Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Tue, 21 Jan 2025 14:35:51 +0000 Subject: [PATCH 3/3] Add "-Initial" replacement --- .../bash/ubuntu.sh | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
index 3eaa1cf5a87..9fa74ae911d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enforce_root/bash/ubuntu.sh
@@ -8,6 +8,12 @@ if ! grep -qE 'pam_pwhistory\.so\s+[^#\n]*\benforce_for_root\b' "$conf_file"; th
 s/$/ enforce_for_root/g
 }
 }' "$conf_file"
+
+ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+ /pam_pwhistory\.so/ {
+ s/$/ enforce_for_root/g
+ }
+ }' "$conf_file"
 fi
 DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
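Review bot: The new `Password-Initial:` substitution is placed inside the same `if ! grep -qE … enforce_for_root` guard as the `Password:` one, and that grep matches anywhere in `$conf_file`, so a profile whose `Password:` line already carries `enforce_for_root` but whose `Password-Initial:` line does not (for example one written by the previous revision of this script) is skipped entirely and the rule keeps failing after remediation. Dropping the file-wide guard and testing each `pam_pwhistory.so` line on its own inside the `sed` range makes the two blocks independent and keeps the script idempotent. The enclosing `if` opens before this hunk (only its condition is visible in the hunk header) and would go away together with its `fi`.
```shell
# … unchanged: platform comment, bash_pam_pwhistory_enable macro, conf_file= …
# Fix each block independently: the option is appended only to a
# pam_pwhistory.so line that does not already carry it before any '#'.
for block in Password Password-Initial; do
  sed -i -E "/^${block}:/,/^[^[:space:]]/ {
    /pam_pwhistory\.so/ {
      /pam_pwhistory\.so[[:space:]]+[^#]*\benforce_for_root\b/! s/\$/ enforce_for_root/
    }
  }" "$conf_file"
done
# … unchanged: pam-auth-update --enable cac_pwhistory …
```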