Use pam-auth-update to remediate the pam_unix related rules

ComplianceAsCode · Dec 2, 2024 · 728556f · 728556f
1 parent 29c7492
commit 728556f
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 9 deletions.
diff --git a/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -2,16 +2,28 @@
 
 {{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
 
-{{% if "debian" in product or "ubuntu" in product or "sle12" in product %}}
+{{% if "debian" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{% elif "ubuntu" in product %}}
+{{%- set accounts_password_pam_unix_remember_file = '/usr/share/pam-configs/unix' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}
 
-{{% if "debian" in product or "ubuntu" in product %}}
+{{% if "debian" in product %}}
 
 {{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
 
+{{% elif "ubuntu" in product %}}
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_unix_remember"'/g
+    }
+}' "$accounts_password_pam_unix_remember_file"
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 
 {{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,

diff --git a/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -6,18 +6,30 @@
 PAM_FILE_PATH="/etc/pam.d/common-password"
 CONTROL="required"
 {{%- elif 'ubuntu' in product -%}}
-PAM_FILE_PATH="/etc/pam.d/common-password"
+{{{ bash_pam_unix_enable() }}}
+PAM_FILE_PATH=/usr/share/pam-configs/cac_unix
 {{%- else -%}}
 PAM_FILE_PATH="/etc/pam.d/system-auth"
 CONTROL="sufficient"
 {{%- endif %}}
 
 {{% if 'ubuntu' in product -%}}
-# Can't use macro bash_ensure_pam_module_configuration because the control
-# contains special characters and is not static ([success=N default=ignore)
-if ! grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
-  sed -i -E --follow-symlinks "/\s*password\s+.*\s+pam_unix.so.*/ s/$/ $var_password_hashing_algorithm_pam/" "$PAM_FILE_PATH"
+if ! grep -qzP "Password:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+  sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/$/ '"$var_password_hashing_algorithm_pam"'/g
+    }
+}' "$PAM_FILE_PATH"
+fi
+
+if ! grep -qzP "Password-Initial:\s*\n\s+.*\s+pam_unix.so\s+.*\b$var_password_hashing_algorithm_pam\b" "$PAM_FILE_PATH"; then
+  sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/$/ '"$var_password_hashing_algorithm_pam"'/g
+    }
+}' "$PAM_FILE_PATH"
 fi
+
 {{%- else -%}}
 {{{ bash_ensure_pam_module_configuration("$PAM_FILE_PATH", 'password', "$CONTROL", 'pam_unix.so', "$var_password_hashing_algorithm_pam", '', '') }}}
 {{%- endif %}}
@@ -27,8 +39,22 @@ declare -a HASHING_ALGORITHMS_OPTIONS=("sha512" "yescrypt" "gost_yescrypt" "blow
 
 for hash_option in "${HASHING_ALGORITHMS_OPTIONS[@]}"; do
   if [ "$hash_option" != "$var_password_hashing_algorithm_pam" ]; then
+    {{% if 'ubuntu' in product -%}}
+      sed -i -E '/^Password:/,/^[^[:space:]]/ {
+      /pam_unix\.so/ {
+        s/\s*'"$hash_option"'//g
+      }
+      }' "$PAM_FILE_PATH"
+      sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+      /pam_unix\.so/ {
+        s/\s*'"$hash_option"'//g
+      }
+      }' "$PAM_FILE_PATH"
+      DEBIAN_FRONTEND=noninteractive pam-auth-update
+    {{%- else -%}}
     if grep -qP "^\s*password\s+.*\s+pam_unix.so\s+.*\b$hash_option\b" "$PAM_FILE_PATH"; then
       {{{ bash_remove_pam_module_option_configuration("$PAM_FILE_PATH", 'password', ".*", 'pam_unix.so', "$hash_option") }}}
     fi
+    {{%- endif %}}
   fi
 done
diff --git a/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -11,8 +11,9 @@ for FILE in ${NULLOK_FILES}; do
    sed --follow-symlinks -i 's/\<nullok\>//g' ${FILE}
 done
 {{% elif 'ubuntu' in product %}}
-FILE="/etc/pam.d/common-password"
-sed -i 's/\(.*pam_unix\.so.*\)\s\<nullok\>\(.*\)/\1\2/g' ${FILE}
+{{{ bash_pam_unix_enable() }}}
+sed --follow-symlinks -i 's/\<nullok\>//g' /usr/share/pam-configs/cac_unix
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then
     {{{ bash_enable_authselect_feature('without-nullok') }}}