Merge pull request #12800 from alanmcanonical/ubt24_53333

Ubuntu 24.04: Implement rule 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok

components/pam.yml

@@ -60,6 +60,7 @@ rules:
 - accounts_password_pam_pwhistory_remember
 - accounts_password_pam_pwhistory_remember_password_auth
 - accounts_password_pam_pwhistory_remember_system_auth
+- accounts_password_pam_pwhistory_use_authtok
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
 - accounts_password_pam_pwquality_enabled

controls/cis_ubuntu2404.yml

@@ -2027,8 +2027,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - accounts_password_pam_pwhistory_use_authtok
+    status: automated
 
   - id: 5.3.3.4.1
     title: Ensure pam_unix does not include nullok (Automated)

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/ubuntu.sh

@@ -0,0 +1,13 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+conf_file=/usr/share/pam-configs/cac_pwhistory
+if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"; then
+	sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_pwhistory\.so/ {
+        s/$/ use_authtok/g
+    }
+    }' "$conf_file"
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/oval/shared.xml

@@ -0,0 +1,60 @@
+{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
+{{% else %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/system-auth' -%}}
+{{% endif %}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Configure the system to include use_authtok for pam_pwhistory common_password configuration file") }}}
+    <criteria operator="AND" comment="Check if pam_pwhistory.so is properly configured">
+      <criterion test_ref="{{{ rule_id }}}_test_pwhistory_exists"
+        comment="At least one pwhistory line exists"/>
+      <criterion test_ref="{{{ rule_id }}}_test_password_pam_pwhistory_use_authtok"
+        comment="use_authtok is configured in pam pwhistory in common_password file"/>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="{{{ rule_id }}}_test_pwhistory_exists" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="At least one pwhistory line exists">
+    <ind:object object_ref="{{{ rule_id }}}_obj_pwhistory_exists" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_pwhistory_exists" version="1">
+    <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[^#\n\r]*password[ \t]+.*pam_pwhistory\.so.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="{{{ rule_id }}}_test_password_pam_pwhistory_use_authtok" version="1"
+    check="all" check_existence="any_exist" state_operator="AND"
+    comment="use_authtok is configured in pam pwhistory in common_password file">
+    <ind:object object_ref="{{{ rule_id }}}_obj_use_authtok" />
+    <ind:state state_ref="{{{ rule_id }}}_ste_use_authtok" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_use_authtok" version="1">
+    <set>
+      <object_reference>{{{ rule_id }}}_obj_use_authtok_password_lines_except_first</object_reference>
+      <filter action="include">{{{ rule_id }}}_ste_use_authtok_pam_pwhistory_lines</filter>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="{{{ rule_id }}}_ste_use_authtok" version="1">
+      <ind:subexpression operation="pattern match">^[^#\n\r]*pam_pwhistory\.so[ \t]+[^#\n\r]*use_authtok.*$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <!-- Get all password lines except the first line. This is to avoid matching a pam_pwhistory
+  line on the top of the stack, which does not need use_authtok to pass -->
+  <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_use_authtok_password_lines_except_first" version="1">
+    <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*password[ \t]+(.+)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">2</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="{{{ rule_id }}}_ste_use_authtok_pam_pwhistory_lines" version="1">
+      <ind:subexpression operation="pattern match">^[^#\n\r]*pam_pwhistory\.so.*$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/rule.yml

@@ -0,0 +1,18 @@
+documentation_complete: true
+
+
+title: 'Enforce Password History with use_authtok'
+
+description: |-
+    The <tt>use_authtok</tt> option ensures the pam_pwhistory module uses the new
+    password provided by a previously stacked PAM module during password
+    changes, rather than prompting the user again.
+
+rationale: |-
+    The <tt>use_authtok</tt> option allows multiple PAM modules to validate the new
+    password before it is accepted, ensuring it meets all security requirements
+    without requiring the user to re-enter it multiple times.
+
+severity: medium
+
+platform: package[pam]

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/ubuntu_argument_missing_first_line.pass.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/ubuntu_argument_missing_second_line.fail.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: 
+    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass # use_authtok
+    [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/ubuntu_commented_argument.fail.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: 
+    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass # use_authtok
+    [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass # use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/ubuntu_commented_argument_first_line.pass.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password: 
+    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass # use_authtok
+    [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+    requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/ubuntu_correct_first_line.pass.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_pwhistory
+
+cat << EOF > "$config_file"
+Name: pwhistory password history checking
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password-Initial: requisite pam_pwhistory.so remember=24 enforce_for_root try_first_pass
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pwhistory
+rm "$config_file"

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/tests/ubuntu_null.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+if [[ -f /usr/share/pam-configs/pwhistory ]]; then
+    pam-auth-update --disable pwhistory
+fi