Add # packages = pam

Add commented value fail and missing pam_faillock fail
ComplianceAsCode · Jan 8, 2025 · f355d80 · f355d80
1 parent a9d3f1f
commit f355d80
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 4 deletions.
diff --git a/...rd_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_commented_values.fail.sh b/...rd_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_commented_values.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+echo 'auth	requisite                       pam_faillock.so preauth' >> /etc/pam.d/common-auth
diff --git a/...ut_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh b/...ut_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# packages = pam
 
 {{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
diff --git a/...ssword_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_missing_pamd.fail.sh b/...ssword_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_missing_pamd.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+sed '/pam_faillock.so/d' /etc/pam.d/common-auth
diff --git a/...d_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh b/...d_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -1,11 +1,36 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# remediation = none
-
-{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+# packages = pam
 
 # Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
 # in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
 # in order to preserve intentional changes.
+cat << EOF > /usr/share/pam-configs/tmp_unix
+Name: Unix authentication
+Default: yes
+Priority: 257
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_unix.so nullok try_first_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_unix.so nullok
+Account-Type: Primary
+Account:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+        [success=end default=ignore]    pam_unix.so obscure yescrypt
+        auth        sufficient       pam_unix.so
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 
-sed -i '/# end of pam-auth-update config/i\auth        sufficient       pam_unix.so' /etc/pam.d/common-auth
+rm -f /usr/share/pam-configs/tmp_unix