From f355d80c750c1ed18cd98a3a3b5d99207a11163b Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Wed, 8 Jan 2025 14:18:01 +0000
Subject: [PATCH] Add # packages = pam

Add commented value fail and missing pam_faillock fail
---
 .../tests/ubuntu_commented_values.fail.sh | 5 +++
 .../tests/ubuntu_correct.pass.sh | 1 +
 .../tests/ubuntu_missing_pamd.fail.sh | 5 +++
 .../tests/ubuntu_multiple_pam_unix.fail.sh | 33 ++++++++++++++++---
 4 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_commented_values.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_missing_pamd.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_commented_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_commented_values.fail.sh
new file mode 100644
index 00000000000..70b20de9f3e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_commented_values.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+echo 'auth requisite pam_faillock.so preauth' >> /etc/pam.d/common-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
index bc1a71c7614..acac3aee099 100644
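Review bot: The scenario is named "commented values" but its only action, the last line of the new file, appends an uncommented `auth requisite pam_faillock.so preauth` line to common-auth; the condition that is supposed to make the rule fail — presumably that the stock /etc/security/faillock.conf ships with its deny/unlock_time values commented out — is neither stated nor enforced by the script. On an image where faillock.conf has already been configured the scenario would then pass for the wrong reason. A header comment such as `# Relies on the stock faillock.conf keeping its values commented out; only the preauth line is enabled here` would document the assumption, and re-commenting those values explicitly in the script would make the scenario independent of the image state.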
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_correct.pass.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
+# packages = pam
 
 {{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_missing_pamd.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_missing_pamd.fail.sh
new file mode 100644
index 00000000000..fc6bd806613
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_missing_pamd.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+sed '/pam_faillock.so/d' /etc/pam.d/common-auth
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh
index 20d85d14675..4e3171a9d7e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/tests/ubuntu_multiple_pam_unix.fail.sh
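Review bot: The `sed '/pam_faillock.so/d' /etc/pam.d/common-auth` on the last line of ubuntu_missing_pamd.fail.sh has no `-i`, so it only prints the filtered file to stdout and leaves common-auth exactly as it was; the scenario then fails only if the image never had pam_faillock configured, which makes it indistinguishable from the default state rather than a test of removed configuration. The line should be `sed -i '/pam_faillock.so/d' /etc/pam.d/common-auth`. If the rule also checks the account phase, the same deletion is presumably needed in /etc/pam.d/common-account, which this script does not touch.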
@@ -1,11 +1,36 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
-# remediation = none
-
-{{{ bash_enable_pam_faillock_directly_in_pam_files() }}}
+# packages = pam
 
 # Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
 # in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
 # in order to preserve intentional changes.
 
+cat << EOF > /usr/share/pam-configs/tmp_unix
+Name: Unix authentication
+Default: yes
+Priority: 257
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so nullok try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so nullok
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+ auth sufficient pam_unix.so
+EOF
+DEBIAN_FRONTEND=noninteractive pam-auth-update
-sed -i '/# end of pam-auth-update config/i\auth sufficient pam_unix.so' /etc/pam.d/common-auth
+rm -f /usr/share/pam-configs/tmp_unix
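Review bot: The extra `auth sufficient pam_unix.so` line in the heredoc sits as an indented continuation under `Password-Initial:`, so if pam-auth-update treats it the way it treats the other indented lines it will land in common-password, not as the second pam_unix.so in the auth section that the retained comment describes — and with a full `auth sufficient pam_unix.so` text rather than the profile's control-plus-module form, the emitted line looks malformed as well. The duplicate should instead be a second indented entry under `Auth:` (and `Auth-Initial:`), written like the existing entries, e.g. ` sufficient pam_unix.so`. Separately, the hunk drops `# remediation = none` while keeping the comment that remediation does not solve this case; if that is still true, the scenario will be reported as failing after remediation runs, so either the metadata line or the comment needs to change.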