From 3c79448206105f49797740a83a9325398c80a465 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Thu, 19 Dec 2024 12:02:30 +0000
Subject: [PATCH 1/3] Implement 5.3.3.2.7 Ensure password quality checking is enforced
---
 controls/cis_ubuntu2404.yml | 6 ++++--
 .../accounts_password_pam_enforcing/rule.yml | 9 +++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 971d4086985..3cd3528dad4 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1985,8 +1985,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - var_password_pam_enforcing=1
+ - accounts_password_pam_enforcing
+ status: automated
 - id: 5.3.3.2.8
 title: Ensure password quality is enforced for the root user (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml
index ef9eba31a61..df8dcbb8d9f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml
@@ -42,6 +42,13 @@ ocil: |-
 platform: package[pam]
+{{% if product == "ubuntu2404" %}}
+template:
+ name: accounts_password
+ vars:
+ variable: enforcing
+ operation: equals
+{{% else %}}
 template:
 name: "lineinfile"
 vars:
@@ -49,3 +56,5 @@ template:
 path: "/etc/security/pwquality.conf"
 oval_extend_definitions:
 - accounts_password_pam_pwquality
+{{% endif %}}
+
From d39c26af93add56b3cf700151bba388c86bd7b3b Mon Sep 17 00:00:00 2001
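Review bot: The control now selects `var_password_pam_enforcing=1`, but the `var_password_pam_enforcing.var` that defines that variable is only created in patch 2/3 of this series, so if the build resolves variable selections when the profile is compiled, patch 1 does not build on its own and a bisect across the series breaks at this commit. Reordering so the variable lands first, or squashing the two patches, avoids that without changing the end state. Dropping the `notes: TODO` line is consistent with the status moving to `automated`.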
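Review bot: On the ubuntu2404 branch the `accounts_password` template is given only `variable: enforcing` and `operation: equals`, and the `oval_extend_definitions: accounts_password_pam_pwquality` that the other branch keeps is not carried over, so unless that template extends the pwquality-enabled definition itself, the check passes on a host whose pwquality.conf says `enforcing = 1` while pam_pwquality is not in the PAM stack at all. Separately, pam_pwquality(8) documents that module arguments override the config file, so `enforcing=0` on the `password` line of /etc/pam.d/common-password disables enforcement while this check still passes; if I read CIS 5.3.3.2.7 for Ubuntu 24.04 correctly, it audits that argument and the /etc/security/pwquality.conf.d/*.conf drop-ins as well. Until those are covered, a comment on the branch would keep the gap visible: `# NOTE: checks only /etc/security/pwquality.conf; enforcing=0 as a pam_pwquality module argument or in pwquality.conf.d/*.conf is not detected`.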
From: Alan Moore
Date: Thu, 19 Dec 2024 12:12:36 +0000
Subject: [PATCH 2/3] Add enforcing variable
---
 .../var_password_pam_enforcing.var | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_enforcing.var
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_enforcing.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_enforcing.var
new file mode 100644
index 00000000000..09a65247e96
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_enforcing.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: enforcing
+
+description: |-
+ Disallow a password that does not meet the criteria
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ 1: 1
+ default: 1
+
From 183a4c1d06c7fad5f1d5bcd0d07ec44004c012b0 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Thu, 19 Dec 2024 12:20:08 +0000
Subject: [PATCH 3/3] Align the test of accounts_password_pam_enforcing with upstream
---
 .../accounts_password_pam_enforcing/tests/correct.pass.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh
index 4ffd4e5bb96..d2a75c5fd4e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/tests/correct.pass.sh
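Review bot: The description `Disallow a password that does not meet the criteria` does not say which setting the value feeds or what the alternative value means, and the title is the bare option name. pwquality.conf(5) documents `enforcing` as: non-zero rejects a password that fails the quality checks, 0 only warns; I would write `title: Enforce password quality checks` and `description: |-` followed by `Value of the enforcing option in /etc/security/pwquality.conf: when non-zero, pam_pwquality rejects a password that fails the quality checks; when 0 it only warns (pwquality.conf(5)).` Offering only `1` under `options` is reasonable since `0` would never be a compliant selection, but a one-line comment saying so would stop a future reader from "completing" the list.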
@@ -1,3 +1,7 @@
 #!/bin/bash
+{{% if product == "ubuntu2404" %}}
+{{{ bash_pam_pwquality_enable() }}}
+{{% endif %}}
+
 echo 'enforcing = 1' > /etc/security/pwquality.conf
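Review bot: This pass test only exercises `enforcing = 1` written to /etc/security/pwquality.conf, and nothing in the series shows a failing scenario for the new ubuntu2404 branch: `enforcing = 0` in that file, `enforcing = 0` in a /etc/security/pwquality.conf.d/*.conf drop-in, or `enforcing=0` as a pam_pwquality module argument in /etc/pam.d/common-password, which pam_pwquality(8) says overrides the config file. A sibling `enforcing_0.fail.sh` with the same `bash_pam_pwquality_enable()` prelude and `echo 'enforcing = 0' > /etc/security/pwquality.conf` would at least pin the negative case and show whether the Ubuntu branch of the check still depends on pam_pwquality being enabled. The `>` redirect replaces the whole of pwquality.conf, which is fine on a throwaway test VM but worth a `# test fixture: overwrites pwquality.conf` comment so nobody lifts it into a remediation.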