ComplianceAsCode · dodys · Dec 10, 2024 · Dec 1, 2024 · Dec 1, 2024 · Dec 1, 2024
diff --git a/...am/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh b/...am/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh
@@ -2,4 +2,5 @@
 
 {{{ bash_instantiate_variables("var_password_pam_retry") }}}
 
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', 'retry', "$var_password_pam_retry", "$var_password_pam_retry") }}}
+{{{ bash_pam_pwquality_enable() }}}
+{{{ bash_pam_pwquality_parameter_value('retry', "$var_password_pam_retry") }}}
diff --git a/...m/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh b/...m/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
@@ -15,6 +15,9 @@ for file in ${configuration_files[@]}; do
 		"/etc/authselect/custom/testingProfile/$file"
 done
 authselect select --force custom/testingProfile
+{{% elif 'ubuntu' in product %}}
+rm -f /usr/share/pam-configs/pwquality
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 for file in ${configuration_files[@]}; do
 	sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"

diff --git a/...uality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh b/...uality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh
@@ -4,6 +4,19 @@
 
 source common.sh
 
+{{% if 'ubuntu' in product %}}
+cat << EOF > /usr/share/pam-configs/pwquality
+Name: Pwquality password strength checking
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Password-Type: Primary
+Password:
+    requisite                   pam_pwquality.so retry=3
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{% else %}}
 for file in ${configuration_files[@]}; do
 {{{ bash_ensure_pam_module_option('/etc/pam.d/$file',
                                    'password',
@@ -13,3 +26,4 @@ for file in ${configuration_files[@]}; do
 								   '3',
 								   '^\s*account') }}}
 done
+{{% endif %}}
diff --git a/..._quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh b/..._quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh
@@ -4,6 +4,19 @@
 
 source common.sh
 
+{{% if 'ubuntu' in product %}}
+cat << EOF > /usr/share/pam-configs/pwquality
+Name: Pwquality password strength checking
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Password-Type: Primary
+Password:
+    requisite                   pam_pwquality.so retry=7
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{% else %}}
 for file in ${configuration_files[@]}; do
 {{{ bash_ensure_pam_module_option('/etc/pam.d/$file',
                                    'password',
@@ -13,3 +26,5 @@ for file in ${configuration_files[@]}; do
 								   '7',
 								   '^\s*account') }}}
 done
+{{% endif %}}
+
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
@@ -847,6 +847,28 @@ fi
 {{%- endmacro -%}}
 
 
+{{#
+    Enable pam_pwquality.so PAM module by using pam-auth-update.
+    This option is only recommended when pam-auth-update tool is available for the system.
+#}}
+{{%- macro bash_pam_pwquality_enable() -%}}
+conf_name=cac_pwquality
+if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then
+    cat << EOF > /usr/share/pam-configs/"$conf_name"
+Name: Pwquality password strength checking
+Default: yes
+Priority: 1025
+Conflicts: cracklib, pwquality
+Password-Type: Primary
+Password:
+    requisite                   pam_pwquality.so
+EOF
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{%- endmacro -%}}
+
+
 {{#
     Validate an authselect custom profile integrity and ensures the correct file path is defined
     in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of
@@ -1052,6 +1074,38 @@ fi
 {{%- endmacro -%}}
 
 
+{{#
+    Sets PAM pwquality module options and values. The module argument is not removed from pam files
+    since it is not inserted there in Ubuntu case.
+    It also assume pam_pwquality.so is added as required module for account.
+
+:param option: pwquality option eg. retry, minlen, dcredit
+:type option: str
+:param value: value of option
+:type value: str
+
+#}}
+{{%- macro bash_pam_pwquality_parameter_value(option, value='') -%}}
+PWQUALITY_CONF="/etc/security/pwquality.conf"
+    {{%- if value == '' %}}
+    regex="^\s*{{{ option }}}"
+    line="{{{ option }}}"
+    {{%- else %}}
+    regex="^\s*{{{ option }}}\s*="
+    line="{{{ option }}} = {{{ value }}}"
+    {{%- endif %}}
+    if ! grep -q $regex $PWQUALITY_CONF; then
+        echo $line >> $PWQUALITY_CONF
+    {{%- if value == '' %}}
+    fi
+    {{%- else %}}
+    else
+        sed -i --follow-symlinks 's|^\s*\({{{ option }}}\s*=\s*\)\(\S\+\)|\1'"{{{ value }}}"'|g' $PWQUALITY_CONF
+    fi
+    {{%- endif %}}
+{{%- endmacro -%}}
+
+
 {{#
     Print a message to stderr and exit the shell