-
Notifications
You must be signed in to change notification settings - Fork 704
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #12706 from alanmcanonical/ubt24_5321
Ubuntu 24.04 5.3.2.1 Ensure pam_unix module is enabled
- Loading branch information
Showing
5 changed files
with
73 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3 changes: 3 additions & 0 deletions
3
...x_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # platform = multi_platform_ubuntu | ||
|
|
||
| {{{ bash_pam_unix_enable() }}} |
36 changes: 36 additions & 0 deletions
36
..._os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| {{% set file_stem = ["auth","account","password","session"] %}} | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("Ensure pam_unix.so is properly configured in PAM configuration files") }}} | ||
| <criteria operator="AND" comment="Check if pam_unix.so is properly defined in all PAM files"> | ||
| {{% for stem in file_stem %}} | ||
| <criterion test_ref="test_pam_unix_common_{{{ stem }}}" | ||
| comment="pam_unix has correctly set in common-{{{ stem }}}"/> | ||
| {{% endfor %}} | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <!-- Check occurrences of pam_unix.so in common-{auth,account,password} file --> | ||
| {{% macro test_pam_unix(stem) %}} | ||
| <ind:textfilecontent54_test check="all" id="test_pam_unix_common_{{{ stem }}}" version="1" | ||
| check_existence="only_one_exists" | ||
| comment="No more than one pam_unix.so is expected in {{{ stem }}} section of /etc/pam.d/common-{{{ stem }}}"> | ||
| <ind:object object_ref="obj_pam_unix_common_{{{ stem }}}" /> | ||
| </ind:textfilecontent54_test> | ||
| {{% endmacro %}} | ||
|
|
||
| {{% macro object_pam_unix(stem) %}} | ||
| <ind:textfilecontent54_object id="obj_pam_unix_common_{{{ stem }}}" version="1" | ||
| comment="Get the occurrences of pam_unix.so in {{{ stem }}} section of /etc/pam.d/common-{{{ stem }}}"> | ||
| <ind:filepath>/etc/pam.d/common-{{{ stem }}}</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*{{{stem}}}[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$</ind:pattern> | ||
| <ind:instance datatype="int" operation="equals">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
| {{% endmacro %}} | ||
|
|
||
| {{% for file in file_stem %}} | ||
| {{{ test_pam_unix(stem=file) }}} | ||
| {{{ object_pam_unix(stem=file) }}} | ||
| {{% endfor %}} | ||
|
|
||
| </def-group> |
30 changes: 30 additions & 0 deletions
30
linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| documentation_complete: true | ||
|
|
||
|
|
||
| title: Verify pam_unix module is activated | ||
|
|
||
| description: |- | ||
| <tt>pam_unix</tt> is the standard Unix authentication module. It uses standard calls from the | ||
| system's libraries to retrieve and set account information as well as authentication. | ||
| Usually this is obtained from the <tt>/etc/passwd</tt> and if shadow is enabled, the | ||
| <tt>/etc/shadow</tt> file as well. | ||
| <br /><br /> | ||
| The account component performs the task of establishing the status of the user's | ||
| account and password based on the following shadow elements: <tt>expire, | ||
| last_change, max_change, min_change, warn_change</tt>. In the case of the latter, it may | ||
| offer advice to the user on changing their password or, through the | ||
| <tt>PAM_AUTHTOKEN_REQD</tt> return, delay giving service to the user until they have | ||
| established a new password. The entries listed above are documented in the shadow(5) | ||
| manual page. Should the user's record not contain one or more of these entries, the | ||
| corresponding shadow check is not performed. | ||
| <br /><br /> | ||
| The authentication component performs the task of checking the users credentials | ||
| (password). The default action of this module is to not permit the user access to a | ||
| service if their official password is blank. | ||
| rationale: |- | ||
| The system should only provide access after performing authentication of a user. | ||
| severity: medium | ||
|
|
||
| platform: package[pam] |