Ubuntu 24.04: Implement 5.3.3.4.1 Ensure pam_unix does not include nullok

controls/cis_ubuntu2404.yml

@@ -2028,8 +2028,9 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - no_empty_passwords
+    status: automated
 
   - id: 5.3.3.4.2
     title: Ensure pam_unix does not include remember (Automated)

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml

@@ -102,3 +102,7 @@ warnings:
        container. Having user with empty password within a container is not
        considered a risk, because it should not be possible to directly login into
        a container anyway.
+
+{{% if 'ubuntu' in product %}}
+platform: package[pam]
+{{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh

@@ -1,8 +1,40 @@
 #!/bin/bash
 # platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# packages = pam
 
 {{% if 'ubuntu' in product %}}
-sed -i --follow-symlinks '/nullok/d' /etc/pam.d/common-password
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so nullok
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix
+
+rm "$config_file"
+
 {{% else %}}
 sed -i --follow-symlinks '/nullok/d' /etc/pam.d/system-auth
 sed -i --follow-symlinks '/nullok/d' /etc/pam.d/password-auth

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh

@@ -1,7 +1,43 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# packages = pam
 
+{{% if 'ubuntu' in product %}}
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so nullok
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt # nullok
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure yescrypt # nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix
+
+rm "$config_file"
+
+{{% else %}}
 for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
     sed -i --follow-symlinks '/nullok/d' $pam_file
     echo "# auth  sufficient  pam_unix.so try_first_pass nullok" >> $pam_file
 done
+{{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh

@@ -1,17 +1,44 @@
 #!/bin/bash
 # platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+# packages = pam
 
 {{% if 'ubuntu' in product %}}
-for FILE in "/etc/pam.d/common-password"; do
-    if ! grep -q "^[^#].*pam_unix\.so.*nullok" ${FILE}; then
-        sed -i 's/\([\s]pam_unix\.so\)/\1 nullok/g' ${FILE}
-    fi
-done
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so nullok
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure yescrypt nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_unix
+
+rm "$config_file"
 {{% else %}}
 SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
 
 if ! $(grep -q "^[^#].*pam_unix\.so.*nullok" $SYSTEM_AUTH_FILE); then
-    sed -i --follow-symlinks 's/\([\s].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $SYSTEM_AUTH_FILE
+    sed -i --follow-symlinks 's/\(^[^#].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $SYSTEM_AUTH_FILE
 fi
 {{% endif %}}
 

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password_auth.fail.sh

@@ -4,5 +4,5 @@
 PASSWORD_AUTH_FILE="/etc/pam.d/password-auth"
 
 if ! $(grep -q "^[^#].*pam_unix\.so.*nullok" $PASSWORD_AUTH_FILE); then
-    sed -i --follow-symlinks 's/\([\s].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $PASSWORD_AUTH_FILE
+    sed -i --follow-symlinks 's/\(^[^#].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $PASSWORD_AUTH_FILE
 fi