From ddf8ca31759e28f4bede1bb4566d604e1dd19bcc Mon Sep 17 00:00:00 2001
From: Alan Moore <alan.moore@canonical.com>
Date: Thu, 19 Dec 2024 11:05:57 +0000
Subject: [PATCH] Implement rule 5.3.3.2.1 Ensure password number of changed
 characters is configured

---
 controls/cis_ubuntu2404.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index fcfcb3e927d..2e4fa4fca7d 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1102,7 +1102,7 @@ controls:
     status: automated
     notes: file_owner_at_deny and file_owner_at_allow currently require root as owner
            and don't accept daemon
-    
+
   - id: 3.1.1
     title: Ensure IPv6 status is identified (Manual)
     levels:
@@ -1871,7 +1871,7 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    rules: 
+    rules:
       - accounts_password_pam_pwquality_enabled
     status: automated
 
@@ -1919,8 +1919,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - var_password_pam_difok=2
+      - accounts_password_pam_difok
+    status: automated
 
   - id: 5.3.3.2.2
     title: Ensure minimum password length is configured (Automated)