From 7cc096e6967f016715fc7cc4037be495b7817c26 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Mon, 16 Dec 2024 12:30:30 +0000
Subject: [PATCH 1/3] Implement rule accounts_password_pam_pwquality_enabled
--- components/pam.yml | 1 + .../bash/shared.sh | 3 ++ .../oval/shared.xml | 37 +++++++++++++++++++ .../rule.yml | 21 +++++++++++ .../tests/commented.fail.sh | 4 ++ .../tests/common.sh | 27 ++++++++++++++ .../tests/correct.pass.sh | 14 +++++++ .../tests/missing.fail.sh | 4 ++ 8 files changed, 111 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
diff --git a/components/pam.yml b/components/pam.yml
index 0590e268d07..94eb1001ad1 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -59,6 +59,7 @@ rules:
 - accounts_password_pam_pwhistory_remember_system_auth
 - accounts_password_pam_pwquality_password_auth
 - accounts_password_pam_pwquality_system_auth
+- accounts_password_pam_pwquality_enabled
 - accounts_password_pam_retry
 - accounts_password_pam_ucredit
 - accounts_password_pam_unix_remember
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
new file mode 100644
index 00000000000..38f2d36dbe2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_ubuntu
+
+{{{ bash_pam_pwquality_enable() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
new file mode 100644
index 00000000000..49409d6cf4b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
@@ -0,0 +1,37 @@ +{{% if 'ubuntu' in product or 'debian' in product %}} +{{% set configuration_files = ["common-password"] %}} +{{% endif %}} + + + {{{ oval_metadata("Check pam_pwquality module is enabled") }}} + + {{% for file in configuration_files %}} + + {{% endfor %}} + + + + {{% macro test_pwquality_enabled(path, test_ref) %}} + + + + {{% endmacro %}} + + {{% macro object_pwquality_enabled(path, test_ref) %}} + + {{{ path }}} + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + {{% endmacro %}} + + {{% for file in configuration_files %}} + {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{% endfor %}} + diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml new file mode 100644 index 00000000000..9f9a1e585ef --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/rule.yml @@ -0,0 +1,21 @@ +documentation_complete: true + + +title: 'Verify pam_pwquality module is activated' + +description: |- + The pam_pwquality.so module ensures password quality by evaluating user-created passwords + against a system dictionary and a set of rules designed to detect weak choices. Originally derived + from the pam_cracklib module, this module is backward-compatible with options of pam_cracklib. +
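Review bot: The pattern on the object line, `^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$`, accepts only the `required` and `requisite` control values, so a stack that loads pam_pwquality.so with the bracketed control syntax (`[success=1 default=ignore]`) or with `optional` is reported as not enabled although the module is loaded; if the intent is "enabled and enforced" rather than a plain "module is loaded" check, state that in the metadata, e.g. `oval_metadata("Check pam_pwquality module is enabled as required or requisite in /etc/pam.d/common-password")`. The nested groups can be written `(?:required|requisite)` with no change in what matches. The rendered hunk has its XML elements stripped, so the test's check_existence and the criteria operator could not be reviewed here.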

+ The module's process includes prompting the user for a password, checking its strength, and if it
+ meets the criteria requesting the password again for confirmation. If both entries match, the
+ password is passed to subsequent modules to be set as the new authentication token.
+
+rationale: |-
+ Strong passwords significantly increase the time and effort required for unauthorized access,
+ increasing overall system security.
+
+severity: medium
+
+platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
new file mode 100644
index 00000000000..95830eba0ab
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+sed -i 's/\(^.*pam_pwquality\.so.*\)/# \1/' /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
new file mode 100644
index 00000000000..02bd487048c
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
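Review bot: `platform: package[pam]` makes the rule applicable to every product that ships pam, yet the check is gated on `'ubuntu' in product` and the remediation is `# platform = multi_platform_ubuntu`, so on any other product the rule would be selected with neither a check nor a fix; either narrow the platform or state the Ubuntu-only scope in the description. The rule also lacks metadata that rules in this tree usually carry: a `references:` block with `cis@ubuntu2404: 5.3.2.3` (the control it is mapped to in 2/3) and an `ocil_clause`, e.g. `ocil_clause: 'pam_pwquality.so is not listed as required or requisite in /etc/pam.d/common-password'`. The description explains what pam_pwquality does but never says what is verified; a sentence such as "This rule checks that /etc/pam.d/common-password loads pam_pwquality.so with the required or requisite control value" would tie it to the OVAL.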
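Review bot: The scenario never ensures a `pam_pwquality.so` line exists in /etc/pam.d/common-password before commenting it out, so on an image where the module was never enabled the sed is a no-op and the test fails for the "missing" reason rather than because a commented line is detected. Perform the same pam-configs profile write and `pam-auth-update` that correct.pass.sh does before the sed, so the only difference from the pass case is the comment marker. For consistency with common.sh, use `sed -i --follow-symlinks 's/\(^.*pam_pwquality\.so.*\)/# \1/' /etc/pam.d/common-password`.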
@@ -0,0 +1,27 @@
+{{% if 'ubuntu' in product %}}
+configuration_files=("common-password")
+{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+configuration_files=("password-auth" "system-auth")
+{{% else %}}
+configuration_files=("system-auth")
+{{% endif %}}
+
+
+{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
+authselect create-profile testingProfile --base-on sssd
+
+for file in ${configuration_files[@]}; do
+ sed -i --follow-symlinks "/pam_pwquality\.so/d" \
+ "/etc/authselect/custom/testingProfile/$file"
+done
+authselect select --force custom/testingProfile
+{{% elif 'ubuntu' in product %}}
+rm -f /usr/share/pam-configs/pwquality
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+{{% else %}}
+for file in ${configuration_files[@]}; do
+ sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"
+done
+{{% endif%}}
+
+truncate -s 0 /etc/security/pwquality.conf
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
new file mode 100644
index 00000000000..a74d14e7eb3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+cat << EOF > /usr/share/pam-configs/pwquality
+Name: Pwquality password strength checking
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Password-Type: Primary
+Password:
+ requisite pam_pwquality.so
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
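Review bot: `truncate -s 0 /etc/security/pwquality.conf` at the end of the fixture is unrelated to this rule, which only checks whether the module is listed in the PAM stack; it looks carried over from the pwquality option rules, and dropping it keeps the fixture scoped to what the check evaluates. The authselect and generic `/etc/pam.d/` branches are unreachable as committed, since every test script here is `# platform = multi_platform_ubuntu` and the OVAL is gated to Ubuntu (renamed ubuntu.xml in 3/3); keep them only if non-Ubuntu content is planned, and say so in a comment. On the Ubuntu branch, `rm -f /usr/share/pam-configs/pwquality` deletes a package-owned file, whereas `DEBIAN_FRONTEND=noninteractive pam-auth-update --remove pwquality` disables the profile without touching it. Minor: `{{% endif%}}` is missing a space, and the array expansion should be quoted, `for file in "${configuration_files[@]}"; do`.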
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
new file mode 100644
index 00000000000..feb4afc273d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source common.sh
From c1c4a4e476e05dc27c74f21657c66f712b448b6d Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Mon, 16 Dec 2024 12:31:06 +0000
Subject: [PATCH 2/3] Add rule to ubuntu2404 cis control 5.3.2.3
--- controls/cis_ubuntu2404.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 1d692f57906..0919f14709f 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1866,8 +1866,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_password_pam_pwquality_enabled + status: automated - id: 5.3.2.4 title: Ensure pam_pwhistory module is enabled (Automated)
From a67d7c76f2c4431f1f9967894a6303bbc9cd1db5 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Wed, 18 Dec 2024 12:02:31 +0000
Subject: [PATCH 3/3] Rename oval into Ubuntu specific Remove debain check
--- .../oval/{shared.xml => ubuntu.xml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/{shared.xml => ubuntu.xml} (96%)
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml
similarity index 96%
rename from linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
rename to linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml
index 49409d6cf4b..359d61af24b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml
@@ -1,4 +1,4 @@
-{{% if 'ubuntu' in product or 'debian' in product %}}
+{{% if 'ubuntu' in product %}}
 {{% set configuration_files = ["common-password"] %}}
 {{% endif %}}
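Review bot: With the file renamed to ubuntu.xml, the `{{% if 'ubuntu' in product %}}` guard around `configuration_files` is redundant if the build renders this file only for Ubuntu products (inferred from the file name; confirm against the build), and for any other product it would leave `configuration_files` undefined so the `for` loops in the rest of the file render nothing. An unconditional `{{% set configuration_files = ["common-password"] %}}` reads clearer; if the guard is kept on purpose, a one-line comment saying why would help the next reader.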