From c8ed2264eba928714b6f13880bd73be7a0591a7f Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Mon, 16 Dec 2024 19:18:44 +0000 Subject: [PATCH 1/6] Implement rule 5.3.3.2.5 Ensure password maximum sequential characters is configured Add rule to ubuntu2404 cis control 5.3.3.2.5 Rename --- components/pam.yml | 1 + controls/cis_ubuntu2404.yml | 5 +-- .../rule.yml | 32 +++++++++++++++++++ .../var_password_pam_maxsequence.var | 17 ++++++++++ 4 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxsequence/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_maxsequence.var diff --git a/components/pam.yml b/components/pam.yml index c9402fce8c3..7313f9b16aa 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -51,6 +51,7 @@ rules: - accounts_password_pam_lcredit - accounts_password_pam_maxclassrepeat - accounts_password_pam_maxrepeat +- accounts_password_pam_maxsequence - accounts_password_pam_minclass - accounts_password_pam_minlen - accounts_password_pam_ocredit diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index eb170820541..2f0e12cb7cd 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -1962,8 +1962,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_password_pam_maxsequence + status: automated - id: 5.3.3.2.6 title: Ensure password dictionary check is enabled (Automated) 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxsequence/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxsequence/rule.yml new file mode 100644 index 00000000000..6d57fc1b731 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxsequence/rule.yml @@ -0,0 +1,32 @@ +documentation_complete: true + + +title: 'Limit the maximum number of sequential characters in passwords' + +description: |- + The pwquality maxsequence setting defines the maximum allowable length for consecutive + character sequences in a new password. Such sequences can be, e.g., 123 or abc. If the value is + set to 0, this check will be turned off. +

+ Note: Passwords that consist mainly of such sequences are unlikely to meet the simplicity criteria + unless the sequence constitutes only a small portion of the overall password. + +rationale: |- + Use of a strong password helps to increase the time and resources required to + compromise the password. Password complexity, or strength, is a measure of the + effectiveness of a password in resisting attempts at guessing and brute-force attacks. +

+ Password complexity is one important factor that determines the duration required to crack it. + A more intricate password results in a larger number of potential combinations that must be + tested before successfully compromising the password. + +severity: medium + +platform: package[pam] + +template: + name: accounts_password + vars: + variable: maxsequence + operation: less than or equal + zero_comparison_operation: greater than diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_maxsequence.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_maxsequence.var new file mode 100644 index 00000000000..70238a00705 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_maxsequence.var @@ -0,0 +1,17 @@ +documentation_complete: true + +title: maxsequence + +description: 'Maximum Number of Consecutive Character Sequences in a Password' + +type: number + +operator: equals + +interactive: false + +options: + 1: 1 + 2: 2 + 3: 3 + default: 3 From 5585978f870f606294b51fb50a3e3a7dda525dda Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Tue, 17 Dec 2024 13:39:42 +0000 Subject: [PATCH 2/6] Apply bash_pam_pwquality_enable before parameter remediation for template accounts_password --- shared/templates/accounts_password/bash.template | 4 ++++ .../templates/accounts_password/tests/correct_value.pass.sh | 4 ++++ .../accounts_password/tests/correct_value_directory.pass.sh | 4 ++++ .../accounts_password/tests/duplicated_values.pass.sh | 4 ++++ .../accounts_password/tests/multiple_correct_value.pass.sh | 4 ++++ 5 files changed, 20 insertions(+) diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template index 372db9e6140..9bc43015f8e 100644 --- a/shared/templates/accounts_password/bash.template 
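Review bot: The description in the rule.yml hunk states that a value of 0 turns the check off but never says that the rule therefore fails on 0, which is what `zero_comparison_operation: greater than` in the template block appears to enforce, and the template block is not visible in the rendered guide. Consider adding after the sentence about 0: `This rule requires maxsequence to be set to a non-zero value no greater than the configured maximum.` The rule also carries no `references:` entry for the CIS item that the controls file in this same patch maps it to; if the project expects one alongside the controls mapping, add `cis@ubuntu2404: 5.3.3.2.5` (inferred from the control id in the hunk above).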
+++ b/shared/templates/accounts_password/bash.template @@ -21,4 +21,8 @@ fi }}} {{% endif %}} +{{% if product == "ubuntu2404" %}} +{{{ bash_pam_pwquality_enable() }}} +{{% endif %}} + {{{ bash_replace_or_append('/etc/security/pwquality.conf', '^' ~ VARIABLE , '$var_password_pam_' ~ VARIABLE , '%s = %s') }}} diff --git a/shared/templates/accounts_password/tests/correct_value.pass.sh b/shared/templates/accounts_password/tests/correct_value.pass.sh index fb462aa575d..286116a54d8 100644 --- a/shared/templates/accounts_password/tests/correct_value.pass.sh +++ b/shared/templates/accounts_password/tests/correct_value.pass.sh @@ -1,6 +1,10 @@ #!/bin/bash # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}} +{{% if product == "ubuntu2404" %}} +{{{ bash_pam_pwquality_enable() }}} +{{% endif %}} + truncate -s 0 /etc/security/pwquality.conf echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf diff --git a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh index 1d12e365537..60b92709f2a 100644 --- a/shared/templates/accounts_password/tests/correct_value_directory.pass.sh +++ b/shared/templates/accounts_password/tests/correct_value_directory.pass.sh @@ -6,6 +6,10 @@ # This test will ensure that OVAL also checks the configuration in # /etc/security/pwquality.conf.d/*.conf files +{{% if product == "ubuntu2404" %}} +{{{ bash_pam_pwquality_enable() }}} +{{% endif %}} + truncate -s 0 /etc/security/pwquality.conf config_dir="/etc/security/pwquality.conf.d" diff --git a/shared/templates/accounts_password/tests/duplicated_values.pass.sh b/shared/templates/accounts_password/tests/duplicated_values.pass.sh index e7b7f957d3d..9c7d2cd8d38 100644 --- a/shared/templates/accounts_password/tests/duplicated_values.pass.sh +++ b/shared/templates/accounts_password/tests/duplicated_values.pass.sh 
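Review bot: The pam_pwquality enable step added to bash.template is gated on `product == "ubuntu2404"`, and the same guard is duplicated in correct_value.pass.sh, correct_value_directory.pass.sh, duplicated_values.pass.sh and multiple_correct_value.pass.sh, whereas the Ansible template in the last patch of this series gates the equivalent step on `"ubuntu" in product`, so bash and Ansible remediation diverge on any Ubuntu product other than 24.04. Pick one condition for both sides: if only 24.04 needs the explicit enable, the Ansible hunk should use `{{% if product == "ubuntu2404" %}}`; otherwise this hunk and the four test scripts should use `{{% if "ubuntu" in product %}}`. A one-line comment above the guard, e.g. `# pam_pwquality is not part of the default PAM stack here; enable it before setting the parameter`, would record why the extra step exists (the reason is inferred from the commit message, not visible in the hunk).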
@@ -1,6 +1,10 @@ #!/bin/bash # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}} +{{% if product == "ubuntu2404" %}} +{{{ bash_pam_pwquality_enable() }}} +{{% endif %}} + truncate -s 0 /etc/security/pwquality.conf echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf diff --git a/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh b/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh index ee5f88b4886..def17658cf5 100644 --- a/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh +++ b/shared/templates/accounts_password/tests/multiple_correct_value.pass.sh @@ -3,6 +3,10 @@ # platform = Oracle Linux 8 # variables = var_password_pam_{{{ VARIABLE }}}={{{ TEST_VAR_VALUE }}} +{{% if product == "ubuntu2404" %}} +{{{ bash_pam_pwquality_enable() }}} +{{% endif %}} + truncate -s 0 /etc/security/pwquality.conf echo "{{{ VARIABLE }}} = {{{ TEST_CORRECT_VALUE }}}" >> /etc/security/pwquality.conf From aa57ff2b2552da39ef4f7c4e47f07a88ebbe4645 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 18 Dec 2024 17:01:58 +0000 Subject: [PATCH 3/6] Add macro ansible_apply_pam_auth_update_changes --- shared/macros/10-ansible.jinja | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index d8726a40bba..7428306fc98 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -847,6 +847,23 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul {{%- endif %}} {{%- endmacro %}} +{{# + Macro used to apply changes on pam-auth-update profiles. If the "profile_name" parameter is not defined, the + pam-auth-update will apply all profile changes by default. + +:param profile_name: Changes the default profile used by pam-auth-update. +:type profile_name: str + +#}} +{{% macro ansible_apply_pam_auth_update_changes(profile_name='') -%}} +- name: '{{{ rule_title }}} - Ensure pam-auth-update profile changes are applied' + ansible.builtin.command: + {{%- if profile_name == '' %}} + cmd: pam-auth-update + {{%- else %}} + cmd: pam-auth-update --enable {{{ profile_name }}} + {{%- endif %}} +{{%- endmacro %}} {{# Disable authselect feature if the authselect current profile is intact or inform that its From 4b3d00d62e0fda0edf8f684849719ef792142389 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 18 Dec 2024 17:02:32 +0000 Subject: [PATCH 4/6] Add macro ansible_pam_pwquality_enable --- shared/macros/10-ansible.jinja | 40 ++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 7428306fc98..b0c17664cb0 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
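Review bot: The macro comment says "If the profile_name parameter is not defined" but the parameter has a default of `''` and the branch tests `profile_name == ''`, so it should read `If "profile_name" is empty, pam-auth-update applies all profile changes by default.` The `ansible.builtin.command` task will also be reported as changed on every run, and pam-auth-update is a debconf-driven tool that can prompt when it detects local modifications; the non-interactive form is normally `DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable <profile>` (inferred — confirm against the existing bash macro this mirrors). In Ansible that is an `environment:` mapping with `DEBIAN_FRONTEND: noninteractive` on the task.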
@@ -1269,6 +1269,46 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul - not result_faillock_conf_check.stat.exists {{%- endmacro -%}} +{{# + This macro ensures the pam_pwquality.so PAM module is enabled. + It is enabled using the pam-auth-update tool. + +:param path: The path of pam-auth-update configuration for pam_pwquality.so. +:type parameter: str + +#}} +{{%- macro ansible_pam_pwquality_enable(path) -%}} + +{{{ ansible_check_pam_auth_update_presence() }}} + +- name: {{{ rule_title }}} - Remediation where pam-auth-update tool is present + block: + - name: Check if {{{ path }}} exists + stat: + path: {{{ path }}} + register: pwquality_file_stat + + - name: Put the content into {{{ path }}} if it does not exist + copy: + dest: {{{ path }}} + content: |+ + Name: Pwquality password strength checking + Default: yes + Priority: 1024 + Conflicts: cracklib + Password-Type: Primary + Password: + requisite pam_pwquality.so retry=3 + force: yes + when: not pwquality_file_stat.stat.exists + + {{{ ansible_apply_pam_auth_update_changes('cac_pwquality') | indent(4) }}} + + when: + - result_pam_auth_update_present.stat.exists + +{{%- endmacro -%}} + {{# Macro for Ansible remediation for adding a kernel command line argument to the GRUB 2 bootloader. From 54dfd3fce926961712f7b7121c17f60339a1634e Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 18 Dec 2024 17:02:53 +0000 Subject: [PATCH 5/6] Add macro ansible_check_pam_auth_update_presence --- shared/macros/10-ansible.jinja | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index b0c17664cb0..7baec3a04a5 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
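Review bot: The docstring's `:type parameter: str` refers to a parameter that does not exist; it should be `:type path: str` to match `:param path:`. The two tasks inside the block use the short module names `stat:` and `copy:` while the sibling macros added in this series use `ansible.builtin.stat` and `ansible.builtin.command`; use the FQCN form here too. `force: yes` on the copy task has no effect together with `when: not pwquality_file_stat.stat.exists`, and with that condition an existing cac_pwquality file with stale content is never corrected — if the macro is meant to own the file's content, drop the `when` and let `copy` decide idempotently on content. This macro also calls `ansible_check_pam_auth_update_presence`, which is only introduced by the next patch in the series, so the macro file does not render at this commit; swapping patches 4 and 5 keeps each commit self-contained.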
@@ -939,6 +939,17 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul register: result_authselect_present {{%- endmacro -%}} +{{# + Used to identify if pam-auth-update is present or not in the system. + Some macros can change the remediation behavior based on the presence of authselect. + +#}} +{{%- macro ansible_check_pam_auth_update_presence() -%}} +- name: '{{{ rule_title }}} - Check if system relies on pam-auth-update tool' + ansible.builtin.stat: + path: /usr/sbin/pam-auth-update + register: result_pam_auth_update_present +{{%- endmacro -%}} {{# Ensure pam_lastlog.so PAM module shows the failed logins according to the system capabilities. From ea51068f221e8afbb6ea1c6886f367ee486e2ab7 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Wed, 18 Dec 2024 17:03:50 +0000 Subject: [PATCH 6/6] Make sure to enable pwquality module on Ubuntu when do ansible remediation --- shared/templates/accounts_password/ansible.template | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template index f25e7cc5428..858f462f33a 100644 --- a/shared/templates/accounts_password/ansible.template +++ b/shared/templates/accounts_password/ansible.template @@ -29,6 +29,10 @@ }}} {{% endif %}} +{{% if "ubuntu" in product %}} +{{{ ansible_pam_pwquality_enable('/usr/share/pam-configs/cac_pwquality') }}} +{{% endif %}} + - name: {{{ rule_title }}} - Ensure PAM variable {{{ VARIABLE }}} is set accordingly ansible.builtin.lineinfile: create: yes
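Review bot: The macro comment says the behavior change is "based on the presence of authselect", but this macro detects pam-auth-update; the sentence was carried over from the authselect check above it and should read `Some macros can change the remediation behavior based on the presence of pam-auth-update.` The stat hard-codes `/usr/sbin/pam-auth-update`, which is where Debian and Ubuntu install it; if the project already defines a variable or macro for that path, reuse it here (inferred, not visible in the hunk).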