diff --git a/components/pam.yml b/components/pam.yml
index af9441e878a..f4e85c501c8 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -66,6 +66,7 @@ rules:
- accounts_password_pam_ucredit
- accounts_password_pam_unix_enabled
- accounts_password_pam_unix_no_remember
+- accounts_password_pam_unix_authtok
- accounts_password_pam_unix_remember
- accounts_password_pam_unix_rounds_password_auth
- accounts_password_pam_unix_rounds_system_auth
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a65a4d83f94..6641ab732c9 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2059,8 +2059,9 @@ controls:
levels:
- l1_server
- l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - accounts_password_pam_unix_authtok
+ status: automated
- id: 5.4.1.1
title: Ensure password expiration is configured (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
new file mode 100644
index 00000000000..57008e0168a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/shared.sh
@@ -0,0 +1,14 @@
+# platform = multi_platform_ubuntu
+
+config_file="/usr/share/pam-configs/cac_unix"
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_unix\.so/ {
+ /use_authtok/! s/$/ use_authtok/g
+ }
+}' "$config_file"
+
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix
+
+
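Review bot: The `sed -i` on the `Password:` block and the `pam-auth-update --remove unix --enable cac_unix` call both run unconditionally, yet `bash_pam_unix_enable()` only creates `$config_file` when the stock `unix` profile's checksum matches the dpkg md5sums; on a mismatch the macro's visible lines merely print "Not applicable" to stderr, and the rest of that branch is outside this diff. If that branch does not terminate the script, `--remove unix` would still be applied while `--enable cac_unix` has no profile to enable, which risks generating `/etc/pam.d/common-*` files with no pam_unix entry at all. Wrapping both commands in `if [ -f "$config_file" ]; then … fi` (or adding `[ -f "$config_file" ] || exit 0` right after the macro) keeps the not-applicable case a true no-op. Minor: the `g` flag on `s/$/ use_authtok/g` is meaningless for `$`; `s/[[:space:]]*$/ use_authtok/` would also avoid a doubled space when the pam_unix.so line carries trailing whitespace.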
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
new file mode 100644
index 00000000000..b87d8152982
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/oval/shared.xml
@@ -0,0 +1,42 @@
+{{%- set accounts_password_pam_unix_file = '/etc/pam.d/common-password' -%}}
+
+
$ grep use_authtok {{{ configFile }}}+ The output should show use_authtok on the line. + +fixtext: |- + To configure the use_authtok option for the pam_unix + PAM modules, in the file {{{ configFile }}}, append use_authtok + to the line which refers to the pam_unix.so, as + shown below: + +
password [success=1 default=ignore] pam_unix.so ...existing_options... use_authtok+ +platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh
new file mode 100644
index 00000000000..8bc825f2336
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_common.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+# remove all pam-auth-update configs which update the
+# primary password block and create a config with well defined
+# high priority to ensure correct stacking of our module
+grep -il "Password-Type: Primary" /usr/share/pam-configs/* | grep -v "/unix$" | xargs rm -f
+
+cat << EOF > /usr/share/pam-configs/cac_test_echo
+Name: Echo
+Default: yes
+Priority: 10000
+Password-Type: Primary
+Password:
+ password optional pam_echo.so
+Password-Initial:
+ password optional pam_echo.so
+EOF
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh
new file mode 100644
index 00000000000..80394934931
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values.fail.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh
new file mode 100644
index 00000000000..6aff7903b99
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_conflicting_values2.fail.sh
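Review bot: The 38-line `tmpunix` profile heredoc in this test is repeated almost verbatim in `ubuntu_conflicting_values2.fail.sh`, `ubuntu_correct_value.pass.sh`, `ubuntu_missing_value.fail.sh` and `ubuntu_missing_value_initial.pass.sh`, with only the `Priority:` value and the `Password:` lines differing. Moving the heredoc into `ubuntu_common.sh` as a helper such as `write_tmpunix_profile PRIORITY PASSWORD_LINES` that substitutes those two parts, and calling it from each scenario as `write_tmpunix_profile 1024 "$password_block"`, would stop the Auth/Account/Session stanzas from drifting apart between scenarios. It would also make the intent of this scenario stand out: two pam_unix.so lines in `Password:`, only one carrying `use_authtok`, must fail the check.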
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
new file mode 100644
index 00000000000..1a8af633232
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_correct_value.pass.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
new file mode 100644
index 00000000000..42d499b7c2f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value.fail.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# lower priority to ensure the config is below the cac_test_echo
+# on the stack, thus using the "Password:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1024
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh
new file mode 100644
index 00000000000..a8ef5c3e10e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/tests/ubuntu_missing_value_initial.pass.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+config_file=/usr/share/pam-configs/tmpunix
+
+# higher priority to ensure the config is above the cac_test_echo
+# on the stack, thus using the "Password-Initial:" configuration
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 1000000
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 17ed7a13c7a..302deb02c94 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -913,8 +913,8 @@ if [ ! -f "$conf_path"/"$conf_name" ]; then
 if [ -f "$conf_path"/unix ]; then
 if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
 cp "$conf_path"/unix "$conf_path"/"$conf_name"
- sed -i '/Default: yes/a Priority: 257\
-Conflicts: unix' "$conf_path"/"$conf_name"
+ sed -i 's/Priority: [0-9]\+/Priority: 257\
+Conflicts: unix/' "$conf_path"/"$conf_name"
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 else
 echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
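Review bot: The new substitution `s/Priority: [0-9]\+/Priority: 257\ …/` is unanchored and silently does nothing if the copied `unix` profile carries no `Priority:` line, in which case `cac_unix` also never receives its `Conflicts: unix` line and pam-auth-update would stack both profiles, giving two pam_unix entries. Anchor it and verify the edit took effect, e.g. `s/^Priority: [0-9]\+$/Priority: 257\` + `Conflicts: unix/` followed by `grep -q '^Conflicts: unix$' "$conf_path"/"$conf_name" || { echo "failed to adjust $conf_name" >&2; exit 1; }`. The value 257 is presumably chosen to sit just above the stock profile's own priority; a one-line comment stating that, and that the md5sums check is what guarantees the file being rewritten is the unmodified package version, would help the next maintainer. The enclosing `if` block of this macro starts and ends outside the hunk, so how the not-applicable `else` branch terminates is not visible here.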