From 7b71e3e6d2ff3408675f019e761e9fdfa3a5905b Mon Sep 17 00:00:00 2001 
From: Israel Villar Boillos Date: Fri, 5 Jun 2026 22:32:04 +0100 Subject: [PATCH 1/4] Add Debian 13 PAM support to existing rules Add Debian-specific bash remediations and OVAL checks for PAM rules that previously lacked Debian support: - accounts_password_pam_pwhistory_remember: add bash/debian.sh and oval/debian.xml using /etc/pam.d/common-password directly. - accounts_password_pam_pwhistory_use_authtok: add bash/debian.sh. - accounts_password_pam_unix_authtok: add bash/debian.sh. - accounts_password_pam_pwquality_enabled: add oval/debian.xml checking pam_pwquality.so in /etc/pam.d/common-password. Extend existing shared remediations to cover Debian: - accounts_password_pam_unix_enabled/bash/shared.sh: add multi_platform_debian. - accounts_password_pam_pwhistory_enabled/bash/shared.sh: add multi_platform_debian. - accounts_passwords_pam_faillock_enabled/bash/shared.sh: add multi_platform_debian. - accounts_password_pam_unix_no_remember/bash/shared.sh: add multi_platform_debian. - no_empty_passwords_unix/bash/shared.sh: add fallback that removes nullok directly from /etc/pam.d/common-* files in case pam-auth-update is blocked by local modifications. 
Add CIS Debian 13 options to password hashing algorithm variables: - var_password_hashing_algorithm.var: add cis_debian13=YESCRYPT|SHA512 - var_password_hashing_algorithm_pam.var: add cis_debian13=yescrypt|sha512 Co-Authored-By: Claude Sonnet 4.6 --- .../bash/shared.sh | 2 +- .../bash/shared.sh | 2 +- .../bash/debian.sh | 21 +++++++ .../oval/debian.xml | 58 +++++++++++++++++++ .../bash/debian.sh | 13 +++++ .../bash/debian.sh | 12 ++++ .../bash/shared.sh | 2 +- .../oval/debian.xml | 37 ++++++++++++ .../var_password_hashing_algorithm.var | 1 + .../var_password_hashing_algorithm_pam.var | 1 + .../bash/shared.sh | 2 +- .../no_empty_passwords_unix/bash/shared.sh | 8 +++ 12 files changed, 155 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh index d3ed274a302a..c3d13462234b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh 
@@ -1,4 +1,4 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 {{% if 'ubuntu' in product or 'debian' in product %}}
 {{{ bash_pam_unix_enable() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
index bd7ef67ddd77..eddf0d6281bb 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 {{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh
new file mode 100644
index 000000000000..519e94d8077b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh
@@ -0,0 +1,21 @@ +# platform = multi_platform_debian + +{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}} + +{{{ bash_instantiate_variables("var_password_pam_remember") }}} + +sed -i -E '/^Password:/,/^[^[:space:]]/ { + /pam_pwhistory\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_remember"'/g + } +}' /usr/share/pam-configs/cac_pwhistory + +sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { + /pam_pwhistory\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_remember"'/g + } +}' /usr/share/pam-configs/cac_pwhistory + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml new file mode 100644 index 000000000000..739ade74c36e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml @@ -0,0 +1,58 @@ +{{% if "debian" in product %}} +{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}} +{{% endif %}} + + + + {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.", rule_title=rule_title) }}} + + + + + + + + + + + + + + + {{{ accounts_password_pam_file }}} + + 1 + + + + + ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so.*$ + + + + + + + + + + + + + + {{{ accounts_password_pam_file }}} + ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\bremember=([0-9]*)\b.*$ + 1 + + + 
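Review bot: The final `DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory` is the only step that actually lands remember= in /etc/pam.d/common-password, yet its outcome is never checked, so when pam-auth-update declines to rewrite locally modified common-* files — the situation the no_empty_passwords_unix fallback in this same series works around — the remediation exits successfully with the value present only in the profile. Consider propagating the tool's exit status and, if it reports success regardless, grepping common-password for `remember=$var_password_pam_remember` afterwards and failing when it is absent; the same gap exists in the pam_pwhistory_use_authtok and pam_unix_authtok debian.sh hunks below. Separately, `$var_password_pam_remember` is spliced verbatim into both sed replacement strings, so a value containing `/` or whitespace would break the expression or append a stray module option; a guard such as `[[ "$var_password_pam_remember" =~ ^[0-9]+$ ]] || exit 1` before the two sed calls keeps the profile well-formed.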
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh
new file mode 100644
index 000000000000..6696cccfdb36
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_debian
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+conf_file=/usr/share/pam-configs/cac_pwhistory
+if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"; then
+ sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_pwhistory\.so/ {
+ s/$/ use_authtok/g
+ }
+ }' "$conf_file"
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh
new file mode 100644
index 000000000000..bb9b98b0a059
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_debian
+
+config_file="/usr/share/pam-configs/cac_unix"
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_unix\.so/ {
+ /use_authtok/! s/$/ use_authtok/g
+ }
+}' "$config_file"
+
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix
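Review bot: In the pam_pwhistory_use_authtok debian.sh the `if ! grep -qE ... "$conf_file"` guard inspects the whole profile while the sed inside it only edits the `Password:` stanza, so a `use_authtok` that appears only in another stanza suppresses the edit, and the wrapper adds nothing the sed could not decide per line. The sibling pam_unix_authtok hunk on this page already uses the per-line form; mirroring it here with `/use_authtok/! s/$/ use_authtok/g` inside the `/pam_pwhistory\.so/ { }` group lets the grep and the `if` go, keeps the check scoped to exactly the line being edited, and remains idempotent on re-runs.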
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh
index 43feff6ed1e8..d3d6d6c575b0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh
@@ -1,3 +1,3 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 {{{ bash_pam_faillock_enable() }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml
new file mode 100644
index 000000000000..860c199a4ca7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml
@@ -0,0 +1,37 @@ +{{% if 'debian' in product %}} +{{% set configuration_files = ["common-password"] %}} +{{% endif %}} + + + {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}} + + {{% for file in configuration_files %}} + + {{% endfor %}} + + + + {{% macro test_pwquality_enabled(path, test_ref) %}} + + + + {{% endmacro %}} + + {{% macro object_pwquality_enabled(path, test_ref) %}} + + {{{ path }}} + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + {{% endmacro %}} + + {{% for file in configuration_files %}} + {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{% endfor %}} + diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var index d955dbe9c17d..2238e4df257e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var +++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var @@ -22,3 +22,4 @@ options: cis_rhel8: YESCRYPT|SHA512 cis_rhel10: YESCRYPT|SHA512 cis_fedora: YESCRYPT|SHA512 + cis_debian13: YESCRYPT|SHA512 diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var index b6e46765560f..52a076c46313 100644 --- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var +++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var @@ -18,3 +18,4 @@ options: yescrypt: yescrypt cis_rhel8: yescrypt|sha512 cis_rhel10: yescrypt|sha512 + cis_debian13: yescrypt|sha512 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
index 03336f17073a..0b60e18bc2d9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # strategy = configure
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh
index 39767a05643b..d85a76cd1567 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh
@@ -9,3 +9,11 @@ config_file="/usr/share/pam-configs/cac_unix"
 sed -i '/pam_unix\.so/s/nullok//g' "$config_file"
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+# Fallback: remove nullok directly in case pam-auth-update was blocked
+# by local modifications to /etc/pam.d/common-*
+for pam_file in /etc/pam.d/common-password /etc/pam.d/common-auth \
+ /etc/pam.d/common-account /etc/pam.d/common-session \
+ /etc/pam.d/common-session-noninteractive; do
+ [ -f "$pam_file" ] && sed -i '/pam_unix\.so/s/\bnullok\b//g' "$pam_file"
+done
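Review bot: The fallback's `s/\bnullok\b//g` in the no_empty_passwords_unix hunk leaves a `nullok_secure` token untouched (the underscore keeps it inside one word), whereas the existing profile edit two lines above strips any `nullok` substring, so the two paths disagree on what counts as "empty passwords allowed". If Debian 13's pam_unix still honours nullok_secure, the direct-edit path would leave the weakness in place; if it no longer does, the mismatch is only confusing — worth confirming and aligning both patterns, e.g. `s/\bnullok\(_secure\)\?\b//g` in the fallback. Note also that the loop runs unconditionally after pam-auth-update rather than only when it was blocked, which is harmless because the sed is idempotent, but the `# Fallback:` comment reads as conditional; wording it `# Also strip nullok from the generated files, in case pam-auth-update refused to rewrite locally modified common-* files` would match the behaviour.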
From d066b18993a0340f59cb7c8f2f618a624abd0add Mon Sep 17 00:00:00 2001 From: Israel Villar Boillos Date: Tue, 9 Jun 2026 22:14:48 +0100 Subject: [PATCH 2/4] Consolidate per-distro OVAL files into shared.xml for two PAM rules accounts_password_pam_pwhistory_remember: merge debian.xml and ubuntu.xml into a single shared.xml covering sle12, debian, and ubuntu products. accounts_password_pam_pwquality_enabled: merge debian.xml, ubuntu.xml, and sle.xml into a single shared.xml covering debian, ubuntu, sle15, and sle16. Co-Authored-By: Claude Sonnet 4.6 --- .../oval/debian.xml | 58 ------------------- .../oval/{ubuntu.xml => shared.xml} | 0 .../oval/debian.xml | 37 ------------ .../oval/{sle.xml => shared.xml} | 2 +- .../oval/ubuntu.xml | 37 ------------ 5 files changed, 1 insertion(+), 133 deletions(-) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml rename linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/{ubuntu.xml => shared.xml} (100%) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml rename linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/{sle.xml => shared.xml} (95%) delete mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml deleted file mode 100644 index 739ade74c36e..000000000000 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml +++ /dev/null @@ -1,58 +0,0 @@ -{{% if "debian" in product %}} -{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}} -{{% endif %}} - - - - {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.", rule_title=rule_title) }}} - - - - - - - - - - - - - - - {{{ accounts_password_pam_file }}} - - 1 - - - - - ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so.*$ - - - - - - - - - - - - - - {{{ accounts_password_pam_file }}} - ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\bremember=([0-9]*)\b.*$ - 1 - - - diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml similarity index 100% rename from linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/ubuntu.xml rename to linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml deleted file mode 100644 index 860c199a4ca7..000000000000 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{% if 'debian' in product %}} -{{% set configuration_files = ["common-password"] %}} -{{% endif %}} - - - {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}} - - {{% for file in configuration_files %}} - - {{% endfor %}} - - - - {{% macro test_pwquality_enabled(path, test_ref) %}} - - - - {{% endmacro %}} - - {{% macro object_pwquality_enabled(path, test_ref) %}} - - {{{ path }}} - ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ - 1 - - {{% endmacro %}} - - {{% for file in configuration_files %}} - {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , - test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} - {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , - test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} - {{% endfor %}} - diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/sle.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml similarity index 95% rename from linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/sle.xml rename to linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml index 26121be21256..9bad5d18aa99 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/sle.xml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml 
@@ -1,4 +1,4 @@ -{{% if product in ['sle15', 'sle16'] %}} +{{% if 'debian' in product or 'ubuntu' in product or product in ['sle15', 'sle16'] %}} {{% set configuration_files = ["common-password"] %}} {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml deleted file mode 100644 index b481c3e7561a..000000000000 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/ubuntu.xml +++ /dev/null @@ -1,37 +0,0 @@ -{{% if 'ubuntu' in product %}} -{{% set configuration_files = ["common-password"] %}} -{{% endif %}} - - - {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}} - - {{% for file in configuration_files %}} - - {{% endfor %}} - - - - {{% macro test_pwquality_enabled(path, test_ref) %}} - - - - {{% endmacro %}} - - {{% macro object_pwquality_enabled(path, test_ref) %}} - - {{{ path }}} - ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ - 1 - - {{% endmacro %}} - - {{% for file in configuration_files %}} - {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , - test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} - {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , - test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} - {{% endfor %}} - From deb521fb506476ccd2c2f2c62b7bf361a75d39b0 Mon Sep 17 00:00:00 2001 
From: Israel Villar Boillos Date: Tue, 9 Jun 2026 22:23:51 +0100 Subject: [PATCH 3/4] Remove dead sle12 condition from pwhistory_remember shared.xml The sle12 condition was carried over from the original ubuntu.xml but was never reachable there (the build system only applies ubuntu.xml to ubuntu products). Keeping only debian and ubuntu which are the actual consumers. Co-Authored-By: Claude Sonnet 4.6 --- .../accounts_password_pam_pwhistory_remember/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml
index 369f632be9fa..7181996548d0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
+{{% if "debian" in product or "ubuntu" in product %}}
 {{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
 {{% endif %}}
From df71da3a40d757aa4a81dfbd301bd8db185b8320 Mon Sep 17 00:00:00 2001
From: Israel Villar Boillos Date: Fri, 12 Jun 2026 20:27:35 +0100 Subject: [PATCH 4/4] Guard OVAL def-group for debian/ubuntu/sle products only Wrap inside the existing {{% if %}} block in pwhistory_remember and pwquality_enabled shared.xml files so that products without /etc/pam.d/common-password (e.g. RHEL8/UBI8) produce empty OVAL output instead of a Jinja2 undefined-variable error. Co-Authored-By: Claude Sonnet 4.6 --- .../accounts_password_pam_pwhistory_remember/oval/shared.xml | 2 +- .../accounts_password_pam_pwquality_enabled/oval/shared.xml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml
index 7181996548d0..dbb647bad51a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/shared.xml
@@ -1,6 +1,5 @@
 {{% if "debian" in product or "ubuntu" in product %}}
 {{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
-{{% endif %}}
@@ -56,3 +55,4 @@
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
index 9bad5d18aa99..65c41013c6d3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
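Review bot: Moving the `{{% endif %}}` to the end of pwhistory_remember's shared.xml means a product that is neither debian nor ubuntu but still picks up this shared.xml gets an empty OVAL document rather than a build error, so a rule that is selected in such a profile could silently have no check at all; the commit message presents the empty output as the intended result, and the same applies to the pwquality_enabled hunk that follows. Unless the build already rejects empty OVAL output for a selected rule (not visible from this page), it would be worth stating the intended scope next to the guard, e.g. a template comment reading `shared.xml only covers pam-auth-update based products; other products must provide their own OVAL for this rule`, so the next maintainer does not mistake the silence for coverage. The context lines of the second hunk were stripped on this page, so the placement of the new `{{% endif %}}` relative to the document's closing element cannot be confirmed from here.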
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/shared.xml
@@ -1,6 +1,6 @@
 {{% if 'debian' in product or 'ubuntu' in product or product in ['sle15', 'sle16'] %}}
 {{% set configuration_files = ["common-password"] %}}
-{{% endif %}}
+
 {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}}
@@ -35,3 +35,4 @@ test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}}
 {{% endfor %}}
+{{% endif %}}