@@ -1,4 +1,4 @@
# platform = multi_platform_ubuntu
# platform = multi_platform_ubuntu,multi_platform_debian

{{% if 'ubuntu' in product or 'debian' in product %}}
{{{ bash_pam_unix_enable() }}}
@@ -1,3 +1,3 @@
# platform = multi_platform_ubuntu
# platform = multi_platform_ubuntu,multi_platform_debian

{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
@@ -0,0 +1,21 @@
# platform = multi_platform_debian

{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}

{{{ bash_instantiate_variables("var_password_pam_remember") }}}

sed -i -E '/^Password:/,/^[^[:space:]]/ {
/pam_pwhistory\.so/ {
s/\s*remember=[^[:space:]]*//g
s/$/ remember='"$var_password_pam_remember"'/g
}
}' /usr/share/pam-configs/cac_pwhistory

sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
/pam_pwhistory\.so/ {
s/\s*remember=[^[:space:]]*//g
s/$/ remember='"$var_password_pam_remember"'/g
}
}' /usr/share/pam-configs/cac_pwhistory

DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
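Review bot: The closing `pam-auth-update --enable cac_pwhistory` call is the only step that carries the `remember=` edit from /usr/share/pam-configs/cac_pwhistory into the live PAM stack, and nothing checks that it took effect. The nullok remediation later in this change adds a fallback precisely because pam-auth-update can be blocked by local modifications to /etc/pam.d/common-*; in that situation this script would presumably finish without /etc/pam.d/common-password gaining the option. A post-check after the call, for example `grep -qE 'pam_pwhistory\.so.*\bremember=' /etc/pam.d/common-password || exit 1`, would make that failure visible instead of silent. The same applies to the other two new Debian remediations, which end in `pam-auth-update --enable cac_pwhistory` and `pam-auth-update --remove unix --enable cac_unix`.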
@@ -1,6 +1,5 @@
{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
{{% if "debian" in product or "ubuntu" in product %}}
{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
{{% endif %}}

<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="2">
@@ -56,3 +55,4 @@
</ind:textfilecontent54_object>

</def-group>
{{% endif %}}
@@ -0,0 +1,13 @@
# platform = multi_platform_debian

{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
conf_file=/usr/share/pam-configs/cac_pwhistory
if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"; then
sed -i -E '/^Password:/,/^[^[:space:]]/ {
/pam_pwhistory\.so/ {
s/$/ use_authtok/g
}
}' "$conf_file"
fi

DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
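Review bot: The `grep` guard matches any `pam_pwhistory.so` line in the file, while the `sed` it protects only edits the `Password:` block. If `use_authtok` is already present on the module line of another block (the same profile also has a `Password-Initial:` block, which the remember remediation edits), the guard succeeds and the `Password:` line is left without the option. Dropping the `if` and making the substitution conditional per line, `/use_authtok/! s/$/ use_authtok/`, as the new pam_unix remediation in this change does, keeps the check and the edit on the same scope.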
@@ -0,0 +1,12 @@
# platform = multi_platform_debian

config_file="/usr/share/pam-configs/cac_unix"
{{{ bash_pam_unix_enable() }}}
sed -i -E '/^Password:/,/^[^[:space:]]/ {
/pam_unix\.so/ {
/use_authtok/! s/$/ use_authtok/g
}
}' "$config_file"


DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix
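Review bot: The last line replaces the `unix` profile with `cac_unix` via `--remove unix --enable cac_unix`, but nothing in the script says why the `unix` profile has to go, and that is the one step here whose effect reaches beyond adding `use_authtok`. A short comment above it would help, e.g. `# Disable the packaged unix profile so only cac_unix supplies the pam_unix.so lines`. That wording is inferred from the command and should be confirmed against what `bash_pam_unix_enable()` actually sets up.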
@@ -1,3 +1,3 @@
# platform = multi_platform_ubuntu
# platform = multi_platform_ubuntu,multi_platform_debian

{{{ bash_pam_faillock_enable() }}}
@@ -1,6 +1,6 @@
{{% if product in ['sle15', 'sle16'] %}}
{{% if 'debian' in product or 'ubuntu' in product or product in ['sle15', 'sle16'] %}}
{{% set configuration_files = ["common-password"] %}}
{{% endif %}}

<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="2">
{{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}}
@@ -35,3 +35,4 @@
test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}}
{{% endfor %}}
</def-group>
{{% endif %}}

This file was deleted.

@@ -22,3 +22,4 @@ options:
cis_rhel8: YESCRYPT|SHA512
cis_rhel10: YESCRYPT|SHA512
cis_fedora: YESCRYPT|SHA512
cis_debian13: YESCRYPT|SHA512
@@ -18,3 +18,4 @@ options:
yescrypt: yescrypt
cis_rhel8: yescrypt|sha512
cis_rhel10: yescrypt|sha512
cis_debian13: yescrypt|sha512
@@ -1,4 +1,4 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_debian
# reboot = false
# strategy = configure
# complexity = low
@@ -9,3 +9,11 @@ config_file="/usr/share/pam-configs/cac_unix"
sed -i '/pam_unix\.so/s/nullok//g' "$config_file"

DEBIAN_FRONTEND=noninteractive pam-auth-update

# Fallback: remove nullok directly in case pam-auth-update was blocked
# by local modifications to /etc/pam.d/common-*
for pam_file in /etc/pam.d/common-password /etc/pam.d/common-auth \
/etc/pam.d/common-account /etc/pam.d/common-session \
/etc/pam.d/common-session-noninteractive; do
[ -f "$pam_file" ] && sed -i '/pam_unix\.so/s/\bnullok\b//g' "$pam_file"
done
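Review bot: `[ -f "$pam_file" ] && sed ...` returns non-zero when the file is absent, and the loop looks like the last statement of the script, so a missing /etc/pam.d/common-session-noninteractive would make the whole remediation exit with status 1 even though nothing went wrong. Writing the loop body as `if [ -f "$pam_file" ]; then sed -i '/pam_unix\.so/s/\bnullok\b//g' "$pam_file"; fi` avoids reporting a false failure. Whether the script really ends at `done` is not visible past this hunk.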