Merge pull request ComplianceAsCode#11061 from dexterle/add-rule-ubtu…

…-20-010463 Add UBTU-20-010463 to ensure system does not allow accounts configure…
rumch-se · Sep 13, 2023 · f93f87d · f93f87d
2 parents 6c0bb44 + c0499cb
commit f93f87d
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 10 deletions.
diff --git a/...tem/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml b/...tem/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
@@ -1,8 +1,14 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium
+{{% if 'ubuntu' in product %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-password']" %}}
+{{% else %}}
+{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
+{{% endif %}}
+
 - name: '{{{ rule_title }}} - Check if system relies on authselect'
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -18,8 +24,6 @@
   ansible.builtin.replace:
     dest: "{{ item }}"
     regexp: 'nullok'
-  loop:
-    - /etc/pam.d/system-auth
-    - /etc/pam.d/password-auth
+  loop: {{{ pam_config_paths }}}
   when:
     - not result_authselect_present.stat.exists
diff --git a/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low
@@ -10,6 +10,11 @@ NULLOK_FILES=$(grep -rl ".*pam_unix\\.so.*nullok.*" ${PAM_PATH})
 for FILE in ${NULLOK_FILES}; do
    sed --follow-symlinks -i 's/\<nullok\>//g' ${FILE}
 done
+{{% elif 'ubuntu' in product %}}
+COMMON_PASSWORD_PATH="/etc/pam.d/common-password"
+if grep -l "nullok.*" ${COMMON_PASSWORD_PATH}; then
+    sed -i 's/nullok.*//g' ${COMMON_PASSWORD_PATH}
+fi
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then
     {{{ bash_enable_authselect_feature('without-nullok') }}}

diff --git a/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
@@ -14,6 +14,8 @@
   <ind:textfilecontent54_object id="object_no_empty_passwords" version="1">
 {{% if product in ['sle12', 'sle15'] %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/.*$</ind:filepath>
+{{% elif 'ubuntu' in product %}}
+    <ind:filepath operation="pattern match">^/etc/pam.d/common-password</ind:filepath>
 {{% else %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/(system|password)-auth$</ind:filepath>
 {{% endif %}}

diff --git a/.../guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/.../guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -9,6 +9,8 @@ description: |-
     <tt>nullok</tt> in
     {{% if product in ["sle12", "sle15"] %}}
     password authentication configurations in <tt>/etc/pam.d/</tt>
+    {{% elif 'ubuntu' in product %}}
+    <tt>/etc/pam.d/common-password</tt>
     {{% else %}}
     <tt>/etc/pam.d/system-auth</tt> and
     <tt>/etc/pam.d/password-auth</tt>
@@ -57,13 +59,16 @@ references:
     stigid@rhel8: RHEL-08-020331,RHEL-08-020332
     stigid@sle12: SLES-12-010231
     stigid@sle15: SLES-15-020300
+    stigid@ubuntu2004: UBTU-20-010463
 
 ocil_clause: 'NULL passwords can be used'
 
 ocil: |-
     To verify that null passwords cannot be used, run the following command:
     {{% if product in ["sle12", "sle15"] %}}
     <pre>$ grep pam_unix.so /etc/pam.d/* | grep nullok</pre>
+    {{% elif 'ubuntu' in product %}}
+    <pre>grep nullok /etc/pam.d/common-password</pre>
     {{% else %}}
     <pre>$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
     {{% endif %}}
@@ -72,17 +77,21 @@ ocil: |-
     prevent logins with empty passwords.
 
 fixtext: |-
-    Configure {{{ full_name }}} in the system-auth and password-auth files to not allow null
+    Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-password file {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null
     passwords.
-
+    {{% if 'ubuntu' in product %}}
+    Remove any instances of the "nullok" option in "/etc/pam.d/common-password"
+    {{% else %}}
     Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" and
-    "/etc/pam.d/password-auth" files to prevent logons with empty passwords.
+    "/etc/pam.d/password-auth" files 
+    {{% endif %}} 
+    to prevent logons with empty passwords.
 
     Note: Manual changes to the listed file may be overwritten by the "authselect" program.
 
 srg_requirement: |-
-    '{{{ full_name }}} must not allow blank or null passwords in the system-auth file nor
-    password-auth.'
+    '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-password file.{{% else %}} system-auth file nor
+    password-auth. {{% endif %}}'
 
 warnings:
     - general: |-

diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
@@ -596,3 +596,6 @@ selections:
 
     # UBTU-20-010461 The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.
     - kernel_module_usb-storage_disabled
+
+    # UBTU-20-010463 The Ubuntu operating system must not allow accounts configured with blank or null passwords.
+    - no_empty_passwords