Merge pull request #11282 from mpurg/fix_no_empty_passwords

Fix and modify UBTU-20-010463 (no_empty_passwords)
ComplianceAsCode · Nov 21, 2023 · a195365 · a195365
2 parents 117b7be + eed70c3
commit a195365
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 11 deletions.
diff --git a/...tem/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml b/...tem/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = medium
 {{% if 'ubuntu' in product %}}
-{{%- set pam_config_paths = "['/etc/pam.d/common-password']" %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-password', '/etc/pam.d/common-auth']" %}}
 {{% else %}}
 {{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
 {{% endif %}}

diff --git a/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -11,10 +11,9 @@ for FILE in ${NULLOK_FILES}; do
    sed --follow-symlinks -i 's/\<nullok\>//g' ${FILE}
 done
 {{% elif 'ubuntu' in product %}}
-COMMON_PASSWORD_PATH="/etc/pam.d/common-password"
-if grep -l "nullok.*" ${COMMON_PASSWORD_PATH}; then
-    sed -i 's/nullok.*//g' ${COMMON_PASSWORD_PATH}
-fi
+for FILE in "/etc/pam.d/common-auth" "/etc/pam.d/common-password"; do
+    sed -i 's/\(.*pam_unix\.so.*\)\s\<nullok\>\(.*\)/\1\2/g' ${FILE}
+done
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then
     {{{ bash_enable_authselect_feature('without-nullok') }}}

diff --git a/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
@@ -15,7 +15,7 @@
 {{% if product in ['sle12', 'sle15'] %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/.*$</ind:filepath>
 {{% elif 'ubuntu' in product %}}
-    <ind:filepath operation="pattern match">^/etc/pam.d/common-password</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/pam.d/common-(auth|password)</ind:filepath>
 {{% else %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/(system|password)-auth$</ind:filepath>
 {{% endif %}}

diff --git a/...ccounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/...ccounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
@@ -1,5 +1,10 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
 
+{{% if 'ubuntu' in product %}}
+sed -i --follow-symlinks '/nullok/d' /etc/pam.d/common-auth
+sed -i --follow-symlinks '/nullok/d' /etc/pam.d/common-password
+{{% else %}}
 sed -i --follow-symlinks '/nullok/d' /etc/pam.d/system-auth
 sed -i --follow-symlinks '/nullok/d' /etc/pam.d/password-auth
+{{% endif %}}
diff --git a/...ts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh b/...ts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh
@@ -1,8 +1,17 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
 
+{{% if 'ubuntu' in product %}}
+for FILE in "/etc/pam.d/common-auth" "/etc/pam.d/common-password"; do
+    if ! grep -q "^[^#].*pam_unix\.so.*nullok" ${FILE}; then
+        sed -i 's/\([\s]pam_unix\.so\)/\1 nullok/g' ${FILE}
+    fi
+done
+{{% else %}}
 SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
 
 if ! $(grep -q "^[^#].*pam_unix\.so.*nullok" $SYSTEM_AUTH_FILE); then
     sed -i --follow-symlinks 's/\([\s].*pam_unix\.so.*\)\s\(try_first_pass.*\)/\1nullok \2/' $SYSTEM_AUTH_FILE
 fi
+{{% endif %}}
+
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
@@ -591,11 +591,11 @@ selections:
     - disable_ctrlaltdel_reboot
     - disable_ctrlaltdel_burstaction
 
-    # UBTU-20-010462 The Ubuntu operating system must not have accounts configured with blank or null passwords.
-    - no_empty_passwords_etc_shadow
-
     # UBTU-20-010461 The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.
     - kernel_module_usb-storage_disabled
 
+    # UBTU-20-010462 The Ubuntu operating system must not have accounts configured with blank or null passwords.
+    - no_empty_passwords_etc_shadow
+
     # UBTU-20-010463 The Ubuntu operating system must not allow accounts configured with blank or null passwords.
     - no_empty_passwords