Merge pull request #14222 from jan-cerny/accounts_password_pam_unix_enabled

Add accounts_password_pam_unix_enabled to RHEL 10 CIS

Author: Mab879

controls/cis_rhel10.yml

@@ -1930,13 +1930,11 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: partial
-      notes: |-
-          This module is always present by default. It is necessary to investigate if a new rule to
-          check its existence needs to be created. But so far the rule no_empty_passwords, used in
-          5.3.3.4 can ensure this requirement is attended.
+      status: automated
       related_rules:
           - no_empty_passwords
+      rules:
+          - accounts_password_pam_unix_enabled
 
     - id: 5.3.2.1.1
       title: Ensure password failed attempts lockout is configured (Automated)

linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/oval/shared.xml

@@ -1,36 +1,52 @@
-{{% set file_stem = ["auth","account","password","session"] %}}
+{{% if product == "rhel10" %}}
+{{% set pam_files = ["password-auth", "system-auth"] %}}
+{{% else %}}
+{{% set pam_files = ["common"] %}}
+{{% endif %}}
+{{% set pam_sections = ["auth","account","password","session"] %}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
   {{{ oval_metadata("Ensure pam_unix.so is properly configured in PAM configuration files", rule_title=rule_title) }}}
-    <criteria operator="AND" comment="Check if pam_unix.so is properly defined in all PAM files">      
-      {{% for stem in file_stem %}}
-      <criterion test_ref="test_pam_unix_common_{{{ stem }}}"
-          comment="pam_unix has correctly set in common-{{{ stem }}}"/>
+    <criteria operator="AND" comment="Check if pam_unix.so is properly defined in all PAM files">
+      {{% for pam_file in pam_files %}}
+        {{% for pam_section in pam_sections %}}
+          <criterion test_ref="test_pam_unix_{{{ pam_file }}}_{{{ pam_section }}}" comment="pam_unix is configured in {{{ pam_section }}} section in {{{ pam_file }}}" />
+        {{% endfor %}}
       {{% endfor %}}
     </criteria>
   </definition>
 
   <!-- Check occurrences of pam_unix.so in common-{auth,account,password} file -->
-  {{% macro test_pam_unix(stem) %}}
-  <ind:textfilecontent54_test check="all" id="test_pam_unix_common_{{{ stem }}}" version="1"
+  {{% macro test_pam_unix(full_path, pam_file, pam_section) %}}
+  <ind:textfilecontent54_test check="all" id="test_pam_unix_{{{ pam_file }}}_{{{ pam_section }}}" version="1"
         check_existence="only_one_exists"
-        comment="No more than one pam_unix.so is expected in {{{ stem }}} section of /etc/pam.d/common-{{{ stem }}}">
-    <ind:object object_ref="obj_pam_unix_common_{{{ stem }}}" />
+        comment="No more than one pam_unix.so is expected in {{{ pam_section }}} section of {{{ full_path }}}">
+    <ind:object object_ref="obj_pam_unix_{{{ pam_file }}}_{{{ pam_section }}}" />
   </ind:textfilecontent54_test>
   {{% endmacro %}}
 
-  {{% macro object_pam_unix(stem) %}}
-  <ind:textfilecontent54_object id="obj_pam_unix_common_{{{ stem }}}" version="1"
-        comment="Get the occurrences of pam_unix.so in {{{ stem }}} section of /etc/pam.d/common-{{{ stem }}}">
-    <ind:filepath>/etc/pam.d/common-{{{ stem }}}</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*{{{stem}}}[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$</ind:pattern>
+  {{% macro object_pam_unix(full_path, pam_file, pam_section) %}}
+  <ind:textfilecontent54_object id="obj_pam_unix_{{{ pam_file }}}_{{{ pam_section }}}" version="1"
+        comment="Get the occurrences of pam_unix.so in {{{ pam_section }}} section of {{{ full_path }}}">
+    <ind:filepath>{{{ full_path }}}</ind:filepath>
+{{% if product == "rhel10" %}}
+    <ind:pattern operation="pattern match">^[\s]*{{{ pam_section }}}[\s]+(required|sufficient)[\s]+pam_unix\.so.*$</ind:pattern>
+{{% else %}}
+    <ind:pattern operation="pattern match">^[\s]*{{{ pam_section }}}[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$</ind:pattern>
+{{% endif %}}
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
   {{% endmacro %}}
 
-  {{% for file in file_stem %}}
-  {{{ test_pam_unix(stem=file) }}}
-  {{{ object_pam_unix(stem=file) }}}
+  {{% for pam_file in pam_files %}}
+    {{% for pam_section in pam_sections %}}
+      {{% if product == "rhel10" %}}
+        {{% set full_path = "/etc/pam.d/" + pam_file %}}
+      {{% else %}}
+        {{% set full_path = "/etc/pam.d/" + pam_file + "-" + pam_section %}}
+      {{% endif %}}
+      {{{ test_pam_unix(full_path, pam_file, pam_section) }}}
+      {{{ object_pam_unix(full_path, pam_file, pam_section) }}}
+    {{% endfor %}}
   {{% endfor %}}
-
 </def-group>

linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml

@@ -25,6 +25,15 @@ description: |-
 rationale: |-
     The system should only provide access after performing authentication of a user.
 
+identifiers:
+    cce@rhel10: CCE-87536-9
+
 severity: medium
 
 platform: package[pam]
+
+{{% if product == "rhel10" %}}
+warnings:
+    - general: |-
+        Automated remediation of this rule isn't available, you should use authselect to manage PAM settings.
+{{% endif %}}

linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/tests/correct.pass.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_rhel
+
+# Ensure pam_unix.so is present in all sections of both PAM files
+for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
+    {{{ bash_ensure_pam_module_line("$pam_file", "auth", "sufficient", "pam_unix.so") }}}
+    {{{ bash_ensure_pam_module_line("$pam_file", "account", "required", "pam_unix.so") }}}
+    {{{ bash_ensure_pam_module_line("$pam_file", "password", "sufficient", "pam_unix.so") }}}
+    {{{ bash_ensure_pam_module_line("$pam_file", "session", "required", "pam_unix.so") }}}
+done

shared/references/cce-redhat-avail.txt

@@ -469,7 +469,6 @@ CCE-87529-4
 CCE-87530-2
 CCE-87532-8
 CCE-87533-6
-CCE-87536-9
 CCE-87537-7
 CCE-87538-5
 CCE-87539-3

tests/data/profile_stability/rhel10/cis.profile

@@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing

tests/data/profile_stability/rhel10/cis_server_l1.profile

@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing

tests/data/profile_stability/rhel10/cis_workstation_l1.profile

@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_warn_age_existing

tests/data/profile_stability/rhel10/cis_workstation_l2.profile

@@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok
 accounts_password_pam_pwquality_password_auth
 accounts_password_pam_pwquality_system_auth
 accounts_password_pam_unix_authtok
+accounts_password_pam_unix_enabled
 accounts_password_pam_unix_no_remember
 accounts_password_set_max_life_existing
 accounts_password_set_min_life_existing