diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
index 29bfc7be7d2..d9f12fbe2d7 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
{{{ bash_fix_audit_watch_rule("auditctl", "/sbin/insmod", "x", "modules") }}}
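Review bot: Adding Debian to the platform line makes the watch rule on `/sbin/insmod` apply to a distribution that installs with merged /usr (where `/sbin` is a symlink into `usr/sbin`) and ships insmod as a symlink to kmod, so it is worth confirming on a Debian 12 host that the rule written by `bash_fix_audit_watch_rule` actually triggers and that the corresponding OVAL check accepts the path as written. The modprobe and rmmod shared.sh hunks in this commit make the same change and carry the same caveat. The macro call itself is not altered by the commit.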
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
index ed9771d0dfd..59dbba17482 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_ubuntu,multi_platform_debian
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
{{{ bash_fix_audit_watch_rule("auditctl", "/sbin/modprobe", "x", "modules") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
index bf0a58b4336..afade41bccb 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
{{{ bash_fix_audit_watch_rule("auditctl", "/sbin/rmmod", "x", "modules") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 035ad30cef6..386996adf55 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
{{%- set perm_x="-F perm=x " %}}
{{%- endif %}}
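Review bot: The new `"debian12"` entry hard-codes a single product id in a literal list, whereas the other hunks in this commit gate Debian with the substring test `"debian" in product` (the pam_unix_remember files and the faillock rule.yml), so a later Debian release would silently lose `-F perm=x` here while picking up the rest of the Debian handling. Consider `{{%- if product in [...] or "debian" in product %}}` or sourcing the list from wherever the other entries are maintained, so the two gating styles stay consistent. The fourth line of this `@@ -1,4 +1,4 @@` hunk is not visible, so the block may continue past what is shown.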
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 10bac615f95..9203aa90bcb 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -36,6 +36,7 @@ template:
name: package_removed
vars:
pkgname: ypbind
+ pkgname@debian12: ypbind-mt
{{% if product in ["rhel9"] %}}
warnings:
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
index 658f8a3e475..be1d7c5e0f2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -1,21 +1,69 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium
-{{% if product in [ "sle12", "sle15" ] %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "ubuntu" in product or "debian" in product %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
+{{% set group='password' %}}
+{{% set control='\[success=[A-Za-z0-9].*\]' %}}
+{{% set module='pam_unix.so' %}}
+{{% set option='remember' %}}
+{{% set value='{{ var_password_pam_unix_remember }}' %}}
+{{% elif product in [ "sle12", "sle15" ] %}}
+{{% set pam_file='/etc/pam.d/common-password' %}}
{{% else %}}
-{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
+{{% set pam_file='/etc/pam.d/system-auth' %}}
{{% endif %}}
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "ubuntu" in product or "debian" in product %}}
+
+# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
+# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
+# Here we adapt the code to allow using regex on the control field.
+
+- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
+ ansible.builtin.lineinfile:
+ path: "{{{ pam_file }}}"
+ regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_{{{ option }}}_option_present
+
+- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
+ ansible.builtin.lineinfile:
+ path: "{{{ pam_file }}}"
+ backrefs: true
+ regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
+ line: \1 {{{ option }}}={{{ value }}}
+ state: present
+ register: result_pam_{{{ option }}}_add
+ when:
+ - result_pam_module_{{{ option }}}_option_present.found == 0
-{{{ ansible_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
+- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
+ ansible.builtin.lineinfile:
+ path: "{{{ pam_file }}}"
+ backrefs: true
+ regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
+ line: \1\2={{{ value }}} \3
+ register: result_pam_{{{ option }}}_edit
+ when:
+ - result_pam_module_{{{ option }}}_option_present.found > 0
+
+
+{{% else %}}
+
+{{{ ansible_pam_pwhistory_enable(pam_file,
'requisite',
'^password.*requisite.*pam_pwquality\.so') }}}
-{{{ ansible_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
+{{{ ansible_pam_pwhistory_parameter_value(pam_file,
'remember',
'{{ var_password_pam_unix_remember }}') }}}
+
+{{% endif %}}
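Review bot: Switching `# platform` to `multi_platform_all` widens this remediation to every product, but only Ubuntu/Debian and SLE are routed to `/etc/pam.d/common-password`; everything else falls through to the `system-auth` branch and the pwhistory macros, which the old platform line restricted to RHEL-family, Fedora, OL, RHV and SLE. Unless every remaining product is known to use `system-auth`, keep an explicit platform list or guard the `else` branch so unhandled products fail visibly instead of editing a file that may not exist. The bash shared.sh hunk further down makes the identical `multi_platform_all` change and shares this concern. Separately, the copied lineinfile tasks interpolate `module` (`pam_unix.so`) into `regexp` unescaped, so the dot matches any character; this predates the commit via the deleted ubuntu.yml, but `{{% set module='pam_unix\.so' %}}` would make the match exact if the value is only ever used in regexps.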
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
deleted file mode 100644
index 1532858150a..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/ubuntu.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-# platform = multi_platform_ubuntu
-# reboot = false
-# strategy = configure
-# complexity = low
-# disruption = medium
-
-{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
-
-# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
-# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
-# Here we adapt the code to allow using regex on the control field.
-
-{{% set pam_file='/etc/pam.d/common-password' %}}
-{{% set group='password' %}}
-{{% set control='\[success=[A-Za-z0-9].*\]' %}}
-{{% set module='pam_unix.so' %}}
-{{% set option='remember' %}}
-{{% set value='{{ var_password_pam_unix_remember }}' %}}
-
-- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
- state: absent
- check_mode: true
- changed_when: false
- register: result_pam_module_{{{ option }}}_option_present
-
-- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- backrefs: true
- regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
- line: \1 {{{ option }}}={{{ value }}}
- state: present
- register: result_pam_{{{ option }}}_add
- when:
- - result_pam_module_{{{ option }}}_option_present.found == 0
-
-- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
- ansible.builtin.lineinfile:
- path: "{{{ pam_file }}}"
- backrefs: true
- regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
- line: \1\2={{{ value }}} \3
- register: result_pam_{{{ option }}}_edit
- when:
- - result_pam_module_{{{ option }}}_option_present.found > 0
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
index c830c07aa2e..d012e29c415 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -1,12 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
-{{% if product in [ "sle12", "sle15" ] %}}
+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+
+{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
{{% else %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
{{% endif %}}
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
+{{% if "debian" in product or "ubuntu" in product %}}
+
+{{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
+
+{{% else %}}
{{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
'requisite',
@@ -15,3 +21,6 @@
{{{ bash_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
'remember',
"$var_password_pam_unix_remember") }}}
+
+{{% endif %}}
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
deleted file mode 100644
index dedfc48a1e9..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/ubuntu.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_ubuntu
-
-{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
-
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
index eae79c23ea6..945e014deb0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if product in [ "sle12", "sle15" ] or "debian" in product or "ubuntu" in product %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
{{% else %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
@@ -9,150 +9,154 @@
{{{ oval_metadata("The passwords to remember should be set correctly.") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ comment="Remember parameter of pam_unix.so is properly configured"/>
+
+
+ check="all" version="1" comment="Check pam_pwhistory.so presence in PAM file">
+ version="1">
{{{ accounts_password_pam_unix_remember_file }}}
+ var_check="at least one" operation="pattern match"/>
1
+ id="test_accounts_password_pam_unix_remember_pamd" check="all" version="1"
+ comment="Check remember parameter is present and correct in PAM file">
+ id="object_accounts_password_pam_unix_remember_pamd" version="1">
{{{ accounts_password_pam_unix_remember_file }}}
+ var_ref="var_accounts_password_pam_unix_remember_pam_param_regex"/>
1
+ id="state_accounts_password_pam_unix_remember" version="1">
+ var_ref="var_password_pam_unix_remember"/>
+ datatype="int" comment="number of passwords that should be remembered"/>
+
+ id="test_accounts_password_pam_unix_remember_no_pwhistory_conf"
+ comment="Check the absence of remember parameter in /etc/security/pwhistory.conf">
+ object_ref="object_accounts_password_pam_unix_remember_param_conf"/>
+ id="object_accounts_password_pam_unix_remember_param_conf" version="1"
+ comment="Collect the pam_pwhistory.so remember parameter from /etc/security/pwhistory.conf">
^/etc/security/pwhistory.conf$
+ var_ref="var_accounts_password_pam_unix_remember_conf_param_regex"/>
1
+ id="test_accounts_password_pam_unix_remember_no_pamd" version="1"
+ check="all" check_existence="none_exist"
+ comment="Check remember parameter is absent in PAM file">
+ id="test_accounts_password_pam_unix_remember_pwhistory_conf" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check remember parameter is present and correct in /etc/security/pwhistory.conf">
+ datatype="string" version="1"
+ comment="The regex is to confirm the pam_pwhistory.so module is enabled">
^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*$
+ datatype="string" version="1"
+ comment="The regex is to collect the pam_pwhistory.so remember paramerter from PAM files">
^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$
+ datatype="string" version="1"
+ comment="The regex is to collect the pam_pwhistory.so remember paramerter in pwhistory.conf">
^\s*remember\s*=\s*([0-9]+)
+ check="all" check_existence="all_exist"
+ comment="Test if remember attribute of pam_unix.so is set correctly in {{{ accounts_password_pam_unix_remember_file }}}">
- /etc/pam.d/system-auth
- ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$
+ {{{ accounts_password_pam_unix_remember_file }}}
+ ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so.*remember=([0-9]*).*$
1
+
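Review bot: The broadened control-field alternative `(?:\[.*\])` in the pam_unix.so pattern accepts any bracketed control, while the remediations in this commit only handle `[success=...]` (ansible `\[success=[A-Za-z0-9].*\]`, bash `\[success=[[:alnum:]].*\]`), so a line such as `password [default=ignore] pam_unix.so remember=5` would pass the check yet be left untouched by the fix; narrowing the OVAL side to `(?:\[success=[^\]]*\])` would keep check and fix in agreement. The `([0-9]*)` capture also admits an empty value for a bare `remember=`, whereas the pwhistory.conf pattern above uses `([0-9]+)`. The surrounding XML element tags appear to have been lost in extraction, so the object/state/variable wiring of this hunk could not be reviewed.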
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml
deleted file mode 100644
index 13ca8a977b7..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/ubuntu.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-
- {{{ oval_metadata("The passwords to remember should be set correctly.") }}}
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/pam.d/common-password
- ^\s*password\s+\[.*\]\s+pam_unix\.so.*remember=([0-9]*).*$
- 1
-
-
-
-
-
-
-
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
index 3b8210eaea5..99fb2b5abfa 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'Limit Password Reuse'
-{{% if 'ubuntu' not in product %}}
+{{% if 'ubuntu' not in product and 'debian' not in product %}}
{{% set configFile = "/etc/pam.d/system-auth" %}}
{{% else %}}
{{% set configFile = "/etc/pam.d/common-password" %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
deleted file mode 100644
index 8ab749d4f7c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("deny", "var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
deleted file mode 100644
index 449d912d0dd..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
deleted file mode 100644
index 0abb80d8d5d..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
+++ /dev/null
@@ -1,291 +0,0 @@
-
-
- {{{ oval_metadata("Lockout account after failed login attempts") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^[\s]*auth\N+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
-
-
-
- ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so
-
-
-
- ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
-
-
-
- ^[\s]*deny[\s]*=[\s]*([0-9]+)
-
-
-
-
- ^/etc/pam.d/system-auth$
-
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 0
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/security/faillock.conf$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
deleted file mode 100644
index 4c3b56ba06c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
+++ /dev/null
@@ -1,291 +0,0 @@
-
-
- {{{ oval_metadata("Lockout account after failed login attempts") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^[\s]*auth\N+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
-
-
-
- ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
-
-
-
- ^[\s]*deny[\s]*=[\s]*([0-9]+)
-
-
-
-
- ^/etc/pam.d/system-auth$
-
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 0
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/security/faillock.conf$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml
deleted file mode 100644
index 443a85b2934..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml
+++ /dev/null
@@ -1,201 +0,0 @@
-{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}}
-{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}}
-{{# The rules should ideally use a single template. #}}
-
-{{% set prm_name = "deny" %}}
-{{% set prm_regex_conf = "^[\s]*deny[\s]*=[\s]*([0-9]+)" %}}
-{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)" %}}
-{{% set ext_variable = "var_accounts_passwords_pam_faillock_deny" %}}
-{{% set description = "Lockout account after failed login attempts." %}}
-
-
-
- {{{ oval_metadata(description) }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^\s*auth.*pam_unix\.so
-
-
-
- ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc
-
-
-
- ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$
-
-
-
- {{{ prm_regex_pamd }}}
-
-
-
- {{{ prm_regex_conf }}}
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
- /etc/pam.d/common-account
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
- 0
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/security/faillock.conf
-
- 1
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
index 41fba880482..dd724d1625d 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -19,7 +19,7 @@ description: |-
Where count should be less than or equal to
{{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} and greater than 0.
{{% endif %}}
- {{% if 'ubuntu' not in product %}}
+ {{% if 'ubuntu' not in product and 'debian' not in product %}}
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
@@ -95,7 +95,7 @@ fixtext: |-
edit the deny parameter in the following line after the pam_unix.so
statement in the auth section, like this:
auth required pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
- {{% elif 'ubuntu' in product %}}
+ {{% elif 'ubuntu' in product or 'debian' in product %}}
Edit /etc/pam.d/common-auth and ensure that faillock is configured.
The pam_faillock.so lines surround the pam_unix.so line. The comment
"Added to enable faillock" is shown to highlight the additional lines
@@ -129,3 +129,14 @@ warnings:
srg_requirement: |-
{{{ full_name }}} must automatically lock an account when three unsuccessful logon attempts occur.
+
+template:
+ name: pam_account_password_faillock
+ vars:
+ prm_name: deny
+ prm_regex_conf: ^[\s]*deny[\s]*=[\s]*([0-9]+)
+ prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
+ ext_variable: var_accounts_passwords_pam_faillock_deny
+ description: Lockout account after failed login attempts.
+ variable_upper_bound: use_ext_variable
+ variable_lower_bound: 0
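Review bot: `variable_lower_bound: 0` is handed to the new `pam_account_password_faillock` template while the description in this file says the count must be greater than 0; whether the template treats the bound as inclusive is not visible here, so confirm that `deny=0` is rejected rather than accepted. `prm_regex_pamd` leaves the dot in `pam_faillock.so` unescaped; the deleted OVALs' parameter regex had the same form, but the escaped `prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock\.so[\s]+[^\n]*deny=([0-9]+)` is the exact match and this move into template vars is the natural place to fix it. The deleted oval/openeuler.xml also carried a looser control-field pattern than oval/shared.xml did; whether the template preserves that per-product variant cannot be seen from this diff.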
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
deleted file mode 100644
index 039fc519182..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("fail_interval", "var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
deleted file mode 100644
index e7a0882f25c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
deleted file mode 100644
index 1e22214cf84..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
+++ /dev/null
@@ -1,285 +0,0 @@
-
-
- {{{ oval_metadata("The number of allowed failed logins should be set correctly.") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^[\s]*auth\N+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
-
-
-
- ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
-
-
-
- ^[\s]*fail_interval[\s]*=[\s]*([0-9]+)
-
-
-
-
- ^/etc/pam.d/system-auth$
-
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/security/faillock.conf$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml
deleted file mode 100644
index 02a8568e010..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml
+++ /dev/null
@@ -1,195 +0,0 @@
-{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}}
-{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}}
-{{# The rules should ideally use a single template. #}}
-
-{{% set prm_name = "fail_interval" %}}
-{{% set prm_regex_conf = "^[\s]*fail_interval[\s]*=[\s]*([0-9]+)" %}}
-{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)" %}}
-{{% set ext_variable = "var_accounts_passwords_pam_faillock_fail_interval" %}}
-{{% set description = "The number of allowed failed logins should be set correctly." %}}
-
-
-
- {{{ oval_metadata(description) }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^\s*auth.*pam_unix\.so
-
-
-
- ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc
-
-
-
- ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$
-
-
-
- {{{ prm_regex_pamd }}}
-
-
-
- {{{ prm_regex_conf }}}
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
- /etc/pam.d/common-account
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/security/faillock.conf
-
- 1
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
index f4e2cc50c93..7d785f2d9a3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -17,7 +17,7 @@ description: |-
Ensure that the file /etc/security/faillock.conf contains the following entry:
fail_interval = <interval-in-seconds> where interval-in-seconds is {{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}} or greater.
{{% endif %}}
- {{% if 'ubuntu' not in product %}}
+ {{% if 'ubuntu' not in product and 'debian' not in product %}}
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
@@ -120,3 +120,13 @@ warnings:
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file.
+
+template:
+ name: pam_account_password_faillock
+ vars:
+ prm_name: fail_interval
+ prm_regex_conf: ^[\s]*fail_interval[\s]*=[\s]*([0-9]+)
+ prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)
+ ext_variable: var_accounts_passwords_pam_faillock_fail_interval
+ description: The number of allowed failed logins should be set correctly.
+ variable_lower_bound: use_ext_variable
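Review bot: The `description` value in the new template block describes the deny count, not this rule's parameter: `fail_interval` is the window in which failed logins are counted, so `The number of allowed failed logins should be set correctly.` reads like a copy-over from the sibling rule (the deleted OVAL carried the same text). Suggest `description: The interval in which consecutive failed logins are counted should be set correctly.` Separately, `prm_regex_pamd` leaves the dot in `pam_faillock.so` unescaped while the same regex escapes it elsewhere in this diff; `pam_faillock\.so` keeps the pattern precise, and the same applies to the `prm_regex_pamd` line of the unlock_time template block in the later rule.yml hunk.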
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
deleted file mode 100644
index 230ff5eaa3d..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_pam_faillock_enable() }}}
-{{{ ansible_pam_faillock_parameter_value("unlock_time", "var_accounts_passwords_pam_faillock_unlock_time") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
deleted file mode 100644
index 3a32aad36c0..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-
-{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
-
-{{{ bash_pam_faillock_enable() }}}
-{{{ bash_pam_faillock_parameter_value("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
deleted file mode 100644
index 94c1ecaa55c..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/openeuler.xml
+++ /dev/null
@@ -1,285 +0,0 @@
-
-
- {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^[\s]*auth\N+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
-
-
-
- ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so
-
-
-
- ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
-
-
-
- ^[\s]*unlock_time[\s]*=[\s]*([0-9]+)
-
-
-
-
- ^/etc/pam.d/system-auth$
-
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/security/faillock.conf$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
deleted file mode 100644
index 5dd850d8caf..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
+++ /dev/null
@@ -1,285 +0,0 @@
-
-
- {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^[\s]*auth\N+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
-
-
-
- ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so
-
-
-
- ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
-
-
-
- ^[\s]*unlock_time[\s]*=[\s]*([0-9]+)
-
-
-
-
- ^/etc/pam.d/system-auth$
-
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/system-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/pam.d/password-auth$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^/etc/security/faillock.conf$
-
- 1
-
-
-
-
-
-
-
-
-
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml
deleted file mode 100644
index 6f90a6e6a5f..00000000000
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/ubuntu.xml
+++ /dev/null
@@ -1,195 +0,0 @@
-{{# Very similar OVAL is used in several rules, differing primarily in faillock.so parameter. #}}
-{{# For transferability, we define the parameter and corresponding regular expressions in jinja. #}}
-{{# The rules should ideally use a single template. #}}
-
-{{% set prm_name = "unlock_time" %}}
-{{% set prm_regex_conf = "^[\s]*unlock_time[\s]*=[\s]*([0-9]+)" %}}
-{{% set prm_regex_pamd = "^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)" %}}
-{{% set ext_variable = "var_accounts_passwords_pam_faillock_unlock_time" %}}
-{{% set description = "The unlock time after number of failed logins should be set correctly." %}}
-
-
-
- {{{ oval_metadata(description) }}}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ^\s*auth.*pam_unix\.so
-
-
-
- ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc
-
-
-
- ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$
-
-
-
- {{{ prm_regex_pamd }}}
-
-
-
- {{{ prm_regex_conf }}}
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
- /etc/pam.d/common-account
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/pam.d/common-auth
-
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- /etc/security/faillock.conf
-
- 1
-
-
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
index ea9414e6b07..e20bb698663 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -127,3 +127,13 @@ warnings:
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file.
+
+template:
+ name: pam_account_password_faillock
+ vars:
+ prm_name: unlock_time
+ prm_regex_conf: ^[\s]*unlock_time[\s]*=[\s]*([0-9]+)
+ prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
+ ext_variable: var_accounts_passwords_pam_faillock_unlock_time
+ description: The unlock time after number of failed logins should be set correctly.
+ variable_lower_bound: use_ext_variable
diff --git a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml
index 284f24ca7a4..544f370e22c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml
@@ -4,7 +4,7 @@ documentation_complete: true
title: 'Install pam_pwquality Package'
description: |-
- {{% if 'ubuntu' not in product %}}
+ {{% if 'ubuntu' not in product and 'debian' not in product %}}
{{{ describe_package_install(package="libpwquality") }}}
{{% else %}}
{{{ describe_package_install(package="libpam-pwquality") }}}
@@ -35,7 +35,7 @@ references:
ocil_clause: 'the package is not installed'
ocil: |-
-{{%- if 'ubuntu' not in product %}}
+{{%- if 'ubuntu' not in product and 'debian' not in product %}}
{{{ ocil_package(package="libpwquality") }}}
{{%- else %}}
{{{ ocil_package(package="libpam-pwquality") }}}
@@ -47,5 +47,6 @@ template:
pkgname: libpwquality
pkgname@ubuntu2004: libpam-pwquality
pkgname@ubuntu2204: libpam-pwquality
+ pkgname@debian12: libpam-pwquality
platform: package[pam]
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh
new file mode 100644
index 00000000000..5324cef7214
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/debian.sh
@@ -0,0 +1,5 @@
+# platform = multi_platform_debian
+
+{{{ bash_instantiate_variables("var_password_pam_retry") }}}
+
+{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', 'retry', "$var_password_pam_retry", "$var_password_pam_retry") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
index ee1f51d3d4c..4ae8aec49b3 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if 'ubuntu' in product %}}
+{{% if 'ubuntu' in product or 'debian' in product %}}
{{% set configuration_files = ["common-password"] %}}
{{% elif product in ['ol8','ol9','rhel8', 'rhel9'] %}}
{{% set configuration_files = ["password-auth","system-auth"] %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
index 411a67363a4..aa51339458f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
@@ -9,7 +9,7 @@ description: |-
Edit the /etc/security/pwquality.conf to include
{{% else %}}
Edit the pam_pwquality.so statement in
- {{% if 'ubuntu' not in product %}}
+ {{% if 'ubuntu' not in product and 'debian' not in product %}}
/etc/pam.d/system-auth to show
{{% else %}}
/etc/pam.d/common-password to show
@@ -63,7 +63,7 @@ ocil: |-
$ grep retry /etc/security/pwquality.conf
{{% else %}}
Check for the use of the "pwquality" retry option in the PAM files with the following command:
- {{% if 'ubuntu' in product %}}
+ {{% if 'ubuntu' in product or 'debian' in product %}}
$ grep pam_pwquality /etc/pam.d/common-password
{{% else %}}
$ grep pam_pwquality /etc/pam.d/system-auth
@@ -82,7 +82,7 @@ fixtext: |-
retry={{{ xccdf_value("var_password_pam_retry") }}}
{{% else %}}
- {{% if 'ubuntu' in product %}}
+ {{% if 'ubuntu' in product or 'debian' in product %}}
Add the following line to the "/etc/pam.d/common-password" file (or modify the line to have the required value):
{{% else %}}
Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value):
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
index 2712118e5e3..c8a246b9048 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
{{{ bash_instantiate_variables("var_password_hashing_algorithm") }}}
{{{ bash_replace_or_append('/etc/login.defs', '^ENCRYPT_METHOD', "$var_password_hashing_algorithm", '%s %s') }}}
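Review bot: The platform header jumps from an explicit product list to `multi_platform_all`, which is wider than the Debian enablement the rest of this diff performs; every product built from this content now receives a remediation that rewrites `ENCRYPT_METHOD` in `/etc/login.defs`, including any the previous list deliberately left out. If only Debian is intended, `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian` keeps the scope explicit and matches how the other platform headers in this diff are extended.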
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
index 808365173de..7bdb759f686 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_root/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel
+# platform = multi_platform_rhel,multi_platform_debian
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
index a40010714fb..7374c21e869 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/bash/shared.sh
@@ -1,9 +1,11 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
{{{ bash_instantiate_variables("var_password_pam_unix_rounds") }}}
{{% if product in ["sle12", "sle15"] %}}
{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
+{{% elif product in ["debian12"] %}}
+{{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', '\[success=1 default=ignore\]', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
{{% else %}}
{{{ bash_ensure_pam_module_configuration('/etc/pam.d/password-auth', 'password', 'sufficient', 'pam_unix.so', 'rounds', "$var_password_pam_unix_rounds", '') }}}
{{% endif %}}
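Review bot: The debian12 branch passes the control field as `'\[success=1 default=ignore\]'`, i.e. with regex escapes, while the other branches pass a plain word such as `'sufficient'`; whether `bash_ensure_pam_module_configuration` uses that argument only as a match pattern or also writes it verbatim when no `pam_unix.so` line exists is not visible here, and in the latter case the backslashes would land in `/etc/pam.d/common-password` and break the PAM control token. Please confirm the macro's write path, or pass the literal `'[success=1 default=ignore]'` if the macro escapes internally. The matching OVAL hunk in this diff relaxes the control match to `.*` for debian12, which accepts any control token, so the check and the remediation should agree on what a compliant line looks like.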
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
index 40f37245d66..33076d3621c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "debian12"] %}}
{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
{{% else %}}
{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -19,7 +19,11 @@
^{{{ pam_passwd_file_path }}}$
+ {{% if product in ["debian12"] %}}
+ ^\s*password\s+.*\s+pam_unix\.so.*rounds=([0-9]*).*$
+ {{% else %}}
^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$
+ {{% endif %}}
1
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
index f454d4ef615..428b3e6948f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'Set number of Password Hashing Rounds - password-auth'
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "debian12"] %}}
{{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
{{% else %}}
{{% set pam_passwd_file_path = "/etc/pam.d/password-auth" %}}
@@ -15,8 +15,13 @@ description: |-
In file {{{ pam_passwd_file_path }}} append rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
to the pam_unix.so entry, as shown below:
+ {{% if product in ["debian12"] %}}
+ password [success=1 default=ignore] pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ {{% else %}}
password sufficient pam_unix.so ...existing_options... rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+
The system's default number of rounds is 5000.
+ {{% endif %}}
rationale: |-
Using a higher number of rounds makes password cracking attacks more difficult.
@@ -45,7 +50,11 @@ ocil: |-
To verify the number of rounds for the password hashing algorithm is configured, run the following command:
$ sudo grep rounds {{{ pam_passwd_file_path }}}
The output should show the following match:
+ {{% if product in ["debian12"] %}}
+ password [sucess=1 default=ignore] pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ {{% else %}}
password sufficient pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}
+ {{% endif %}}
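Review bot: The ocil example line misspells the PAM control token as `[sucess=1 default=ignore]`, and the fixtext hunk below repeats it; `sucess` is not a valid PAM return-value name, and the remediation in this diff writes `success=1`, so an administrator copying the documented line would produce a line that neither PAM nor the verification grep treats as the intended one. Change the ocil line to `password [success=1 default=ignore] pam_unix.so sha512 rounds={{{ xccdf_value("var_password_pam_unix_rounds") }}}` and the fixtext line to `password [success=1 default=ignore] pam_unix.so sha512 rounds=5000`.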
platform: package[pam]
@@ -54,7 +63,10 @@ fixtext: |-
Add or modify the following line in "{{{ pam_passwd_file_path }}}" and set "rounds" to {{{ xccdf_value("var_password_pam_unix_rounds") }}}.
For example:
-
+ {{% if product in ["debian12"] %}}
+ password [sucess=1 default=ignore] pam_unix.so sha512 rounds=5000
+ {{% else %}}
password sufficient pam_unix.so sha512 rounds=5000
-
+ {{% endif %}}
+
srg_requirement: '{{{ full_name }}} shadow password suite must be configured to use a sufficient number of hashing rounds in {{{ pam_passwd_file_path }}}.'
diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
index fed8d1e7e33..b49c478adb6 100644
--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml
@@ -20,7 +20,7 @@ description: |-
If the system is configured for online updates, invoking the following command will list available
security updates:
$ sudo zypper refresh && sudo zypper list-patches -g security
-{{% elif 'ubuntu' in product %}}
+{{% elif 'ubuntu' in product or 'debian' in product %}}
If the system has an apt repository available, run the following command to install updates:
$ apt update && apt full-upgrade
{{% endif %}}
diff --git a/products/debian12/product.yml b/products/debian12/product.yml
index 93a29d900f3..7077bc2263a 100644
--- a/products/debian12/product.yml
+++ b/products/debian12/product.yml
@@ -17,6 +17,7 @@ pkg_manager: "apt_get"
init_system: "systemd"
+oval_feed_url: "https://www.debian.org/security/oval/oval-definitions-bookworm.xml.bz2"
cpes_root: "../../shared/applicability"
cpes:
diff --git a/products/debian12/profiles/anssi_bp28_enhanced.profile b/products/debian12/profiles/anssi_bp28_enhanced.profile
index b03c0008011..61111bf85a7 100644
--- a/products/debian12/profiles/anssi_bp28_enhanced.profile
+++ b/products/debian12/profiles/anssi_bp28_enhanced.profile
@@ -13,170 +13,50 @@ description: |-
selections:
- anssi:all:enhanced
- - package_rsyslog_installed
- - service_rsyslog_enabled
+ - 'package_rsyslog_installed'
+ - 'service_rsyslog_enabled'
# PASS_MIN_LEN is handled by PAM on debian systems.
- '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
# Debian uses apparmor
- '!selinux_state'
- '!audit_rules_mac_modification'
- - apparmor_configured
- - all_apparmor_profiles_enforced
- - grub2_enable_apparmor
- - package_apparmor_installed
- - package_pam_apparmor_installed
+ - '!selinux_policytype'
+ - 'apparmor_configured'
+ - 'all_apparmor_profiles_enforced'
+ - 'grub2_enable_apparmor'
+ - 'package_apparmor_installed'
+ - 'package_pam_apparmor_installed'
# The following are MLS related rules (not part of ANSSI-BP-028)
- '!accounts_polyinstantiated_tmp'
- '!accounts_polyinstantiated_var_tmp'
+ - '!enable_pam_namespace'
+
# Following rules once had a prodtype incompatible with the debian12 product
- - '!sysctl_net_ipv4_conf_default_secure_redirects'
- - '!accounts_password_pam_dcredit'
- - '!package_sendmail_removed'
- - '!partition_for_boot'
- - '!sysctl_net_ipv4_conf_all_accept_source_route'
- - '!mount_option_home_nosuid'
- - '!audit_rules_usergroup_modification_opasswd'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!package_dnf-automatic_installed'
- '!accounts_passwords_pam_faillock_deny_root'
+ - '!dnf-automatic_security_updates_only'
- '!cracklib_accounts_password_pam_lcredit'
- - '!sysctl_fs_protected_regular'
- '!dnf-automatic_apply_updates'
- '!cracklib_accounts_password_pam_ocredit'
- - '!enable_pam_namespace'
- - '!package_talk_removed'
- - '!audit_rules_privileged_commands_insmod'
- - '!accounts_password_pam_minlen'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!sudo_dedicated_group'
- - '!chronyd_configure_pool_and_server'
- - '!grub2_page_poison_argument'
- - '!ensure_gpgcheck_local_packages'
- - '!grub2_uefi_password'
- - '!sysctl_net_ipv6_conf_all_accept_redirects'
- - '!audit_rules_usergroup_modification_group'
- - '!package_sudo_installed'
- - '!package_xinetd_removed'
- - '!package_rsh-server_removed'
- - '!mount_option_srv_nosuid'
- - '!audit_sudo_log_events'
- - '!mount_option_boot_noexec'
- - '!mount_option_var_tmp_noexec'
- - '!sysctl_net_ipv6_conf_default_router_solicitations'
- - '!package_ypserv_removed'
- - '!mount_option_tmp_nosuid'
- - '!service_chronyd_or_ntpd_enabled'
- - '!security_patches_up_to_date'
- - '!sysctl_net_ipv4_conf_all_rp_filter'
- - '!timer_logrotate_enabled'
- - '!rsyslog_remote_tls'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!file_permissions_ungroupowned'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_net_ipv6_conf_all_accept_ra_defrtr'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
- - '!sysctl_net_ipv4_conf_default_accept_redirects'
- - '!package_dnf-automatic_installed'
- - '!audit_rules_privileged_commands_modprobe'
- - '!sysctl_kernel_perf_event_max_sample_rate'
- - '!sysctl_net_ipv6_conf_all_accept_ra_pinfo'
- - '!sysctl_kernel_perf_cpu_time_max_percent'
- '!timer_dnf-automatic_enabled'
- '!accounts_passwords_pam_tally2'
- - '!accounts_password_pam_unix_remember'
- - '!file_permissions_unauthorized_sgid'
- - '!sysctl_net_ipv6_conf_all_router_solicitations'
- - '!sysctl_net_ipv4_conf_default_rp_filter'
- - '!audit_rules_usergroup_modification_shadow'
- - '!sudo_add_umask'
- - '!sudo_add_env_reset'
- - '!package_dhcp_removed'
- - '!audit_rules_privileged_commands_kmod'
- - '!sysctl_net_ipv6_conf_default_accept_source_route'
- - '!sysctl_fs_protected_fifos'
- - '!grub2_page_alloc_shuffle_argument'
- - '!mount_option_var_noexec'
- - '!accounts_password_pam_ucredit'
- - '!ensure_gpgcheck_never_disabled'
- - '!mount_option_opt_nosuid'
- - '!partition_for_opt'
- - '!sysctl_kernel_sysrq'
- - '!sysctl_net_ipv4_ip_forward'
- - '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
- - '!postfix_network_listening_disabled'
- - '!install_PAE_kernel_on_x86-32'
- - '!sysctl_kernel_modules_disabled'
- - '!audit_rules_usergroup_modification_gshadow'
- - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_interval'
- - '!sudo_add_ignore_dot'
- - '!sysctl_kernel_perf_event_paranoid'
- - '!mount_option_var_log_nosuid'
- - '!sysctl_net_ipv6_conf_default_autoconf'
- - '!sysctl_net_ipv6_conf_default_max_addresses'
- - '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref'
- - '!grub2_mds_argument'
- - '!audit_rules_privileged_commands_rmmod'
- - '!grub2_slub_debug_argument'
- - '!dnf-automatic_security_updates_only'
- - '!audit_rules_usergroup_modification_passwd'
- - '!mount_option_var_log_noexec'
- - '!partition_for_usr'
- - '!package_telnet-server_removed'
- - '!sysctl_net_ipv4_ip_local_port_range'
- - '!package_talk-server_removed'
- - '!sysctl_kernel_pid_max'
- - '!package_ypbind_removed'
- - '!sysctl_net_ipv4_conf_default_send_redirects'
- - '!mount_option_var_nosuid'
- - '!sysctl_net_ipv6_conf_all_max_addresses'
- - '!sysctl_net_ipv4_conf_all_accept_redirects'
- '!cracklib_accounts_password_pam_ucredit'
- - '!sysctl_net_ipv4_conf_all_send_redirects'
- - '!sysctl_net_ipv4_conf_all_secure_redirects'
+ - '!file_permissions_unauthorized_sgid'
+ - '!ensure_gpgcheck_local_packages'
- '!accounts_passwords_pam_tally2_unlock_time'
- - '!selinux_policytype'
- - '!sysctl_net_ipv4_conf_default_accept_source_route'
- - '!cracklib_accounts_password_pam_minlen'
- - '!sebool_polyinstantiation_enabled'
- - '!accounts_tmout'
- - '!mount_option_nodev_nonroot_local_partitions'
- - '!package_tftp_removed'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!grub2_pti_argument'
- - '!file_permissions_unauthorized_suid'
- - '!package_rsyslog-gnutls_installed'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_net_ipv6_conf_default_accept_redirects'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!sysctl_vm_mmap_min_addr'
- - '!sysctl_net_ipv4_tcp_rfc1337'
- - '!sysctl_net_ipv4_tcp_syncookies'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_ipv6_conf_default_accept_ra_pinfo'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
- - '!no_files_unowned_by_user'
- - '!package_dracut-fips-aesni_installed'
- - '!mount_option_boot_nosuid'
- - '!audit_rules_privileged_commands_sudo'
- - '!mount_option_tmp_noexec'
- - '!mount_option_home_noexec'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_accept_source_route'
- - '!rsyslog_remote_tls_cacert'
- - '!sysctl_net_ipv6_conf_default_accept_ra_defrtr'
- '!enable_authselect'
- - '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses'
- - '!sysctl_kernel_dmesg_restrict'
- - '!package_telnet_removed'
- - '!grub2_password'
- - '!dir_perms_world_writable_root_owned'
+ - '!cracklib_accounts_password_pam_minlen'
- '!cracklib_accounts_password_pam_dcredit'
- - '!partition_for_var_tmp'
- '!ensure_gpgcheck_globally_activated'
- - '!accounts_umask_etc_bashrc'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!file_permissions_unauthorized_suid'
+ - '!ensure_gpgcheck_never_disabled'
- '!ensure_oracle_gpgkey_installed'
- - '!mount_option_var_tmp_nosuid'
+ - '!package_dracut-fips-aesni_installed'
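Review bot: The hunk drops a long list of `'!…'` exclusions (for example `'!grub2_password'`, `'!grub2_uefi_password'`, `'!sudo_dedicated_group'`, `'!accounts_tmout'`), which re-selects those rules for debian12 through `anssi:all:enhanced`; as far as this diff shows, only some of the corresponding rules gain Debian platform support, so it is worth confirming the remainder build and evaluate for debian12 rather than failing at build or reporting notapplicable. Style: the new entries are single-quoted (`- 'package_rsyslog_installed'`) while this profile and the high profile hunk below keep unquoted entries (`- service_rsyslog_enabled`, `- apparmor_configured`); pick one form. The two added comments would read better as `# ANSSI BP 28 suggests using libpam-pwquality, which is not deployed by default` and `# PAM honours the login.defs setting for the hashing algorithm`, in both profiles.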
diff --git a/products/debian12/profiles/anssi_bp28_high.profile b/products/debian12/profiles/anssi_bp28_high.profile
index b15e6fa7d3e..97db7e1c8d3 100644
--- a/products/debian12/profiles/anssi_bp28_high.profile
+++ b/products/debian12/profiles/anssi_bp28_high.profile
@@ -17,9 +17,14 @@ selections:
- service_rsyslog_enabled
# PASS_MIN_LEN is handled by PAM on debian systems.
- '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
# Debian uses apparmor
- '!selinux_state'
- '!audit_rules_mac_modification'
+ - '!selinux_policytype'
- apparmor_configured
- all_apparmor_profiles_enforced
- grub2_enable_apparmor
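Review bot: The new comment `# PAM honour login.defs file for algorithm` claims more than `set_password_hashing_algorithm_logindefs` can deliver: pam_unix only falls back to `ENCRYPT_METHOD` from /etc/login.defs when no hashing option is present on its own module line, and Debian's pam-auth-update unix profile writes an explicit algorithm (`yescrypt`) into /etc/pam.d/common-password, which then takes precedence. If that is the layout on debian12, selecting the login.defs rule alone leaves the effective hash governed by the PAM line, while the only rule that inspects the PAM line, `set_password_hashing_algorithm_systemauth`, is excluded further down as RHEL-specific. I would reword to `# login.defs ENCRYPT_METHOD is only honoured when common-password's pam_unix line names no algorithm` and either select a rule that checks that line on Debian or document the gap explicitly.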
@@ -28,194 +33,30 @@ selections:
# The following are MLS related rules (not part of ANSSI-BP-028)
- '!accounts_polyinstantiated_tmp'
- '!accounts_polyinstantiated_var_tmp'
+ - '!enable_pam_namespace'
+
# Following rules once had a prodtype incompatible with the debian12 product
- - '!aide_verify_acls'
- - '!sysctl_net_ipv4_conf_default_secure_redirects'
- - '!accounts_password_pam_dcredit'
- - '!sebool_ssh_sysadm_login'
- - '!package_sendmail_removed'
- - '!kernel_config_refcount_full'
- - '!partition_for_boot'
- - '!sysctl_net_ipv4_conf_all_accept_source_route'
- - '!mount_option_home_nosuid'
- - '!audit_rules_usergroup_modification_opasswd'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!package_dnf-automatic_installed'
- '!accounts_passwords_pam_faillock_deny_root'
- - '!sysctl_fs_protected_regular'
+ - '!dnf-automatic_security_updates_only'
- '!cracklib_accounts_password_pam_lcredit'
- - '!kernel_config_sched_stack_end_check'
- '!dnf-automatic_apply_updates'
- '!cracklib_accounts_password_pam_ocredit'
- - '!enable_pam_namespace'
- - '!package_talk_removed'
- - '!audit_rules_privileged_commands_insmod'
- - '!accounts_password_pam_minlen'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!sudo_dedicated_group'
- - '!chronyd_configure_pool_and_server'
- - '!grub2_page_poison_argument'
- - '!ensure_gpgcheck_local_packages'
- - '!sebool_selinuxuser_execstack'
- - '!grub2_uefi_password'
- - '!sysctl_net_ipv6_conf_all_accept_redirects'
- - '!kernel_config_slab_freelist_hardened'
- - '!audit_rules_usergroup_modification_group'
- - '!package_sudo_installed'
- - '!kernel_config_slab_merge_default'
- - '!package_xinetd_removed'
- - '!package_rsh-server_removed'
- - '!mount_option_srv_nosuid'
- - '!audit_sudo_log_events'
- - '!mount_option_boot_noexec'
- - '!mount_option_var_tmp_noexec'
- - '!kernel_config_gcc_plugin_structleak_byref_all'
- - '!sysctl_net_ipv6_conf_default_router_solicitations'
- - '!package_ypserv_removed'
- - '!mount_option_tmp_nosuid'
- - '!service_chronyd_or_ntpd_enabled'
- - '!sebool_selinuxuser_execheap'
- - '!security_patches_up_to_date'
- - '!sysctl_net_ipv4_conf_all_rp_filter'
- - '!timer_logrotate_enabled'
- - '!rsyslog_remote_tls'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!file_permissions_ungroupowned'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_net_ipv6_conf_all_accept_ra_defrtr'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
- - '!sysctl_net_ipv4_conf_default_accept_redirects'
- - '!package_dnf-automatic_installed'
- - '!audit_rules_privileged_commands_modprobe'
- - '!sysctl_kernel_perf_event_max_sample_rate'
- - '!kernel_config_stackprotector_strong'
- - '!sysctl_net_ipv6_conf_all_accept_ra_pinfo'
- - '!sysctl_kernel_perf_cpu_time_max_percent'
- - '!kernel_config_page_poisoning'
- '!timer_dnf-automatic_enabled'
- '!accounts_passwords_pam_tally2'
- - '!accounts_password_pam_unix_remember'
- - '!kernel_config_vmap_stack'
- - '!file_permissions_unauthorized_sgid'
- - '!sysctl_net_ipv6_conf_all_router_solicitations'
- - '!sysctl_net_ipv4_conf_default_rp_filter'
- - '!audit_rules_usergroup_modification_shadow'
- - '!sudo_add_umask'
- - '!sudo_add_env_reset'
- - '!package_dhcp_removed'
- - '!aide_scan_notification'
- - '!audit_rules_privileged_commands_kmod'
- - '!sysctl_net_ipv6_conf_default_accept_source_route'
- - '!sysctl_fs_protected_fifos'
- - '!kernel_config_strict_kernel_rwx'
- - '!kernel_config_slab_freelist_random'
- - '!kernel_config_hardened_usercopy'
- - '!grub2_page_alloc_shuffle_argument'
- - '!mount_option_var_noexec'
- - '!accounts_password_pam_ucredit'
- - '!ensure_gpgcheck_never_disabled'
- - '!mount_option_opt_nosuid'
- - '!partition_for_opt'
- - '!sysctl_kernel_sysrq'
- - '!aide_periodic_cron_checking'
- - '!sysctl_net_ipv4_ip_forward'
- - '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
- - '!postfix_network_listening_disabled'
- - '!install_PAE_kernel_on_x86-32'
- - '!sysctl_kernel_modules_disabled'
- - '!sebool_secure_mode_insmod'
- - '!audit_rules_usergroup_modification_gshadow'
- - '!kernel_config_hardened_usercopy_fallback'
- - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_interval'
- - '!sudo_add_ignore_dot'
- - '!sysctl_kernel_perf_event_paranoid'
- - '!mount_option_var_log_nosuid'
- - '!sysctl_net_ipv6_conf_default_autoconf'
- - '!sysctl_net_ipv6_conf_default_max_addresses'
- - '!kernel_config_gcc_plugin_latent_entropy'
- - '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref'
- - '!grub2_mds_argument'
- - '!audit_rules_privileged_commands_rmmod'
- - '!package_setroubleshoot-plugins_removed'
- - '!grub2_slub_debug_argument'
- - '!dnf-automatic_security_updates_only'
- - '!audit_rules_usergroup_modification_passwd'
- - '!mount_option_var_log_noexec'
- - '!partition_for_usr'
- - '!package_telnet-server_removed'
- - '!kernel_config_gcc_plugin_stackleak'
- - '!kernel_config_arm64_sw_ttbr0_pan'
- - '!sysctl_net_ipv4_ip_local_port_range'
- - '!package_talk-server_removed'
- - '!sysctl_kernel_pid_max'
- - '!package_ypbind_removed'
- - '!sysctl_net_ipv4_conf_default_send_redirects'
- - '!mount_option_var_nosuid'
- - '!sysctl_net_ipv6_conf_all_max_addresses'
- - '!sysctl_net_ipv4_conf_all_accept_redirects'
- '!cracklib_accounts_password_pam_ucredit'
- - '!sysctl_net_ipv4_conf_all_send_redirects'
- - '!kernel_config_legacy_vsyscall_xonly'
- - '!sysctl_net_ipv4_conf_all_secure_redirects'
- - '!kernel_config_gcc_plugin_randstruct'
+ - '!file_permissions_unauthorized_sgid'
+ - '!ensure_gpgcheck_local_packages'
- '!accounts_passwords_pam_tally2_unlock_time'
- - '!selinux_policytype'
- - '!sysctl_net_ipv4_conf_default_accept_source_route'
- - '!cracklib_accounts_password_pam_minlen'
- - '!kernel_config_debug_wx'
- - '!sebool_polyinstantiation_enabled'
- - '!accounts_tmout'
- - '!mount_option_nodev_nonroot_local_partitions'
- - '!package_tftp_removed'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!kernel_config_strict_module_rwx'
- - '!kernel_config_modify_ldt_syscall'
- - '!aide_verify_ext_attributes'
- - '!grub2_pti_argument'
- - '!file_permissions_unauthorized_suid'
- - '!package_rsyslog-gnutls_installed'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_net_ipv6_conf_default_accept_redirects'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!kernel_config_legacy_vsyscall_none'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!aide_periodic_checking_systemd_timer'
- - '!sysctl_vm_mmap_min_addr'
- - '!sysctl_net_ipv4_tcp_rfc1337'
- - '!sysctl_net_ipv4_tcp_syncookies'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_ipv6_conf_default_accept_ra_pinfo'
- - '!package_dracut-fips-aesni_installed'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
- - '!no_files_unowned_by_user'
- - '!mount_option_boot_nosuid'
- - '!kernel_config_bug_on_data_corruption'
- - '!kernel_config_legacy_vsyscall_emulate'
- - '!audit_rules_privileged_commands_sudo'
- - '!mount_option_tmp_noexec'
- - '!mount_option_home_noexec'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sebool_deny_execmem'
- - '!sysctl_net_ipv6_conf_all_accept_source_route'
- - '!rsyslog_remote_tls_cacert'
- - '!sysctl_net_ipv6_conf_default_accept_ra_defrtr'
- - '!package_setroubleshoot-server_removed'
- - '!kernel_config_stackprotector'
- - '!kernel_config_gcc_plugin_structleak'
- '!enable_authselect'
- - '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses'
- - '!sysctl_kernel_dmesg_restrict'
- - '!package_telnet_removed'
- - '!grub2_password'
- - '!package_setroubleshoot_removed'
- - '!kernel_config_fortify_source'
- - '!dir_perms_world_writable_root_owned'
+ - '!cracklib_accounts_password_pam_minlen'
- '!cracklib_accounts_password_pam_dcredit'
- - '!partition_for_var_tmp'
- '!ensure_gpgcheck_globally_activated'
- - '!accounts_umask_etc_bashrc'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!file_permissions_unauthorized_suid'
+ - '!ensure_gpgcheck_never_disabled'
- '!ensure_oracle_gpgkey_installed'
- - '!mount_option_var_tmp_nosuid'
+ - '!package_dracut-fips-aesni_installed'
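Review bot: The retained heading `# Following rules once had a prodtype incompatible with the debian12 product` no longer describes the list beneath it: what remains (`!ensure_redhat_gpgkey_installed`, `!package_dnf-automatic_installed`, `!set_password_hashing_algorithm_systemauth`, the `!cracklib_*` and `!accounts_passwords_pam_tally2*` entries) are rules tied to RHEL/SLE tooling with no Debian counterpart, not prodtype leftovers. Someone auditing the profile needs to know these are intentional gaps, so a heading such as `# Rules bound to RHEL/SLE tooling (dnf, authselect, pam_tally2, cracklib) with no debian12 equivalent` would be more honest. Separately, `!accounts_passwords_pam_faillock_deny_root` stays excluded while this hunk drops the exclusions for `_deny`, `_unlock_time` and `_interval`; if the new faillock template also handles `even_deny_root`, keeping only that one excluded looks like an oversight, otherwise a one-line comment stating why it is kept would help.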
diff --git a/products/debian12/profiles/anssi_bp28_intermediary.profile b/products/debian12/profiles/anssi_bp28_intermediary.profile
index b45640eecfc..0009703a286 100644
--- a/products/debian12/profiles/anssi_bp28_intermediary.profile
+++ b/products/debian12/profiles/anssi_bp28_intermediary.profile
@@ -20,138 +20,38 @@ selections:
- anssi:all:intermediary
# PASS_MIN_LEN is handled by PAM on debian systems.
- '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
# Debian uses apparmor
- '!selinux_state'
# The following are MLS related rules (not part of ANSSI-BP-028)
- '!accounts_polyinstantiated_tmp'
- '!accounts_polyinstantiated_var_tmp'
+ - '!enable_pam_namespace'
+
# Following rules once had a prodtype incompatible with the debian12 product
- - '!sysctl_net_ipv4_conf_default_secure_redirects'
- - '!accounts_password_pam_dcredit'
- - '!package_sendmail_removed'
- - '!partition_for_boot'
- - '!sysctl_net_ipv4_conf_all_accept_source_route'
- - '!mount_option_home_nosuid'
+ - '!accounts_passwords_pam_tally2_deny_root'
+ - '!ensure_redhat_gpgkey_installed'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!package_dnf-automatic_installed'
- '!accounts_passwords_pam_faillock_deny_root'
+ - '!dnf-automatic_security_updates_only'
- '!cracklib_accounts_password_pam_lcredit'
- - '!sysctl_fs_protected_regular'
- '!dnf-automatic_apply_updates'
- '!cracklib_accounts_password_pam_ocredit'
- - '!enable_pam_namespace'
- - '!package_talk_removed'
- - '!accounts_password_pam_minlen'
- '!accounts_password_pam_unix_rounds_system_auth'
- - '!grub2_page_poison_argument'
- - '!ensure_gpgcheck_local_packages'
- - '!grub2_uefi_password'
- - '!sysctl_net_ipv6_conf_all_accept_redirects'
- - '!package_sudo_installed'
- - '!package_xinetd_removed'
- - '!package_rsh-server_removed'
- - '!mount_option_srv_nosuid'
- - '!mount_option_boot_noexec'
- - '!mount_option_var_tmp_noexec'
- - '!sysctl_net_ipv6_conf_default_router_solicitations'
- - '!package_ypserv_removed'
- - '!mount_option_tmp_nosuid'
- - '!security_patches_up_to_date'
- - '!sysctl_net_ipv4_conf_all_rp_filter'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!file_permissions_ungroupowned'
- - '!set_password_hashing_algorithm_systemauth'
- - '!sysctl_net_ipv6_conf_all_accept_ra_defrtr'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
- - '!sysctl_net_ipv4_conf_default_accept_redirects'
- - '!package_dnf-automatic_installed'
- - '!sysctl_kernel_perf_event_max_sample_rate'
- - '!sysctl_net_ipv6_conf_all_accept_ra_pinfo'
- - '!sysctl_kernel_perf_cpu_time_max_percent'
- '!timer_dnf-automatic_enabled'
- '!accounts_passwords_pam_tally2'
- - '!accounts_password_pam_unix_remember'
- - '!file_permissions_unauthorized_sgid'
- - '!sysctl_net_ipv6_conf_all_router_solicitations'
- - '!sysctl_net_ipv4_conf_default_rp_filter'
- - '!sudo_add_umask'
- - '!sudo_add_env_reset'
- - '!package_dhcp_removed'
- - '!sysctl_net_ipv6_conf_default_accept_source_route'
- - '!sysctl_fs_protected_fifos'
- - '!grub2_page_alloc_shuffle_argument'
- - '!mount_option_var_noexec'
- - '!accounts_password_pam_ucredit'
- - '!ensure_gpgcheck_never_disabled'
- - '!mount_option_opt_nosuid'
- - '!partition_for_opt'
- - '!sysctl_kernel_sysrq'
- - '!sysctl_net_ipv4_ip_forward'
- - '!sysctl_net_ipv6_conf_all_accept_ra_rtr_pref'
- - '!postfix_network_listening_disabled'
- - '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_interval'
- - '!sudo_add_ignore_dot'
- - '!sysctl_kernel_perf_event_paranoid'
- - '!mount_option_var_log_nosuid'
- - '!sysctl_net_ipv6_conf_default_autoconf'
- - '!sysctl_net_ipv6_conf_default_max_addresses'
- - '!sysctl_net_ipv6_conf_default_accept_ra_rtr_pref'
- - '!grub2_mds_argument'
- - '!grub2_slub_debug_argument'
- - '!dnf-automatic_security_updates_only'
- - '!mount_option_var_log_noexec'
- - '!partition_for_usr'
- - '!package_telnet-server_removed'
- - '!sysctl_net_ipv4_ip_local_port_range'
- - '!package_talk-server_removed'
- - '!sysctl_kernel_pid_max'
- - '!package_ypbind_removed'
- - '!sysctl_net_ipv4_conf_default_send_redirects'
- - '!mount_option_var_nosuid'
- - '!sysctl_net_ipv6_conf_all_max_addresses'
- - '!sysctl_net_ipv4_conf_all_accept_redirects'
- '!cracklib_accounts_password_pam_ucredit'
- - '!sysctl_net_ipv4_conf_all_send_redirects'
- - '!sysctl_net_ipv4_conf_all_secure_redirects'
+ - '!file_permissions_unauthorized_sgid'
+ - '!ensure_gpgcheck_local_packages'
- '!accounts_passwords_pam_tally2_unlock_time'
- - '!sysctl_net_ipv4_conf_default_accept_source_route'
- - '!cracklib_accounts_password_pam_minlen'
- - '!sebool_polyinstantiation_enabled'
- - '!accounts_tmout'
- - '!mount_option_nodev_nonroot_local_partitions'
- - '!package_tftp_removed'
- - '!sysctl_net_core_bpf_jit_harden'
- - '!grub2_pti_argument'
- - '!file_permissions_unauthorized_suid'
- - '!accounts_passwords_pam_tally2_deny_root'
- - '!sysctl_net_ipv6_conf_default_accept_redirects'
- - '!sysctl_kernel_unprivileged_bpf_disabled'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!sysctl_vm_mmap_min_addr'
- - '!sysctl_net_ipv4_tcp_rfc1337'
- - '!sysctl_net_ipv4_tcp_syncookies'
- - '!sysctl_kernel_yama_ptrace_scope'
- - '!sysctl_net_ipv6_conf_default_accept_ra_pinfo'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
- - '!no_files_unowned_by_user'
- - '!mount_option_boot_nosuid'
- - '!audit_rules_privileged_commands_sudo'
- - '!mount_option_tmp_noexec'
- - '!mount_option_home_noexec'
- - '!sysctl_net_ipv4_conf_all_drop_gratuitous_arp'
- - '!sysctl_net_ipv6_conf_all_accept_source_route'
- - '!sysctl_net_ipv6_conf_default_accept_ra_defrtr'
- '!enable_authselect'
- - '!sysctl_net_ipv4_icmp_ignore_bogus_error_responses'
- - '!sysctl_kernel_dmesg_restrict'
- - '!package_telnet_removed'
- - '!grub2_password'
- - '!dir_perms_world_writable_root_owned'
+ - '!cracklib_accounts_password_pam_minlen'
- '!cracklib_accounts_password_pam_dcredit'
- - '!partition_for_var_tmp'
- '!ensure_gpgcheck_globally_activated'
- - '!sysctl_net_ipv6_conf_all_autoconf'
+ - '!file_permissions_unauthorized_suid'
+ - '!ensure_gpgcheck_never_disabled'
- '!ensure_oracle_gpgkey_installed'
- - '!mount_option_var_tmp_nosuid'
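Review bot: `!accounts_passwords_pam_faillock_deny_root` is still excluded here while the same hunk removes the exclusions for `accounts_passwords_pam_faillock_deny`, `_unlock_time` and `_interval`, so lockout now applies to ordinary accounts on debian12 but root remains out of scope without any stated reason. If the faillock template introduced in this change can also manage `even_deny_root` on a common-auth layout, the remaining exclusion should go; if it cannot, a comment such as `# even_deny_root not yet supported by the debian faillock remediation` keeps the gap visible. The heading `# Following rules once had a prodtype incompatible with the debian12 product` also no longer matches the kept entries, which are RHEL/SLE-tooling rules (dnf-automatic, authselect, pam_tally2, cracklib) rather than prodtype artefacts.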
diff --git a/products/debian12/profiles/anssi_bp28_minimal.profile b/products/debian12/profiles/anssi_bp28_minimal.profile
index ded77a47463..2508a5d644d 100644
--- a/products/debian12/profiles/anssi_bp28_minimal.profile
+++ b/products/debian12/profiles/anssi_bp28_minimal.profile
@@ -15,55 +15,33 @@ selections:
- anssi:all:minimal
# PASS_MIN_LEN is handled by PAM on debian systems.
- '!accounts_password_minlen_login_defs'
+ # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default
+ - 'package_pam_pwquality_installed'
+ # PAM honour login.defs file for algorithm
+ - 'set_password_hashing_algorithm_logindefs'
# Following rules once had a prodtype incompatible with the debian12 product
- - '!package_ypserv_removed'
- - '!accounts_password_pam_dcredit'
- '!accounts_passwords_pam_tally2_deny_root'
- - '!security_patches_up_to_date'
- - '!package_sendmail_removed'
- '!ensure_redhat_gpgkey_installed'
- - '!accounts_passwords_pam_faillock_deny'
- - '!accounts_password_pam_unix_rounds_password_auth'
- - '!accounts_passwords_pam_faillock_unlock_time'
- - '!accounts_passwords_pam_faillock_interval'
- - '!file_permissions_ungroupowned'
- '!set_password_hashing_algorithm_systemauth'
- - '!package_tftp-server_removed'
- - '!package_rsh_removed'
- '!package_dnf-automatic_installed'
- - '!no_files_unowned_by_user'
- '!accounts_passwords_pam_faillock_deny_root'
- - '!accounts_password_pam_ocredit'
- - '!accounts_password_pam_lcredit'
- '!dnf-automatic_security_updates_only'
- '!cracklib_accounts_password_pam_lcredit'
- '!dnf-automatic_apply_updates'
- '!cracklib_accounts_password_pam_ocredit'
- - '!package_telnet-server_removed'
- - '!package_talk_removed'
- - '!accounts_password_pam_minlen'
- - '!package_talk-server_removed'
- - '!package_ypbind_removed'
- '!accounts_password_pam_unix_rounds_system_auth'
- '!timer_dnf-automatic_enabled'
- '!accounts_passwords_pam_tally2'
- '!cracklib_accounts_password_pam_ucredit'
- - '!accounts_password_pam_unix_remember'
- '!file_permissions_unauthorized_sgid'
- '!ensure_gpgcheck_local_packages'
- '!accounts_passwords_pam_tally2_unlock_time'
- '!enable_authselect'
- '!cracklib_accounts_password_pam_minlen'
- - '!package_dhcp_removed'
- - '!package_telnet_removed'
- - '!dir_perms_world_writable_root_owned'
- '!cracklib_accounts_password_pam_dcredit'
- - '!package_xinetd_removed'
- '!ensure_gpgcheck_globally_activated'
- - '!package_tftp_removed'
- - '!package_rsh-server_removed'
- - '!accounts_password_pam_ucredit'
- '!file_permissions_unauthorized_suid'
- '!ensure_gpgcheck_never_disabled'
- '!ensure_oracle_gpgkey_installed'
+
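Review bot: `set_password_hashing_algorithm_logindefs` is selected with the comment `# PAM honour login.defs file for algorithm`, but pam_unix only consults `ENCRYPT_METHOD` when its module line in /etc/pam.d/common-password carries no explicit hash option; Debian's default unix profile names the algorithm on that line, in which case login.defs is ignored and this selection does not constrain the hash actually used. The comment should say so (`# only effective when common-password's pam_unix line names no algorithm`) so the gap is not mistaken for coverage. The hunk also appends an empty line at end of file; it carries no content and should be dropped.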
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 8244b856b7d..baa008f4f05 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -783,7 +783,7 @@ authselect enable-feature {{{ feature }}}
#}}
{{%- macro bash_enable_pam_faillock_directly_in_pam_files() -%}}
-{{% if 'ubuntu' in product %}}
+{{% if 'ubuntu' in product or 'debian' in product %}}
pam_file="/etc/pam.d/common-auth"
if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then
# insert at the top
diff --git a/shared/templates/accounts_password/ansible.template b/shared/templates/accounts_password/ansible.template
index b324dc01a35..f25e7cc5428 100644
--- a/shared/templates/accounts_password/ansible.template
+++ b/shared/templates/accounts_password/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template
index 46e98c1471a..372db9e6140 100644
--- a/shared/templates/accounts_password/bash.template
+++ b/shared/templates/accounts_password/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
diff --git a/shared/templates/audit_rules_privileged_commands/bash.template b/shared/templates/audit_rules_privileged_commands/bash.template
index 63dfcb06cca..21121564e81 100644
--- a/shared/templates/audit_rules_privileged_commands/bash.template
+++ b/shared/templates/audit_rules_privileged_commands/bash.template
@@ -1,7 +1,7 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
{{%- set perm_x=" -F perm=x" %}}
{{%- endif %}}
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path={{{ PATH }}}{{{ perm_x }}}"
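Review bot: The `perm_x` product allowlist on the `{{%- if product in [...] %}}` line is now hand-maintained in two places, this bash template and the OVAL template, while the platform header was widened to `multi_platform_all`; any product added to one list but not the other makes the remediation write `-F perm=x` rules the check does not recognise, or vice versa, and products covered by `multi_platform_all` but absent from both lists silently get the older `-F path=` form. A single shared definition of the set, or a product-family/version test instead of an enumerated list, would keep check and fix in step. At minimum add `# keep in sync with ../oval.template` above the list in both files.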
diff --git a/shared/templates/audit_rules_privileged_commands/oval.template b/shared/templates/audit_rules_privileged_commands/oval.template
index 7ef67818cbf..617df29299d 100644
--- a/shared/templates/audit_rules_privileged_commands/oval.template
+++ b/shared/templates/audit_rules_privileged_commands/oval.template
@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
{{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
{{%- endif %}}
diff --git a/shared/templates/audit_rules_usergroup_modification/bash.template b/shared/templates/audit_rules_usergroup_modification/bash.template
index 62faac341c9..bff0ed51210 100644
--- a/shared/templates/audit_rules_usergroup_modification/bash.template
+++ b/shared/templates/audit_rules_usergroup_modification/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
diff --git a/shared/templates/pam_account_password_faillock/ansible.template b/shared/templates/pam_account_password_faillock/ansible.template
new file mode 100644
index 00000000000..5e1161920e5
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/ansible.template
@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_pam_faillock_enable() }}}
+{{{ ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE) }}}
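Review bot: The sibling bash template explicitly calls `bash_instantiate_variables(EXT_VARIABLE)` before using the variable, whereas this Ansible template relies on `ansible_pam_faillock_parameter_value(PRM_NAME, EXT_VARIABLE)` alone; if that macro does not itself emit the `(xccdf-var …)` declaration, the generated playbook references an undefined variable and the task fails at run time rather than at build time. Please confirm the macro declares it, or add the equivalent `{{{ ansible_instantiate_variables(EXT_VARIABLE) }}}` line here so the two templates follow the same pattern.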
diff --git a/shared/templates/pam_account_password_faillock/bash.template b/shared/templates/pam_account_password_faillock/bash.template
new file mode 100644
index 00000000000..e46c3b85197
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/bash.template
@@ -0,0 +1,6 @@
+# platform = multi_platform_all
+
+{{{ bash_instantiate_variables(EXT_VARIABLE) }}}
+
+{{{ bash_pam_faillock_enable() }}}
+{{{ bash_pam_faillock_parameter_value(PRM_NAME, '$'+EXT_VARIABLE) }}}
diff --git a/shared/templates/pam_account_password_faillock/oval.template b/shared/templates/pam_account_password_faillock/oval.template
new file mode 100644
index 00000000000..34174e89664
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/oval.template
@@ -0,0 +1,335 @@
+
+
+ {{{ oval_metadata(DESCRIPTION) }}}
+
+ {{% if 'debian' in product or 'ubuntu' in product %}}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{% else %}}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{% endif %}}
+
+
+
+
+ ^\s*auth\N+pam_unix\.so
+
+
+
+ {{% if 'debian' in product or 'ubuntu' in product %}}
+ ^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc
+ {{% elif 'openeuler' in product %}}
+ ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)?(?=.*?\bnew_authtok_reqd=done\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=die\b)?.*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
+ {{% else %}}
+ ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail
+ {{% endif %}}
+
+
+
+ {{% if 'debian' in product or 'ubuntu' in product %}}
+ ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$
+ {{% elif 'openeuler' in product %}}
+ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_unix\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bignore=ignore\b)?(?=.*?\bdefault=bad\b)?.*\])[\s]+pam_faillock\.so
+ {{% else %}}
+ ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so
+ {{% endif %}}
+
+
+
+ {{{ PRM_REGEX_PAMD }}}
+
+
+
+ {{{ PRM_REGEX_CONF }}}
+
+
+ {{% macro generate_test_faillock_enabled(file_stem) %}}
+
+
+
+
+
+
+ /etc/pam.d/{{{file_stem}}}-auth
+
+ 1
+
+
+
+
+
+
+
+
+ /etc/pam.d/{{{ file_stem }}}-auth
+
+ 1
+
+ {{% endmacro %}}
+
+ {{{ generate_test_faillock_enabled (file_stem="system") }}}
+ {{{ generate_test_faillock_enabled (file_stem="password") }}}
+ {{{ generate_test_faillock_enabled (file_stem="common") }}}
+
+ {{% macro generate_test_faillock_account(file_stem, file) %}}
+
+
+
+
+
+
+ /etc/pam.d/{{{ file }}}
+
+ 1
+
+ {{% endmacro %}}
+
+ {{{ generate_test_faillock_account (file_stem="system", file="system-auth") }}}
+ {{{ generate_test_faillock_account (file_stem="password", file="password-auth") }}}
+ {{{ generate_test_faillock_account (file_stem="common", file="common-account") }}}
+
+ {{% macro generate_check_parameter_in_pam_file(file_stem) %}}
+
+
+
+
+
+
+
+
+ {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+
+ {{% endif %}}
+ {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+
+ {{% endif %}}
+
+
+
+ /etc/pam.d/{{{ file_stem }}}-auth
+
+ 1
+
+ {{% endmacro %}}
+
+
+
+
+
+ {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+
+ {{% if VARIABLE_UPPER_BOUND == "use_ext_variable" %}}
+
+ {{% elif VARIABLE_UPPER_BOUND is number %}}
+ {{{ VARIABLE_UPPER_BOUND }}}
+ {{% else %}}
+
+ {{% endif %}}
+
+ {{% endif %}}
+
+ {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+
+ {{% if VARIABLE_LOWER_BOUND == "use_ext_variable" %}}
+
+ {{% elif VARIABLE_LOWER_BOUND is number %}}
+ {{{ VARIABLE_LOWER_BOUND }}}
+ {{% else %}}
+
+ {{% endif %}}
+
+ {{% endif %}}
+
+ {{{ generate_check_parameter_in_pam_file (file_stem="system") }}}
+ {{{ generate_check_parameter_in_pam_file (file_stem="password") }}}
+ {{{ generate_check_parameter_in_pam_file (file_stem="common") }}}
+
+
+
+
+ {{% if VARIABLE_UPPER_BOUND is defined and VARIABLE_UPPER_BOUND != "none" %}}
+
+ {{% endif %}}
+ {{% if VARIABLE_LOWER_BOUND is defined and VARIABLE_LOWER_BOUND != "none" %}}
+
+ {{% endif %}}
+
+
+
+
+
+
+
+
+ /etc/security/faillock.conf
+
+ 1
+
+
+
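Review bot: In the `openeuler` branches of the auth and account patterns, every control-flag lookahead is suffixed with `?` (for example `(?=.*?\bsuccess=ok\b)?`), and an optional lookahead always matches, so those alternations reduce to `\[.*\]` and accept any bracketed control field; the `required`/`sufficient` keyword is then the only thing actually enforced on that path, unlike the default branch just below where the lookaheads are mandatory. If openEuler's PAM stack legitimately uses different flags, write `\[[^\]]*\]` and say so in a comment; if not, drop the `?` so the check verifies the same control values as the other products. The extraction here has stripped the surrounding OVAL elements, so I could only review the pattern text.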
diff --git a/shared/templates/pam_account_password_faillock/template.yml b/shared/templates/pam_account_password_faillock/template.yml
new file mode 100644
index 00000000000..b57de6fbb63
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
diff --git a/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
new file mode 100644
index 00000000000..b3232cc93ec
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/authselect_modified_pam.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# remediation = none
+
+SYSTEM_AUTH_FILE="/etc/pam.d/system-auth"
+
+# This modification will break the integrity checks done by authselect.
+if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then
+ sed -i "/^password.*requisite.*pam_pwquality\.so/a password requisite pam_pwhistory.so" $SYSTEM_AUTH_FILE
+else
+ sed -i "s/\(.*pam_pwhistory\.so.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g" $SYSTEM_AUTH_FILE
+fi
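Review bot: `if ! $(grep -q "^[^#].*pam_pwhistory\.so.*remember=" $SYSTEM_AUTH_FILE); then` only works by accident: the substitution expands to an empty command and bash falls back to the substitution's exit status (ShellCheck SC2091). Write the test directly, `if ! grep -q "^[^#].*pam_pwhistory\.so.*remember=" "$SYSTEM_AUTH_FILE"; then`, which is also what the quoted variable needs. The `else` branch's `s/\(.*remember=\)[[:digit:]]\+\s\(.*\)/\1/g` captures `\2` and then discards everything after the value; if dropping the rest of the line is the intended way to break authselect's integrity check, a comment saying so would save the next reader a puzzle.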
diff --git a/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
new file mode 100644
index 00000000000..24f5731f63d
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/conflicting_settings_authselect.fail.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# packages = authselect,pam
+# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
+
+pam_files=("password-auth" "system-auth")
+
+authselect create-profile testingProfile --base-on minimal
+
+CUSTOM_PROFILE_DIR="/etc/authselect/custom/testingProfile"
+
+authselect select --force custom/testingProfile
+
+truncate -s 0 /etc/security/faillock.conf
+
+echo "deny = 3" > /etc/security/faillock.conf
+
+{{{ bash_pam_faillock_enable() }}}
+
+for file in ${pam_files[@]}; do
+ if grep -qP "auth.*faillock\.so.*preauth" $CUSTOM_PROFILE_DIR/$file; then
+ sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/" \
+ "$CUSTOM_PROFILE_DIR/$file"
+ else
+ sed -i "0,/^\s*auth.*/i auth required pam_faillock.so preauth deny=3" \
+ "$CUSTOM_PROFILE_DIR/$file"
+ fi
+done
+
+
+authselect apply-changes
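Review bot: `sed -i "/^\s*auth.*faillock\.so.*preauth/ s/$/deny=3/"` appends `deny=3` with no separating space, so a line ending in `silent` becomes `silentdeny=3` and pam_faillock will not see a `deny` option at all; the scenario then no longer exercises the conflicting-settings case it is named for. Use `s/$/ deny=3/`. The `truncate -s 0 /etc/security/faillock.conf` immediately followed by `echo "deny = 3" > /etc/security/faillock.conf` is redundant since the `>` redirection already truncates, and the `0,/^\s*auth.*/i` address form is GNU-sed specific, which is fine for the listed platforms but worth a comment if the test is ever widened.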
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
new file mode 100644
index 00000000000..aa3ca061de7
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_conflicting_settings.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+# This test scenario simulates conflicting settings in pam and faillock.conf files.
+# It means that authselect is not properly configured and may have a unexpected behaviour. The
+# authselect integrity check will fail and the remediation will be aborted in order to preserve
+# intentional changes. In this case, an informative message will be shown in the remediation report.
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
new file mode 100644
index 00000000000..579e5670ea1
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_disabled.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+{{%- if product in ["rhel7"] %}}
+# packages = authconfig
+{{%- else %}}
+# packages = authselect
+{{%- endif %}}
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+if [ -f /usr/sbin/authconfig ]; then
+ authconfig --disablefaillock --update
+else
+ authselect select sssd --force
+ authselect disable-feature with-faillock
+fi
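Review bot: The platform line lists `multi_platform_sle`, but the fallback branch runs `authselect select sssd --force`, and `# packages = authselect` is requested for every non-rhel7 product; SLE does not, as far as I know, ship authselect or authconfig, so on SLE the scenario would fail on a missing command or package rather than on the faillock state it is meant to set up. Either drop `multi_platform_sle` from the platform list or add a pam-config based branch for it, and guard the tools with `command -v authselect` rather than testing only for `/usr/sbin/authconfig`.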
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
new file mode 100644
index 00000000000..e770e300f52
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_faillock_conf.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
new file mode 100644
index 00000000000..24936609706
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_expected_pam_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=3" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
new file mode 100644
index 00000000000..fd57152b8c4
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_faillock_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 5" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
new file mode 100644
index 00000000000..34405f59422
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_lenient_pam_files.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=5" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
new file mode 100644
index 00000000000..efb57601cb9
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_faillock_conf.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+# Ensure the parameters only in /etc/security/faillock.conf
+sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+> /etc/security/faillock.conf
+echo "deny = 3" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
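Review bot: The line appended on the last hunk line is placed at the end of /etc/pam.d/password-auth, after the account, password and session entries, so "in auth section" in the comment refers to the module-type column and not to the file position; Linux-PAM keys on that first column, so the entry still acts as a trailing auth line, but a reader comparing against the file will not see it among the other auth lines. Only password-auth is modified while system-auth is left intact, so the scenario presumably relies on the check inspecting both files independently; stating that is useful. A one-line addition to the comment such as `# Appended at EOF on purpose: PAM groups by the type column, so this is still an extra 'auth' entry (password-auth only).` would remove the ambiguity; the sibling scenarios at L3231 and L3375 carry the same comment.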
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
new file mode 100644
index 00000000000..dbc12db6b9f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_multiple_pam_unix_pam_files.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# remediation = none
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=3" --update
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+echo "auth sufficient pam_unix.so" >> /etc/pam.d/password-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
new file mode 100644
index 00000000000..b780f320362
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_not_required_pam_files.fail.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# platform = multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+{{%- if product in ["rhel7"] %}}
+# packages = authconfig
+{{%- else %}}
+# packages = authselect
+# remediation = none
+{{%- endif %}}
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+# This test scenario manually modify the pam_faillock.so entries in auth section from
+# "required" to "sufficient". This makes pam_faillock.so behave differently than initially
+# intentioned. We catch this, but we can't safely remediate in an automated way.
+if [ -f /usr/sbin/authconfig ]; then
+ authconfig --enablefaillock --faillockargs="deny=3" --update
+else
+ authselect select sssd --force
+ authselect enable-feature with-faillock
+ sed -i --follow-symlinks 's/\(pam_faillock.so \(preauth silent\|authfail\)\).*$/\1 deny=3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+fi
+sed -i --follow-symlinks 's/\(^\s*auth\s*\)\(\s.*\)\(pam_faillock\.so.*$\)/\1 sufficient \3/g' /etc/pam.d/system-auth /etc/pam.d/password-auth
+if [ -f /etc/security/faillock.conf ]; then
+ > /etc/security/faillock.conf
+fi
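Review bot: `# remediation = none` is emitted only for the non-rhel7 branch (L3244), yet the rewrite of the control flag to `sufficient` on L3258 runs on every platform, so the scenario implicitly expects the rhel7/authconfig remediation to repair damage that the authselect remediation is documented (L3250) as refusing to fix. That expectation is presumably because `authconfig --update` regenerates the managed files, but nothing in the script records it, and a future reader may take the asymmetry for a mistake. A comment in the authconfig branch, `# rhel7: authconfig --update regenerates system-auth-ac, so the 'sufficient' change below is expected to be remediated`, would document the intent. The platform/tool mismatch for multi_platform_sle noted at L3133 applies to this header as well.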
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
new file mode 100644
index 00000000000..595b85192da
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_faillock_conf.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = authselect
+# platform = multi_platform_fedora,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Oracle Linux 8
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authselect select sssd --force
+authselect enable-feature with-faillock
+> /etc/security/faillock.conf
+echo "deny = 2" >> /etc/security/faillock.conf
+echo "silent" >> /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
new file mode 100644
index 00000000000..03f93edaa4f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/pam_faillock_stricter_pam_files.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = authconfig
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,multi_platform_fedora
+# variables = var_accounts_passwords_pam_faillock_deny=3
+
+authconfig --enablefaillock --faillockargs="deny=2" --update
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
new file mode 100644
index 00000000000..06e07a9d968
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_commented_values.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-auth
+sed -i 's/\(^.*pam_faillock\.so.*\)/# \1/' /etc/pam.d/common-account
+
+echo "#deny=1" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
new file mode 100644
index 00000000000..e64fb3528e8
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_common.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Create passing pam.d files based on defaults from a clean installation of Ubuntu 22.04 LTS
+# Extra comments and whitespaces were added to test for edge cases
+
+cat >/etc/pam.d/common-auth </etc/pam.d/common-account < /etc/security/faillock.conf
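Review bot: The hunk header announces 50 added lines but only six are rendered, and `cat >/etc/pam.d/common-auth </etc/pam.d/common-account < /etc/security/faillock.conf` is not valid shell on its own, so the here-document bodies that build the two pam.d files appear to have been dropped by the page extraction; the generated PAM stacks could not be reviewed from this view. Since the file is only consumed via `source ubuntu_common.sh` by the ubuntu_* scenarios (L3299, L3326, L3341, L3353, L3373, L3385), a header comment stating that role, e.g. `# Sourced by the ubuntu_*.sh scenarios; not meant to be executed directly`, would make the shebang on L3311 less misleading.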
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
new file mode 100644
index 00000000000..e6d203a01c5
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_correct_pamd.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i 's/\(.*pam_faillock.so.*\)/\1 deny=1/g' /etc/pam.d/common-auth
+
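Review bot: The substitution on L3328 uses an unescaped dot in `pam_faillock.so` and anchors on `.*`, so it appends `deny=1` to every line mentioning the module, including the comment lines that ubuntu_common.sh deliberately adds (L3314), whereas the sibling scenarios at L3301 and L3355 escape the dot. That is harmless for a pass scenario but inconsistent; `sed -i 's/\(^[^#]*pam_faillock\.so.*\)/\1 deny=1/' /etc/pam.d/common-auth` limits the edit to active entries. The scenario carries no `# variables` header, so it presumably relies on the template's default deny value matching 1; if so, a comment such as `# deny=1 is expected to match the default of var_accounts_passwords_pam_faillock_deny` would make that dependency visible, and the trailing blank line can be dropped.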
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
new file mode 100644
index 00000000000..3b73ba396a6
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_empty_faillock_conf.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+# This test should fail because neither pam.d or faillock.conf have deny defined
+
+source ubuntu_common.sh
+
+echo > /etc/security/faillock.conf
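Review bot: `echo > /etc/security/faillock.conf` on the last hunk line leaves a single newline in the file rather than an empty file as the comment on L3339 describes; the other scenarios truncate with a bare redirection (`> /etc/security/faillock.conf`, L3147, L3275). Using the same form here, `> /etc/security/faillock.conf`, keeps the fixture genuinely empty and consistent with the rest of the set. The comment's "neither pam.d or faillock.conf" reads better as "neither pam.d nor faillock.conf".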
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
new file mode 100644
index 00000000000..40c103dc6f9
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_missing_pamd.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+sed -i '/pam_faillock\.so/d' /etc/pam.d/common-auth
+sed -i '/pam_faillock\.so/d' /etc/pam.d/common-account
+
+echo "deny=1" > /etc/security/faillock.conf
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
new file mode 100644
index 00000000000..23be5083c6f
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_multiple_pam_unix.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+# Multiple instances of pam_unix.so in auth section may, intentionally or not, interfere
+# in the expected behaviour of pam_faillock.so. Remediation does not solve this automatically
+# in order to preserve intentional changes.
+
+source ubuntu_common.sh
+
+echo "auth sufficient pam_unix.so" >> /etc/pam.d/common-auth
diff --git a/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
new file mode 100644
index 00000000000..d236f32cb8b
--- /dev/null
+++ b/shared/templates/pam_account_password_faillock/tests/ubuntu_wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+source ubuntu_common.sh
+
+echo "deny=999" > /etc/security/faillock.conf