From 2e7b06ba0bc046a884204051cdecdfc441fb7031 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 2 Dec 2025 10:03:40 +0100 Subject: [PATCH 1/5] accounts_password_pam_unix_no_remember: add different behavior to the rule on systems not based on DEbian modify rule description and ocil, Bash and Oval --- .../bash/shared.sh | 14 +++++++++++++- .../oval/shared.xml | 4 ++++ .../rule.yml | 19 ++++++++++++++++++- 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh index 0793ace96683..d26921328504 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh @@ -1,9 +1,11 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu # reboot = false # strategy = configure # complexity = low # disruption = medium +{{% if 'ubuntu' in product or 'debian' in product %}} +# Debian-based systems: Use pam-auth-update {{{ bash_pam_unix_enable() }}} config_file="/usr/share/pam-configs/cac_unix" sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ { 
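Review bot: The new platform line lists the RHEL-family products plus `multi_platform_ubuntu`, but the template condition on the next added line also tests `'debian' in product` and no `multi_platform_debian` is on that list, so the Debian half of the condition cannot be reached from this remediation; either add `multi_platform_debian` to `# platform =` if the Debian path is meant to ship, or drop `or 'debian' in product` here and in the identical condition of the Ansible remediation in patch 2 so the header and the condition agree. The test scenarios added in patch 3 declare rhel, fedora, ol and almalinux but not rhv, so `multi_platform_rhv` listed here is unexercised by them.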
@@ -13,3 +15,13 @@ sed -i -E '/^Password(-Initial)?:/,/^[^[:space:]]/ { }' "$config_file" DEBIAN_FRONTEND=noninteractive pam-auth-update +{{% else %}} +# RHEL-based systems: Use authselect-aware approach +if [ -f /usr/bin/authselect ]; then + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option_configuration('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}} +else + {{{ bash_remove_pam_module_option('/etc/pam.d/system-auth', 'password', '', 'pam_unix.so', 'remember') }}} + {{{ bash_remove_pam_module_option('/etc/pam.d/password-auth', 'password', '', 'pam_unix.so', 'remember') }}} +fi +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml index 81c0031d89e3..94b4e9466579 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml @@ -12,7 +12,11 @@ +{{% if 'ubuntu' in product or 'debian' in product %}} ^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$ +{{% else %}} + ^/etc/pam.d/(system|password)-auth$ +{{% endif %}} ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$ 1 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml index 5c13a69aeffb..fbaed33c19e4 100644 
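Review bot: The `{{% else %}}` branch is selected by `[ -f /usr/bin/authselect ]`, i.e. by the binary being installed, whereas the warning added to rule.yml in this patch speaks of systems that "rely on authselect to manage PAM settings"; a host with authselect installed but opted out of its management would take the authselect branch, and what the macro does then is not visible here, so a comment stating the assumption would help, e.g. `# authselect installed: edit via the macro; its integrity check aborts if the generated PAM files were edited by hand (see rule warning)`. The comment `# RHEL-based systems: Use authselect-aware approach` under-describes the branch, which is taken for every product not matching the ubuntu/debian test (fedora, ol, rhv, almalinux per the platform line), so `# Non-Debian systems: authselect-aware approach` would be accurate. Both macro calls pass an empty control argument, presumably meaning "any control" — worth confirming, since the OVAL check in the next hunk is narrower.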
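Review bot: The content regex kept as context under the new file-path branches, `^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$`, accepts only `sufficient`, `required` or a bracketed control, so a `password requisite pam_unix.so ... remember=5` (or `optional`) line in system-auth or password-auth passes this check even though the Bash macro (called with an empty control argument, presumably any control — confirm), the Ansible regexp in patch 2 and the OCIL grep in patch 5 (`^\s*password\s+.*pam_unix\.so.*\bremember=`) would all treat it as a hit. Now that the rule is extended to the `(system|password)-auth` files, widening the group to `(?:sufficient|required|requisite|optional|\[.*\])` would bring check, remediation and OCIL into agreement; the added scenarios only use `sufficient`, so a `requisite` fail scenario would cover the gap. The non-Debian path pattern `^/etc/pam.d/(system|password)-auth$` matches exactly the files the Bash and Ansible remediations edit, which is consistent.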
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml @@ -9,13 +9,30 @@ description: |- module should be used. This module also stores the last n passwords in /etc/security/opasswd and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512, offering enhanced security. + {{% if 'ubuntu' in product or 'debian' in product %}} +

+ On Debian-based systems, the remember option should be removed from the PAM configuration + in /etc/pam.d/common-* files. + {{% else %}} +

+ The remember option should be removed from the PAM configuration + in /etc/pam.d/system-auth and /etc/pam.d/password-auth files. + {{% endif %}} rationale: |- Removing the remember argument ensures the use of a stronger password hashing algorithm. A more robust hash algorithm increases the difficulty for attackers to crack stored passwords in /etc/security/opasswd, thereby improving system security and - protecting user credentials. + protecting user credentials. severity: medium platform: package[pam] + +warnings: + - general: |- + If the system relies on authselect tool to manage PAM settings, the remediation + will also use authselect tool. However, if any manual modification was made in + PAM files, the authselect integrity check will fail and the remediation will be + aborted in order to preserve intentional changes. In this case, an informative message will + be shown in the remediation report. From efe042b821b1d82135231f6adc2af43ca6dab8d4 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 2 Dec 2025 10:05:09 +0100 Subject: [PATCH 2/5] add Ansible remediation --- .../ansible/shared.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml new file mode 100644 index 000000000000..6442dde33977 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/ansible/shared.yml 
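Review bot: The two new description paragraphs say from which files the `remember` option is removed but not what then provides password-reuse prevention, so a reader could drop history enforcement altogether; a sentence after the `{{% else %}}` paragraph pointing at the pam_pwhistory rules would close that gap, e.g. `Password history should instead be enforced by the pam_pwhistory module; see the accounts_password_pam_pwhistory_remember_system_auth and accounts_password_pam_pwhistory_remember_password_auth rules.` (the CIS control notes touched in patch 4 make exactly this point). The new `warnings` entry describes aborting on a failed authselect integrity check; that matches the Bash remediation's authselect branch but reads as a property of the rule, so it would be worth saying which remediation type it applies to, especially as the Ansible remediation in patch 2 has no authselect handling. The `- protecting user credentials.`/`+ protecting user credentials.` pair is a trailing-whitespace fix only.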
@@ -0,0 +1,18 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{% if 'ubuntu' in product or 'debian' in product %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-password', '/etc/pam.d/common-auth', '/etc/pam.d/common-account', '/etc/pam.d/common-session', '/etc/pam.d/common-session-noninteractive']" %}}
+{{% else %}}
+{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
+{{% endif %}}
+
+- name: '{{{ rule_title }}} - Remove remember option from pam_unix.so'
+ ansible.builtin.replace:
+ dest: "{{ item }}"
+ regexp: '(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)'
+ replace: '\1\2'
+ loop: {{{ pam_config_paths }}}
From 94d4b6c09339c8ae5ea591d1fa4d7d678b73bb71 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 2 Dec 2025 10:05:29 +0100
Subject: [PATCH 3/5] add test scenarios
---
.../tests/no_remember_rhel.pass.sh | 16 ++++++++++++++++
.../tests/remember_commented_rhel.pass.sh | 15 +++++++++++++++
.../tests/remember_present_password_auth.fail.sh | 12 ++++++++++++
.../tests/remember_present_system_auth.fail.sh | 12 ++++++++++++
4 files changed, 55 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh
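Review bot: The task rewrites `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` directly with `ansible.builtin.replace`, whereas the Bash remediation from patch 1 goes through the authselect-aware `bash_remove_pam_module_option_configuration` macro when `/usr/bin/authselect` exists and the warning added to rule.yml promises that behaviour for the rule; on an authselect-managed host those two paths are symlinks into the generated authselect configuration, so this task edits generated files that a subsequent `authselect apply-changes` would presumably regenerate and that make `authselect check` report modifications — the task needs equivalent authselect handling, or the warning should state that the Ansible remediation does not provide it. The regexp `(\s+pam_unix\.so.*)\s+remember=\d+\b(.*)` is not restricted to active `password` lines, so it also rewrites commented-out lines such as the one the `remember_commented_rhel.pass.sh` scenario adds, and any non-password pam_unix line; anchoring it, e.g. `regexp: '(^\s*password\s+\S+\s+pam_unix\.so.*)\s+remember=\d+\b(.*)'`, keeps it in step with the OVAL check (the module compiles the pattern in multiline mode, so `^` is per line — confirm). Minor: `dest:` is only an alias of this module's `path:` parameter.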
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh
new file mode 100644
index 000000000000..92ce2278b8e8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember_rhel.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Ensure system-auth and password-auth don't have remember option
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth
+
+# Add a clean pam_unix.so line without remember if it doesn't exist
+if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+ echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/system-auth
+fi
+
+if ! grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+ echo "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok" >> /etc/pam.d/password-auth
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh
new file mode 100644
index 000000000000..f3cb36505d14
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented_rhel.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Commented lines should pass (comments are ignored)
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/system-auth
+sed -i --follow-symlinks '/pam_unix\.so.*remember=/d' /etc/pam.d/password-auth
+
+# Add commented line with remember (should be ignored)
+echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+echo "# password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+
+# Add clean active lines without remember
+echo "password sufficient pam_unix.so sha512 shadow" >> /etc/pam.d/system-auth
+echo "password sufficient pam_unix.so sha512 shadow" >> /etc/pam.d/password-auth
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh
new file mode 100644
index 000000000000..67d6ca691e2f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_password_auth.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Add remember option to password-auth (should fail)
+if grep -q "^password.*pam_unix\.so" /etc/pam.d/password-auth; then
+ # If pam_unix.so line exists, add remember option
+ sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/password-auth
+else
+ # If no pam_unix.so line exists, add one with remember
+ echo "password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/password-auth
+fi
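Review bot: The fail scenario edits `/etc/pam.d/password-auth` in place with `sed -i --follow-symlinks`, which on an authselect-managed image writes into the generated file the symlink points at; that is precisely the "manual modification" the rule's new warning says makes the authselect integrity check fail and abort the Bash remediation, so on those platforms the scenario may never reach the pass state (inferred from the warning text, the macro itself is not on this page). If the test images are authselect-managed, the scenario should probably modify the selected custom profile and run `authselect apply-changes`, or the scenario should be restricted to platforms where the generated files are plain files. The same applies to `remember_present_system_auth.fail.sh` in the next hunk. Also, `\1 remember=5` is appended unconditionally, so a baseline line that already carries `remember=` ends up with the option twice; deleting such lines first, as the pass scenarios do with `/pam_unix\.so.*remember=/d`, makes the fixture deterministic.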
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh
new file mode 100644
index 000000000000..1914e2484f41
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present_system_auth.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_almalinux
+# packages = pam
+
+# Add remember option to system-auth (should fail)
+if grep -q "^password.*pam_unix\.so" /etc/pam.d/system-auth; then
+ # If pam_unix.so line exists, add remember option
+ sed -i --follow-symlinks 's/\(^password.*pam_unix\.so.*\)/\1 remember=5/' /etc/pam.d/system-auth
+else
+ # If no pam_unix.so line exists, add one with remember
+ echo "password sufficient pam_unix.so sha512 shadow remember=5" >> /etc/pam.d/system-auth
+fi
From a77b247bc7e8b5cf67c624f2cddac0a68ea26c31 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 2 Dec 2025 10:06:00 +0100
Subject: [PATCH 4/5] add rule to all RHEL CIS profiles
---
controls/cis_rhel10.yml | 9 +++++----
controls/cis_rhel8.yml | 7 ++++---
.../accounts_password_pam_unix_no_remember/rule.yml | 5 +++++
products/rhel9/controls/cis_rhel9.yml | 7 ++++---
shared/references/cce-redhat-avail.txt | 3 ---
tests/data/profile_stability/rhel10/cis.profile | 1 +
.../data/profile_stability/rhel10/cis_server_l1.profile | 1 +
.../profile_stability/rhel10/cis_workstation_l1.profile | 1 +
.../profile_stability/rhel10/cis_workstation_l2.profile | 1 +
tests/data/profile_stability/rhel8/cis.profile | 1 +
tests/data/profile_stability/rhel8/cis_server_l1.profile | 1 +
.../profile_stability/rhel8/cis_workstation_l1.profile | 1 +
.../profile_stability/rhel8/cis_workstation_l2.profile | 1 +
tests/data/profile_stability/rhel9/cis.profile | 1 +
tests/data/profile_stability/rhel9/cis_server_l1.profile | 1 +
.../profile_stability/rhel9/cis_workstation_l1.profile | 1 +
.../profile_stability/rhel9/cis_workstation_l2.profile | 1 +
17 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
index 691a5b6d74a8..a3c5e90fb093 100644
--- a/controls/cis_rhel10.yml
+++ b/controls/cis_rhel10.yml
@@ -2106,13 +2106,14 @@ controls: levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory - module, as required in 5.3.3.3.1. See here for more details about pam_unix.so: + recommended by this policy. Instead, it should be used remember option of pam_pwhistory + module, as required in 5.3.2.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + rules: + - accounts_password_pam_unix_no_remember - id: 5.3.2.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index a5b889cd589e..baab83b1e371 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1991,13 +1991,14 @@ controls: levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory + recommended by this policy. Instead, it should be used remember option of pam_pwhistory module, as required in 4.4.3.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + rules: + - accounts_password_pam_unix_no_remember - id: 4.4.3.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) 
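Review bot: The rewritten notes line `recommended by this policy. Instead, it should be used remember option of pam_pwhistory` fixes the spelling but keeps the ungrammatical clause; since the line is touched anyway, `recommended by this policy. Instead, the remember option of the pam_pwhistory module should be used,` reads correctly. The same sentence is rewritten in the cis_rhel8.yml and cis_rhel9.yml hunks on this line. In the cis_rhel10.yml hunk the cross-reference also moves from 5.3.3.3.1 to 5.3.2.3.1, which fits the neighbouring `5.3.2.4.3` id and so looks intentional, but the commit message does not mention it; a word in the commit body would save reviewers checking it against the RHEL 10 benchmark numbering.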
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml index fbaed33c19e4..4d55e7af0e6b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml @@ -27,6 +27,11 @@ rationale: |- severity: medium +identifiers: + cce@rhel8: CCE-90728-7 + cce@rhel9: CCE-90726-1 + cce@rhel10: CCE-90725-3 + platform: package[pam] warnings: diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml index e5b03ac75807..75006bd5da19 100644 --- a/products/rhel9/controls/cis_rhel9.yml +++ b/products/rhel9/controls/cis_rhel9.yml @@ -2035,13 +2035,14 @@ controls: levels: - l1_server - l1_workstation - status: pending + status: automated notes: |- Usage of pam_unix.so module together with "remember" option is deprecated and is not - recommened by this policy. Instead, it should be used remember option of pam_pwhistory + recommended by this policy. Instead, it should be used remember option of pam_pwhistory module, as required in 5.3.3.3.1. See here for more details about pam_unix.so: https://bugzilla.redhat.com/show_bug.cgi?id=1778929 - A new rule needs to be created to remove the remember option from pam_unix module. + rules: + - accounts_password_pam_unix_no_remember - id: 5.3.3.4.3 title: Ensure pam_unix includes a strong password hashing algorithm (Automated) diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 963e26fadc69..0c6a49b2a0fa 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt 
@@ -2421,6 +2421,3 @@ CCE-90720-4
CCE-90721-2
CCE-90722-0
CCE-90723-8
-CCE-90725-3
-CCE-90726-1
-CCE-90728-7
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index 353276de259e..9e32e0b0e61c 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok
accounts_password_pam_pwquality_password_auth
accounts_password_pam_pwquality_system_auth
accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_min_life_existing
accounts_password_set_warn_age_existing
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index 914598916877..c5da206d12c8 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok
accounts_password_pam_pwquality_password_auth
accounts_password_pam_pwquality_system_auth
accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index a0c73e821286..88862e80601d 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -21,6 +21,7 @@ accounts_password_pam_pwhistory_use_authtok
accounts_password_pam_pwquality_password_auth
accounts_password_pam_pwquality_system_auth
accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 7ec7962b67ec..02b065d0f0f1 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -22,6 +22,7 @@ accounts_password_pam_pwhistory_use_authtok
accounts_password_pam_pwquality_password_auth
accounts_password_pam_pwquality_system_auth
accounts_password_pam_unix_authtok
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_min_life_existing
accounts_password_set_warn_age_existing
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 3a736f7c1dc1..e6bbde1a9106 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
@@ -16,6 +16,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
index accc1d4f4a60..c895ad5238d0 100644
--- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
@@ -16,6 +16,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
index b0cfd0ea8aea..3f536cde777f 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
@@ -16,6 +16,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
index c4a96e2466c6..2bcf95b9a595 100644
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
@@ -16,6 +16,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
index 8a203db31ce7..91062aae6c5e 100644
--- a/tests/data/profile_stability/rhel9/cis.profile
+++ b/tests/data/profile_stability/rhel9/cis.profile
@@ -17,6 +17,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_min_life_existing
accounts_password_set_warn_age_existing
diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
index a5dc6c89af50..69deee00db2b 100644
--- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -16,6 +16,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
index fdaaa9e0cf59..14b3e6a51c26 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -16,6 +16,7 @@ accounts_password_pam_minclass
accounts_password_pam_minlen
accounts_password_pam_pwhistory_remember_password_auth
accounts_password_pam_pwhistory_remember_system_auth
+accounts_password_pam_unix_no_remember
accounts_password_set_max_life_existing
accounts_password_set_warn_age_existing
accounts_password_warn_age_login_defs
diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
index f00a69ab0c32..7603c675a3a9 100644
--- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -17,6 +17,7 @@ accounts_password_pam_minclass accounts_password_pam_minlen accounts_password_pam_pwhistory_remember_password_auth accounts_password_pam_pwhistory_remember_system_auth +accounts_password_pam_unix_no_remember accounts_password_set_max_life_existing accounts_password_set_min_life_existing accounts_password_set_warn_age_existing From 08c89dcab1d66954cebd99c1d29b1d756518385b Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 2 Dec 2025 11:03:42 +0100 Subject: [PATCH 5/5] add ocil part to the rule --- .../accounts_password_pam_unix_no_remember/rule.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml index 4d55e7af0e6b..5e11fc66bb94 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml @@ -41,3 +41,16 @@ warnings: PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. + +ocil_clause: 'the remember option is found in pam_unix.so configuration' + +ocil: |- + To verify that the remember option is not present in pam_unix.so configuration, + run the following command: + {{% if 'ubuntu' in product or 'debian' in product %}} +
$ grep -rE "^\s*password\s+.*pam_unix\.so.*\bremember=" /etc/pam.d/common-*
+ {{% else %}} +
$ grep -E "^\s*password\s+.*pam_unix\.so.*\bremember=" /etc/pam.d/system-auth /etc/pam.d/password-auth
+ {{% endif %}} + The command should not return any output. If any lines are returned, it means the remember + option is configured in pam_unix.so, which is not compliant with this requirement.