Fix UBTU-20-010072 to properly set PAM config for pam_faillock

dexterle · dexterle · commit 46285543ab21 · 2023-07-10T21:05:30.000Z
This commit will properly fix STIG by ensuring that the pam_faillock arguments are properly set in /etc/pam.d/common-auth and within /etc/security/faillok.conf.
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/rule.yml
@@ -20,6 +20,7 @@ references:
     srg: SRG-OS-000021-GPOS-00005
     stigid@ol8: OL08-00-020021
     stigid@rhel8: RHEL-08-020021
+    stigid@ubuntu2004: UBTU-20-010072
 
 ocil_clause: 'the "audit" option is not set, is missing or commented out'
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 
 title: 'Lock Accounts After Failed Password Attempts'
 
@@ -54,6 +54,7 @@ references:
     stigid@ol8: OL08-00-020010
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020011
+    stigid@ubuntu2004: UBTU-20-010072
 
 platform: package[pam]
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
 
 title: 'Set Interval For Counting Failed Password Attempts'
 
@@ -40,6 +40,7 @@ references:
     stigid@ol8: OL08-00-020012
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020012
+    stigid@ubuntu2004: UBTU-20-010072
 
 platform: package[pam]
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/ansible/shared.yml
@@ -30,7 +30,11 @@
         line: \1required\3 silent
         state: present
       loop:
+        {{% if 'ubuntu' in product %}}
+        - /etc/pam.d/common-auth
+        {{% else %}}
         - /etc/pam.d/system-auth
         - /etc/pam.d/password-auth
+        {{% endif %}}
   when:
     - not result_faillock_conf_check.stat.exists
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8,rhel9
+prodtype: ol8,rhel8,rhel9,ubuntu2004
 
 title: 'Do Not Show System Messages When Unsuccessful Logon Attempts Occur'
 
@@ -31,6 +31,7 @@ references:
     srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005
     stigid@ol8: OL08-00-020019
     stigid@rhel8: RHEL-08-020019
+    stigid@ubuntu2004: UBTU-20-010072
 
 ocil_clause: 'the system shows messages when three unsuccessful logon attempts occur'
 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 
 title: 'Set Lockout Time for Failed Password Attempts'
 
@@ -54,6 +54,7 @@ references:
     stigid@ol8: OL08-00-020014
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020016
+    stigid@ubuntu2004: UBTU-20-010072
 
 platform: package[pam]
 
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
@@ -150,7 +150,11 @@ selections:
     - accounts_password_pam_unix_remember
 
     # UBTU-20-010072 The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
-    - accounts_passwords_pam_tally2
+    - accounts_passwords_pam_faillock_audit
+    - accounts_passwords_pam_faillock_silent
+    - accounts_passwords_pam_faillock_deny
+    - accounts_passwords_pam_faillock_interval
+    - accounts_passwords_pam_faillock_unlock_time
 
     # UBTU-20-010074 The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.
     - aide_periodic_cron_checking
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
@@ -983,13 +983,18 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
   block:
     - name: {{{ rule_title }}} - Check if pam_faillock.so is already enabled
       ansible.builtin.lineinfile:
+        {{% if 'ubuntu' in product %}}
+        path: /etc/pam.d/common-auth
+        {{% else %}}
         path: /etc/pam.d/system-auth
+        {{% endif %}}
         regexp: .*auth.*pam_faillock\.so (preauth|authfail)
         state: absent
       check_mode: yes
       changed_when: false
       register: result_pam_faillock_is_enabled
 
+    {{% if 'ubuntu' not in product %}}
     - name: {{{ rule_title }}} - Enable pam_faillock.so preauth editing PAM files
       ansible.builtin.lineinfile:
         path: '{{ item }}'
@@ -1001,19 +1006,38 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
         - /etc/pam.d/password-auth
       when:
         - result_pam_faillock_is_enabled.found == 0
+    {{% else %}}
+    - name: {{{ rule_title }}} - Enable pam_faillock.so authsucc editing PAM files
+      ansible.builtin.lineinfile:
+        path: /etc/pam.d/common-auth
+        line: auth        sufficient      pam_faillock.so authsucc
+        insertbefore: ^auth.*sufficient.*pam_unix\.so.*
+        state: present
+      when:
+        - not result_authselect_present.stat.exists
+    {{% endif %}}
 
     - name: {{{ rule_title }}} - Enable pam_faillock.so authfail editing PAM files
       ansible.builtin.lineinfile:
         path: '{{ item }}'
+        {{% if 'ubuntu' in product %}}
+        line: auth     [default=die]  pam_faillock.so authfail
+        {{% else %}}
         line: auth        required      pam_faillock.so authfail
+        {{% endif %}}
         insertbefore: ^auth.*required.*pam_deny\.so.*
         state: present
       loop:
+        {{% if 'ubuntu' in product %}}
+        - /etc/pam.d/common-auth
+        {{% else %}}
         - /etc/pam.d/system-auth
         - /etc/pam.d/password-auth
+        {{% endif %}}
       when:
         - result_pam_faillock_is_enabled.found == 0
 
+    {{% if 'ubuntu' not in product %}}
     - name: {{{ rule_title }}} - Enable pam_faillock.so account section editing PAM files
       ansible.builtin.lineinfile:
         path: '{{ item }}'
@@ -1025,6 +1049,7 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
         - /etc/pam.d/password-auth
       when:
         - result_pam_faillock_is_enabled.found == 0
+    {{% endif %}}
   when:
     - not result_authselect_present.stat.exists
 {{%- endmacro -%}}
@@ -1070,8 +1095,12 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 
 - name: {{{ rule_title }}} - Ensure the pam_faillock.so {{{ parameter }}} parameter not in PAM files
   block:
+    {{% if 'ubuntu' in product %}}
+    {{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/common-auth','auth','','pam_faillock.so',parameter) | indent(4) }}}
+    {{% else %}}
     {{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/system-auth','auth','','pam_faillock.so',parameter) | indent(4) }}}
     {{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth','auth','','pam_faillock.so',parameter) | indent(4) }}}
+    {{% endif %}}
   when:
     - result_faillock_conf_check.stat.exists
 
@@ -1080,7 +1109,11 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
   block:
     - name: {{{ rule_title }}} - Check if pam_faillock.so {{{ parameter }}} parameter is already enabled in pam files
       ansible.builtin.lineinfile:
+        {{% if 'ubuntu' in product %}}
+        path: /etc/pam.d/common-auth
+        {{% else %}}
         path: /etc/pam.d/system-auth
+        {{% endif %}}
         regexp: .*auth.*pam_faillock\.so (preauth|authfail).*{{{ parameter }}}
         state: absent
       check_mode: yes
@@ -1099,8 +1132,12 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
         {{%- endif %}}
         state: present
       loop:
+        {{% if 'ubuntu' in product %}}
+        - /etc/pam.d/common-auth
+        {{% else %}}
         - /etc/pam.d/system-auth
         - /etc/pam.d/password-auth
+        {{% endif %}}
       when:
         - result_pam_faillock_{{{ parameter }}}_parameter_is_present.found == 0
 
@@ -1117,8 +1154,12 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
         {{%- endif %}}
         state: present
       loop:
+        {{% if 'ubuntu' in product %}}
+        - /etc/pam.d/common-auth
+        {{% else %}}
         - /etc/pam.d/system-auth
         - /etc/pam.d/password-auth
+        {{% endif %}}
       when:
         - result_pam_faillock_{{{ parameter }}}_parameter_is_present.found == 0
     {{%- endif %}}
@@ -1132,8 +1173,12 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
         line: \1required\3\4={{ {{{ faillock_var_name }}} }}\5
         state: present
       loop:
+        {{% if 'ubuntu' in product %}}
+        - /etc/pam.d/common-auth
+        {{% else %}}
         - /etc/pam.d/system-auth
         - /etc/pam.d/password-auth
+        {{% endif %}}
       when:
         - result_pam_faillock_{{{ parameter }}}_parameter_is_present.found > 0
 
@@ -1146,8 +1191,12 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
         line: \1required\3\4={{ {{{ faillock_var_name }}} }}\5
         state: present
       loop:
+        {{% if 'ubuntu' in product %}}
+        - /etc/pam.d/common-auth
+        {{% else %}}
         - /etc/pam.d/system-auth
         - /etc/pam.d/password-auth
+        {{% endif %}}
       when:
         - result_pam_faillock_{{{ parameter }}}_parameter_is_present.found > 0
     {{%- endif %}}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle`
	`1`	`+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu`
`2`	`2`	`# reboot = false`
`3`	`3`	`# strategy = restrict`
`4`	`4`	`# complexity = low`