Remove all nullok parameters of pam_unix.so

Check all nullok parameters in common-*
ComplianceAsCode · Jan 30, 2025 · 0591704 · 0591704
1 parent c7a57e0
commit 0591704
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 19 deletions.
diff --git a/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -13,17 +13,7 @@ done
 {{% elif 'ubuntu' in product %}}
 {{{ bash_pam_unix_enable() }}}
 config_file="/usr/share/pam-configs/cac_unix"
-sed -i -E '/^Password:/,/^[^[:space:]]/ {
-    /pam_unix\.so/ {
-        s/\s*nullok//g
-    }
-}' "$config_file"
-
-sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
-    /pam_unix\.so/ {
-        s/\s*nullok//g
-    }
-}' "$config_file"
+sed -iE 's/^(.*pam_unix\.so)([^#\n\r]+\s*)?(nullok)(.*)?$/\1\2\4/g' "$config_file"
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}

diff --git a/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
@@ -15,7 +15,7 @@
 {{% if product in ["sle12", "sle15", "slmicro5"] %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/.*$</ind:filepath>
 {{% elif 'ubuntu' in product %}}
-    <ind:filepath operation="pattern match">^/etc/pam.d/common-password</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$</ind:filepath>
 {{% else %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/(system|password)-auth$</ind:filepath>
 {{% endif %}}

diff --git a/...ccounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/...ccounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
@@ -7,13 +7,14 @@ config_file=/usr/share/pam-configs/tmp_unix
 
 cat << EOF > "$config_file"
 Name: Unix authentication
+Conflicts: unix
 Default: yes
-Priority: 256
+Priority: 257
 Auth-Type: Primary
 Auth:
-	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+	[success=end default=ignore]	pam_unix.so try_first_pass
 Auth-Initial:
-	[success=end default=ignore]	pam_unix.so nullok
+	[success=end default=ignore]	pam_unix.so
 Account-Type: Primary
 Account:
 	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so

diff --git a/.../accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh b/.../accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
@@ -7,13 +7,14 @@ config_file=/usr/share/pam-configs/tmp_unix
 
 cat << EOF > "$config_file"
 Name: Unix authentication
+Conflicts: unix
 Default: yes
-Priority: 256
+Priority: 257
 Auth-Type: Primary
 Auth:
-	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+	[success=end default=ignore]	pam_unix.so try_first_pass # nullok
 Auth-Initial:
-	[success=end default=ignore]	pam_unix.so nullok
+	[success=end default=ignore]	pam_unix.so # nullok
 Account-Type: Primary
 Account:
 	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so

diff --git a/...ts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh b/...ts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present.fail.sh
@@ -7,8 +7,9 @@ config_file=/usr/share/pam-configs/tmp_unix
 
 cat << EOF > "$config_file"
 Name: Unix authentication
+Conflicts: unix
 Default: yes
-Priority: 256
+Priority: 257
 Auth-Type: Primary
 Auth:
 	[success=end default=ignore]	pam_unix.so nullok try_first_pass