Merge pull request #12904 from mpurg/ubuntu2404_cis_5.3.1.1_5.3.1.2

Add rules for installing pam-runtime and pam-modules to Ubuntu 24.04

components/pam.yml

@@ -14,6 +14,8 @@ name: pam
 packages:
 - pam
 - pam_apparmor
+- libpam-runtime
+- libpam-modules
 rules:
 - account_disable_inactivity_password_auth
 - account_disable_inactivity_system_auth
@@ -198,7 +200,9 @@ rules:
 - no_tmux_in_shells
 - package_opensc_installed
 - package_pam_apparmor_installed
+- package_pam_modules_installed
 - package_pam_pwquality_installed
+- package_pam_runtime_installed
 - package_pcsc-lite_installed
 - package_screen_installed
 - package_tmux_installed

controls/cis_ubuntu2404.yml

@@ -1833,16 +1833,21 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - package_pam_runtime_installed
+    status: automated
+    notes: |
+      The CIS control checks that version >= 1.5.3-5 and not that
+      it is the latest version as the title suggests.
 
   - id: 5.3.1.2
     title: Ensure libpam-modules is installed (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - package_pam_modules_installed
+    status: automated
 
   - id: 5.3.1.3
     title: Ensure libpam-pwquality is installed (Automated)

linux_os/guide/system/accounts/accounts-pam/package_pam_modules_installed/rule.yml

@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Install pam-modules Package'
+
+description: |-
+    {{{ describe_package_install(package="libpam-modules") }}}
+
+rationale: |-
+    libpam-modules contains PAM modules that are needed
+    by other rules when configuring PAM options.
+
+severity: medium
+
+platform: package[pam]
+
+template:
+    name: package_installed
+    vars:
+        pkgname: libpam-modules
+        evr: 0:1.5.3-5

linux_os/guide/system/accounts/accounts-pam/package_pam_modules_installed/tests/package-installed-removed.fail.sh

@@ -0,0 +1,6 @@
+# platform = Not Applicable
+
+# Override template test.
+# The package shouldn't be removed as it would
+# break the test environment.
+

linux_os/guide/system/accounts/accounts-pam/package_pam_modules_installed/tests/package-removed.fail.sh

@@ -0,0 +1,5 @@
+# platform = Not Applicable
+
+# Override template test.
+# The package shouldn't be removed as it would
+# break the test environment.

linux_os/guide/system/accounts/accounts-pam/package_pam_runtime_installed/rule.yml

@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Install pam-runtime Package'
+
+description: |-
+    {{{ describe_package_install(package="libpam-runtime") }}}
+
+rationale: |-
+    libpam-runtime contains configuration that is needed
+    by other rules when configuring PAM options.
+
+severity: medium
+
+template:
+    name: package_installed
+    vars:
+        pkgname: libpam-runtime
+        evr: 0:1.5.3-5

linux_os/guide/system/accounts/accounts-pam/package_pam_runtime_installed/tests/package-installed-removed.fail.sh

@@ -0,0 +1,6 @@
+# platform = Not Applicable
+
+# Override template test.
+# The package shouldn't be removed as it would
+# break the test environment.
+

linux_os/guide/system/accounts/accounts-pam/package_pam_runtime_installed/tests/package-removed.fail.sh

@@ -0,0 +1,5 @@
+# platform = Not Applicable
+
+# Override template test.
+# The package shouldn't be removed as it would
+# break the test environment.