ComplianceAsCode · dexterle · Jul 10, 2023 · Jul 11, 2023 · Aug 14, 2023
diff --git a/...am/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml b/...am/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...s-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/shared.xml b/...s-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/oval/shared.xml
@@ -12,24 +12,35 @@
         comment="Check expected value for pam_faillock.so audit parameter">
             <criteria operator="AND"
             comment="Check expected pam_faillock.so audit parameter in pam files">
+                {{% if 'ubuntu' not in product %}}
                 <criterion
                 test_ref="test_pam_faillock_audit_parameter_system_auth"
                 comment="Check the audit parameter in auth section of system-auth file"/>
                 <criterion
                 test_ref="test_pam_faillock_audit_parameter_password_auth"
                 comment="Check the audit parameter in auth section of password-auth file"/>
+                {{% else %}}
+                <criterion
+                test_ref="test_pam_faillock_audit_parameter_common_auth"
+                comment="Check the audit parmaeter in auth section of common-auth file"/>
+                {{% endif %}}
+                {{% if 'ubuntu' not in product %}}
                 <criterion
                 test_ref="test_pam_faillock_audit_parameter_no_faillock_conf"
                 comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
+                {{% endif %}}
             </criteria>
             <criteria operator="AND"
             comment="Check expected pam_faillock.so audit parameter in faillock.conf">
+                {{% if 'ubuntu' not in product %}}
                 <criterion
                 test_ref="test_pam_faillock_audit_parameter_no_pamd_system"
                 comment="Check the audit parameter is not present system-auth file"/>
                 <criterion
                 test_ref="test_pam_faillock_audit_parameter_no_pamd_password"
                 comment="Check the audit parameter is not present password-auth file"/>
+                {{% else %}}
+                {{% endif %}}
                 <criterion
                 test_ref="test_pam_faillock_audit_parameter_faillock_conf"
                 comment="Ensure the audit parameter is present in /etc/security/faillock.conf"/>
@@ -42,6 +53,10 @@
         <value>^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit</value>
     </constant_variable>
 
+    <constant_variable id="var_pam_faillock_audit_parameter_authsucc_regex" version="1" datatype="string" comment="regex to identify the authsucc audit parameter in pam files">
+        <value>[\s]*auth[\s]+(?:sufficient)[\s]+pam_faillock.so[^\n#]authsucc</value>
+    </constant_variable>
+
     <ind:textfilecontent54_object id="obj_all_pam_faillock_audit_parameter_system_auth"
     comment="Get the pam_faillock.so preauth audit parameter from system-auth file" version="1">
         <ind:filepath >/etc/pam.d/system-auth</ind:filepath>
@@ -51,13 +66,20 @@
     </ind:textfilecontent54_object>
 
     <ind:textfilecontent54_object id="obj_all_pam_faillock_audit_parameter_password_auth"
-    comment="Get the pam_faillock.so preauth audit parameter from system-auth file" version="1">
+    comment="Get the pam_faillock.so preauth audit parameter from password-auth file" version="1">
         <ind:filepath >/etc/pam.d/password-auth</ind:filepath>
         <ind:pattern operation="pattern match"
         var_ref="var_pam_faillock_audit_parameter_regex" />
         <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
     </ind:textfilecontent54_object>
 
+    <ind:textfilecontent54_object id="obj_all_pam_faillock_audit_parameter_common_auth" comment="Get the pam_faillock.so authsucc audit parameter from common-auth file" version="1">
+        <ind:filepath >/etc/pam.d/common-auth</ind:filepath>
+        <ind:pattern operation="pattern match"
+        var_ref="var_pam_faillock_audit_parameter_authsucc_regex" />
+        <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    </ind:textfilecontent54_object>
+
     <!-- Check the pam_faillock.so audit parameter in system-auth -->
     <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" version="1"
     id="test_pam_faillock_audit_parameter_system_auth"
@@ -73,6 +95,19 @@
         object_ref="obj_all_pam_faillock_audit_parameter_system_auth"/>
     </ind:textfilecontent54_test>
 
+    <!-- Check the pam_faillock.so audit parameter in common-auth -->
+    <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" version="1"
+    id="test_pam_faillock_audit_parameter_common_auth"
+    comment="Check the presence of audit parameter in common-auth">
+        <ind:object
+        object_ref="obj_all_pam_faillock_audit_parameter_common_auth"/>
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1" id="test_pam_faillock_audit_parameter_no_pamd_common" comment="Check the absence of audit parameter in common-auth">
+        <ind:object
+        object_ref="obj_all_pam_faillock_audit_parameter_common_auth"/> 
+    </ind:textfilecontent54_test>
+
     <!-- Check the pam_faillock.so audit parameter in password-auth -->
     <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" version="1"
     id="test_pam_faillock_audit_parameter_password_auth"

diff --git a/...accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/rule.yml b/...accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/rule.yml
@@ -20,6 +20,7 @@ references:
     srg: SRG-OS-000021-GPOS-00005
     stigid@ol8: OL08-00-020021
     stigid@rhel8: RHEL-08-020021
+    stigid@ubuntu2004: UBTU-20-010072
 
 {{% if product == "rhel8" %}}
 platform: os_linux[rhel]>=8.2

diff --git a/...pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/...pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml
@@ -10,13 +10,17 @@
             comment="pam_unix.so appears only once in auth section of common-auth"/>
         <criterion test_ref="test_accounts_passwords_pam_faillock_deny_common_pam_faillock_auth"
             comment="pam_faillock.so is properly defined in auth section of common-auth"/>
+        {{% if 'ubuntu2004' not in product %}}
         <criterion test_ref="test_accounts_passwords_pam_faillock_deny_common_pam_faillock_account"
             comment="pam_faillock.so is properly defined in common-account"/>
+        {{% endif %}}
       </criteria>
       <criteria operator="AND"
           comment="Check expected pam_faillock.so deny parameter in faillock.conf">
+        {{% if 'ubuntu2004' not in product %}}
         <criterion test_ref="test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_common"
             comment="Check the deny parameter is not present in common-auth file"/>
+        {{% endif %}}
         <criterion  test_ref="test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf"
             comment="Ensure the deny parameter is present in /etc/security/faillock.conf"/>
         </criteria>
@@ -31,10 +35,32 @@
     <value>^\s*auth.*pam_unix\.so</value>
   </constant_variable>
 
-  <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_preauth_regex"
+                datatype="string" version="1"
+                comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*$</value>
+  </constant_variable>
+
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_unix_regex"
                 datatype="string" version="1"
                 comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
+    <value>^\s*auth.*pam_unix\.so.*$</value>
+  </constant_variable>
+
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authfail_regex"
+                datatype="string" version="1"
+                comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$</value>
+  </constant_variable>
+
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authsucc_regex"
+                datatype="string" version="1"
+                comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$</value>
   </constant_variable>
 
   <constant_variable id="var_accounts_passwords_pam_faillock_deny_pam_faillock_account_regex"
@@ -86,7 +112,13 @@
         comment="Check common definition of pam_faillock.so in auth section of common-auth">
     <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
     <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_regex"/>
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_preauth_regex"/>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_unix_regex"/>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authfail_regex"/>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authsucc_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
 

diff --git a/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 
 title: 'Lock Accounts After Failed Password Attempts'
 
@@ -65,6 +65,7 @@ references:
     stigid@ol8: OL08-00-020010
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020011
+    stigid@ubuntu2004: UBTU-20-010072
 
 platform: package[pam]
 

diff --git a/...locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/...locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...am/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml b/...am/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/ubuntu.xml
@@ -10,8 +10,10 @@
             comment="pam_unix.so appears only once in auth section of common-auth"/>
         <criterion test_ref="test_accounts_passwords_pam_faillock_interval_common_pam_faillock_auth"
              comment="pam_faillock.so is properly defined in auth section of common-auth"/>
+        {{% if 'ubuntu2004' not in product %}}
         <criterion test_ref="test_accounts_passwords_pam_faillock_interval_common_pam_faillock_account"
              comment="pam_faillock.so is properly defined in common-account"/>
+        {{% endif %}}
       </criteria>
       <criteria operator="AND"
                 comment="Check expected value for pam_faillock.so fail_interval parameter">
@@ -31,10 +33,32 @@
     <value>^\s*auth.*pam_unix\.so</value>
   </constant_variable>
 
-  <constant_variable id="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_regex"
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_preauth_regex"
+                datatype="string" version="1"
+                comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*$</value>
+  </constant_variable>
+
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_unix_regex"
                 datatype="string" version="1"
                 comment="regex to identify pam_faillock.so entries in auth section of pam files">
-    <value>^\s*auth\s+required\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc</value>
+    <value>^\s*auth.*pam_unix\.so.*$</value>
+  </constant_variable>
+
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authfail_regex"
+                datatype="string" version="1"
+                comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail.*$</value>
+  </constant_variable>
+
+  <constant_variable
+  id="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authsucc_regex"
+                datatype="string" version="1"
+                comment="regex to identify pam_faillock.so entries in auth section of pam files">
+    <value>^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc.*$</value>
   </constant_variable>
 
   <constant_variable id="var_accounts_passwords_pam_faillock_interval_pam_faillock_account_regex"
@@ -86,7 +110,13 @@
         comment="Check common definition of pam_faillock.so in auth section of common-auth">
     <ind:filepath>/etc/pam.d/common-auth</ind:filepath>
     <ind:pattern operation="pattern match"
-                 var_ref="var_accounts_passwords_pam_faillock_interval_pam_faillock_auth_regex"/>
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_preauth_regex"/>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_unix_regex"/>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authfail_regex"/>
+    <ind:pattern operation="pattern match"
+                 var_ref="var_accounts_passwords_pam_faillock_deny_pam_faillock_auth_authsucc_regex"/>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
 

diff --git a/...ounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/...ounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle15,ubuntu2004,ubuntu2204
 
 title: 'Set Interval For Counting Failed Password Attempts'
 
@@ -55,6 +55,7 @@ references:
     stigid@ol8: OL08-00-020012
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020012,RHEL-08-020013
+    stigid@ubuntu2004: UBTU-20-010072
 
 platform: package[pam]
 

diff --git a/...m/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/ansible/shared.yml b/...m/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/ansible/shared.yml
@@ -5,6 +5,12 @@
 # disruption = low
 {{{ ansible_pam_faillock_enable() }}}
 
+{{% if 'ubuntu' in product %}}
+  {{%- set pam_path = ['/etc/pam.d/common-auth'] %}}
+{{% else %}}
+  {{%- set pam_path = ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth'] %}}
+{{% endif %}}
+
 - name: {{{ rule_title }}} - Check the presence of /etc/security/faillock.conf file
   ansible.builtin.stat:
     path: /etc/security/faillock.conf
@@ -29,8 +35,6 @@
         regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth(:?(?!silent).)*)
         line: \1required\3 silent
         state: present
-      loop:
-        - /etc/pam.d/system-auth
-        - /etc/pam.d/password-auth
+      loop: {{{ pam_path }}}
   when:
     - not result_faillock_conf_check.stat.exists
diff --git a/...-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/oval/shared.xml b/...-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/oval/shared.xml
@@ -10,6 +10,7 @@
             that if faillock.conf is available, authselect tool only manage parameters on it -->
         <criteria operator="OR"
         comment="Check expected value for pam_faillock.so silent parameter">
+            {{% if 'ubuntu' not in product %}}
             <criteria operator="AND"
             comment="Check expected pam_faillock.so silent parameter in pam files">
                 <criterion
@@ -19,14 +20,17 @@
                 test_ref="test_pam_faillock_silent_parameter_password_auth"
                 comment="Check the silent parameter in auth section of password-auth file"/>
             </criteria>
+            {{% endif %}}
             <criteria operator="AND"
             comment="Check expected pam_faillock.so silent parameter in faillock.conf">
+                {{% if 'ubuntu' not in product %}}
                 <criterion
                 test_ref="test_pam_faillock_silent_parameter_no_pamd_system"
                 comment="Check the silent parameter is not present system-auth file"/>
                 <criterion
                 test_ref="test_pam_faillock_silent_parameter_no_pamd_password"
                 comment="Check the silent parameter is not present password-auth file"/>
+                {{% endif %}}
                 <criterion
                 test_ref="test_pam_faillock_silent_parameter_faillock_conf"
                 comment="Ensure the silent parameter is present in /etc/security/faillock.conf"/>
@@ -48,7 +52,7 @@
     </ind:textfilecontent54_object>
 
     <ind:textfilecontent54_object id="obj_all_pam_faillock_silent_parameter_password_auth"
-    comment="Get the pam_faillock.so preauth silent parameter from system-auth file" version="1">
+    comment="Get the pam_faillock.so preauth silent parameter from password-auth file" version="1">
         <ind:filepath >/etc/pam.d/password-auth</ind:filepath>
         <ind:pattern operation="pattern match"
         var_ref="var_pam_faillock_silent_parameter_regex" />

diff --git a/...ccounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml b/...ccounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol8,rhel8,rhel9
+prodtype: ol8,rhel8,rhel9,ubuntu2004
 
 title: 'Do Not Show System Messages When Unsuccessful Logon Attempts Occur'
 
@@ -31,6 +31,7 @@ references:
     srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005
     stigid@ol8: OL08-00-020019
     stigid@rhel8: RHEL-08-020018,RHEL-08-020019
+    stigid@ubuntu2004: UBTU-20-010072
 
 ocil_clause: 'the system shows messages when three unsuccessful logon attempts occur'
 

diff --git a/...king_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/...king_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2204
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,ubuntu2004,ubuntu2204
 
 title: 'Set Lockout Time for Failed Password Attempts'
 
@@ -67,6 +67,7 @@ references:
     stigid@ol8: OL08-00-020014
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020014,RHEL-08-020015
+    stigid@ubuntu2004: UBTU-20-010072
 
 platform: package[pam]
 

@@ -153,7 +153,11 @@ selections:
     - accounts_password_pam_unix_remember
 
     # UBTU-20-010072 The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
-    - accounts_passwords_pam_tally2
+    - accounts_passwords_pam_faillock_audit
+    - accounts_passwords_pam_faillock_silent
+    - accounts_passwords_pam_faillock_deny
+    - accounts_passwords_pam_faillock_interval
+    - accounts_passwords_pam_faillock_unlock_time
 
     # UBTU-20-010074 The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.
     - aide_periodic_cron_checking