Limit Password Reuse (ubuntu2204)

Classification: compliance

Description

Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

Rationale

Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'libpam-runtime' 2>/dev/null | grep -q installed; then

# Number of previous passwords pam_unix should remember (remember=N).
# The value is left empty in this rendering of the rule and must be set to
# the number required by your password policy before the script is run.
var_password_pam_unix_remember=''


if [ -e "/etc/pam.d/common-password" ] ; then
    valueRegex="$var_password_pam_unix_remember" defaultValue="$var_password_pam_unix_remember"
    # non-empty values need to be preceded by an equals sign
    [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
    # add an equals sign to non-empty values
    [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

    # fix 'type' if it's wrong
    if grep -q -P "^\\s*(?"'!'"password\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_unix.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_unix.so)/\\1password\\2/" "/etc/pam.d/common-password"
    fi

    # fix 'control' if it's wrong
    if grep -q -P "^\\s*password\\s+(?"'!'"\[success=[[:alnum:]].*\])[[:alnum:]]+\\s+pam_unix.so" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+)[[:alnum:]]+(\\s+pam_unix.so)/\\1\[success=[[:alnum:]].*\]\\2/" "/etc/pam.d/common-password"
    fi

    # fix the value for 'option' if one exists but does not match 'valueRegex'
    if grep -q -P "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so(\\s.+)?\\s+remember(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-password" ; then
        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so(\\s.+)?\\s)remember=[^[:space:]]*/\\1remember${defaultValue}/" "/etc/pam.d/common-password"

    # add 'option=default' if option is not set
    elif grep -q -E "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so" < "/etc/pam.d/common-password" &&
         grep -E "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so" < "/etc/pam.d/common-password" | grep -q -E -v "\\sremember(=|\\s|\$)" ; then

        sed --follow-symlinks -i -E -e "s/^(\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so[^\\n]*)/\\1 remember${defaultValue}/" "/etc/pam.d/common-password"
    # add a new entry if none exists
    elif ! grep -q -P "^\\s*password\\s+\[success=[[:alnum:]].*\]\\s+pam_unix.so(\\s.+)?\\s+remember${valueRegex}(\\s|\$)" < "/etc/pam.d/common-password" ; then
        echo "password \[success=[[:alnum:]].*\] pam_unix.so remember${defaultValue}" >> "/etc/pam.d/common-password"
    fi
else
    echo "/etc/pam.d/common-password doesn't exist" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
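As an added example (not the rule's own remediation script), the read-only audit check below answers the question the remediation leaves open: is remember=N actually present on the active pam_unix or pam_pwhistory password line, and is N at least the required minimum? The function name, the minimum value and the two sample common-password files are assumptions constructed for this example.

```shell
# Added audit check (not part of the original rule content). It parses a PAM
# password-stack file and reports whether the active pam_unix or pam_pwhistory
# line carries remember=N with N at or above a required minimum.
# Assumptions: POSIX sh with awk; function name and sample files are made up here.

# pam_remember_check FILE MIN
# Prints the effective remember value (or "unset") and returns 0 only when
# remember=N is present on an uncommented 'password' line that loads
# pam_unix.so or pam_pwhistory.so and N >= MIN.
pam_remember_check() {
    file=$1
    min=$2
    [ -r "$file" ] || { echo "unset"; return 1; }
    # The control field may be bracketed and contain spaces
    # (e.g. "[success=1 default=ignore]"), so scan every field for remember=N
    # instead of relying on fixed column positions.
    value=$(awk '
        /^[[:space:]]*#/ { next }
        $1 == "password" && /pam_unix\.so|pam_pwhistory\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/) { sub(/^remember=/, "", $i); print $i; exit }
        }' "$file")
    if [ -z "$value" ]; then
        echo "unset"
        return 1
    fi
    echo "$value"
    [ "$value" -ge "$min" ]
}

# Constructed sample: Ubuntu-style common-password with remember=5 on pam_unix
SAMPLE_OK='# /etc/pam.d/common-password (constructed sample)
password        [success=1 default=ignore]      pam_unix.so obscure yescrypt remember=5
password        requisite                       pam_deny.so
password        required                        pam_permit.so'

# Constructed sample: pam_unix line without any remember option
SAMPLE_MISSING='password        [success=1 default=ignore]      pam_unix.so obscure yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so'

# Writes sample text to a temporary file and prints its path
write_sample() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}
```

Running pam_remember_check /etc/pam.d/common-password 5 on a live host reports the configured value and a non-zero exit status when the rule is not met.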

Warning

If the system relies on the authselect tool to manage PAM settings, the remediation will also use the authselect tool. However, if any manual modification was made to the PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.