diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml index aa939f3968a..f5628b09edf 100644 --- a/controls/stig_ubuntu2404.yml +++ b/controls/stig_ubuntu2404.yml @@ -714,9 +714,9 @@ controls: for local and network access to privileged and nonprivileged accounts. levels: - medium - related_rules: + rules: - smartcard_pam_enabled - status: planned + status: automated - id: UBTU-24-400030 title: Ubuntu 24.04 LTS must implement smart card logins for multifactor authentication diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/bash/shared.sh index 67b8bb9fbea..bb1f33ffdd1 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/bash/shared.sh @@ -1,6 +1,16 @@ -# platform = multi_platform_sle,multi_platform_slmicro +# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu {{% if 'ubuntu' in product %}} -{{{ bash_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', '[success=2 default=ignore]', 'pam_pkcs11.so', '', '', '# here are the per-package modules') }}} +cat << EOF > /usr/share/pam-configs/cac_pkcs11 +Name: Enable pkcs11 +Conflicts: pkcs11 +Default: yes +Priority: 512 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_pkcs11.so +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pkcs11 {{% else %}} {{{ bash_ensure_pam_module_options('/etc/pam.d/common-auth', 'auth','sufficient', 'pam_pkcs11.so', '', '', '') }}} {{% endif %}} 
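Review bot: The `DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pkcs11` line that closes the Ubuntu branch of shared.sh gives no feedback when pam-auth-update declines to rewrite `/etc/pam.d/common-auth`, which, as far as I recall, is what it does in noninteractive mode when the file carries local modifications and `--force` is not passed; the remediation would then finish cleanly while pam_pkcs11.so is still absent from the auth stack. A post-check such as `grep -q 'pam_pkcs11.so' /etc/pam.d/common-auth || echo "pam-auth-update did not apply cac_pkcs11; check /etc/pam.d/common-auth for local edits" >&2` would surface that, and the same silent path exists in the three test scripts that run `pam-auth-update --enable tmp_pkcs11` (commented.fail.sh, correct.pass.sh, substring.fail.sh). The heredoc delimiter is unquoted in all four places; nothing in the profile body expands today, but `cat << 'EOF' > /usr/share/pam-configs/cac_pkcs11` keeps the written profile literal if a `$` or backtick is ever added. A one-line comment above the heredoc, `# pam-auth-update profile; Conflicts: pkcs11 is meant to replace the package-shipped profile rather than stack a second pam_pkcs11.so entry`, would explain the header fields to the next reader (I cannot confirm the stock profile's priority from here, so the value 512 stays undocumented).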
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
index 91934ecd5b3..7305f0c50f9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh
@@ -2,7 +2,18 @@
 # platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # packages = libpam-pkcs11
 {{% if 'ubuntu' in product %}}
-sed -i '/^auth.*pam_unix.so/i # auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth
+cat << EOF > /usr/share/pam-configs/tmp_pkcs11
+Name: Enable pkcs11
+Conflicts: pkcs11
+Default: yes
+Priority: 511
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] #pam_pkcs11.so
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pkcs11
+rm -f /usr/share/pam-configs/tmp_pkcs11
 {{% else %}}
 echo '# auth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth
 {{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
index 517c970aa92..925b4d7297f 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh
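Review bot: The `#pam_pkcs11.so` token in the `Auth:` field of the tmp_pkcs11 profile no longer yields a commented-out directive: as far as I can tell pam-auth-update copies the field verbatim into the generated `auth` line, so `/etc/pam.d/common-auth` would contain `auth [success=N default=ignore] #pam_pkcs11.so` rather than a line starting with `#`. Whether the check then treats the entry as absent depends on how its pattern anchors the module name, and the scenario now overlaps with substring.fail.sh (a stray character attached to the module name) instead of exercising a commented line as the old sed version did. A comment above the heredoc, `# '#' lands mid-line in the generated auth entry; the check must not accept an entry whose module field is '#pam_pkcs11.so'`, would record what the scenario actually guards against, or the file could be renamed to match its new content.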
@@ -3,7 +3,18 @@ # packages = libpam-pkcs11 {{% if 'ubuntu' in product %}} -sed -i '/^auth.*pam_unix.so/i auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth +cat << EOF > /usr/share/pam-configs/tmp_pkcs11 +Name: Enable pkcs11 +Conflicts: pkcs11 +Default: yes +Priority: 511 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_pkcs11.so +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pkcs11 +rm -f /usr/share/pam-configs/tmp_pkcs11 {{% else %}} echo 'auth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth {{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh index df8aa9695b4..7871e882f9d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh @@ -2,4 +2,6 @@ # platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu # packages = libpam-pkcs11 +{{% if 'ubuntu' not in product %}} echo "auth [success=1 default=ignore] pam_unix.so nullok" > /etc/pam.d/common-auth +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh index 67fa5d22551..d0a3b45fd9c 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh 
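Review bot: In the nothing.fail.sh hunk the only statement now sits inside `{{% if 'ubuntu' not in product %}}`, so on Ubuntu the script leaves `/etc/pam.d/common-auth` exactly as the test image provides it; the scenario therefore only fails if the image never had a pkcs11 profile enabled, which nothing in the script establishes. An explicit else branch would make the starting state deterministic: `{{% else %}}` / `DEBIAN_FRONTEND=noninteractive pam-auth-update --remove pkcs11`, hedged in that I cannot see from here whether pam-auth-update tolerates removing a profile that is already disabled. In the correct.pass.sh hunk on the same line, the profile written to `/usr/share/pam-configs/tmp_pkcs11` is deleted right after `--enable`; that is fine for the scenario but deserves a comment such as `# profile file removed again so a later pam-auth-update run drops it; common-auth keeps the rendered entry`, since what pam-auth-update keeps under its own state directory after the rm is not visible in the hunk.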
@@ -3,7 +3,18 @@ # packages = libpam-pkcs11 {{% if 'ubuntu' in product %}} -sed -i '/^auth.*pam_unix.so/i aauth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth +cat << EOF > /usr/share/pam-configs/tmp_pkcs11 +Name: Enable pkcs11 +Conflicts: pkcs11 +Default: yes +Priority: 511 +Auth-Type: Primary +Auth: + [success=end default=ignore] ppam_pkcs11.so +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable tmp_pkcs11 +rm -f /usr/share/pam-configs/tmp_pkcs11 {{% else %}} echo 'aauth sufficient pam_pkcs11.so' > /etc/pam.d/common-auth {{% endif %}}
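Review bot: The `ppam_pkcs11.so` token is the only thing distinguishing this scenario from correct.pass.sh, and the name "substring" dates from the removed sed line where the trap was `aauth` matching an unanchored `auth`; the trap is now a module field that ends in `pam_pkcs11.so`, so the check must anchor the module name on its left (whitespace or line start), not only on `.so`. A comment above the heredoc, `# 'ppam_pkcs11.so' contains pam_pkcs11.so as a suffix; the check must anchor the module name, not substring-match it`, keeps the scenario's purpose readable now that the sed version is gone. The rendered entry points at a module that does not exist; with `default=ignore` I would expect PAM to skip it and continue to pam_unix, but the hunk does not show how the test harness handles a module-load error, so that assumption is worth confirming.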