From b15ec90959a5dc063b993caa6795dee2c4f51d63 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 22 Apr 2024 17:09:24 +0200
Subject: [PATCH 1/3] Add Ubuntu tests for set_password_hashing_algorithm_systemauth
---
 .../tests/commented_value.fail.sh | 7 +++++++
 .../tests/correct.pass.sh | 10 +++++++++-
 .../tests/missing.fail.sh | 6 +++++-
 .../tests/wrong_value_concat.fail.sh | 6 ++++++
 4 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
new file mode 100644
index 00000000000..2ee0cfe53e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# remediation = none
+
+sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' /etc/pam.d/common-password
+sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ # sha512/' /etc/pam.d/common-password
+
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 557a3626283..3638cb1918a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -1,8 +1,16 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+{{% if 'ubuntu' in product %}}
+pam_file="/etc/pam.d/common-password"
+
+if ! grep -q "^\s*password.*pam_unix\.so.*sha512" "$pam_file"; then
+ sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ sha512/' "$pam_file"
+fi
+{{% else %}}
 pam_file="/etc/pam.d/system-auth"
 if ! grep -q "^password.*sufficient.*pam_unix\.so.*sha512" "$pam_file"; then
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/$/ sha512/' "$pam_file"
 fi
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index ac6e4852cdd..1cc9da3985b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -1,4 +1,8 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ubuntu
+{{% if 'ubuntu' in product %}}
+sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/common-password"
+{{% else %}}
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/system-auth"
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
new file mode 100644
index 00000000000..9445a5583ab
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/sha512//g' /etc/pam.d/common-password
+sed -i --follow-symlinks '/^\s*password.*pam_unix\.so/ s/$/ sha5122/' /etc/pam.d/common-password
+
From e427553cb69977e36763a5b641f2eb3389c86778 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 22 Apr 2024 17:12:42 +0200
Subject: [PATCH 2/3] Fix rule set_password_hashing_algorithm_systemauth on Ubuntu
Modified bash and OVAL of set_password_hashing_algorithm_systemauth to use the correct pathname (/etc/pam.d/common-password) and control ([success=... ]) on Ubuntu.
---
 .../bash/shared.sh | 7 +++++++
 .../oval/shared.xml | 3 +++
 .../rule.yml | 11 +++++++++--
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
index f2e4939dc4c..e7337d036a1 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -2,6 +2,13 @@
 {{% if product in ["sle15", "sle12"] -%}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'required', 'pam_unix.so', 'sha512', '', '') }}}
+{{% elif 'ubuntu' in product -%}}
+# Can't use macro bash_ensure_pam_module_configuration because the control
+# contains special characters and is not static ([success=N default=ignore)
+PAM_FILE_PATH=/etc/pam.d/common-password
+if ! grep -qP '^\s*password\s+.*\s+pam_unix.so\s+.*\s+sha512\b' "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks '/\s*password\s+.*\s+pam_unix.so.*/ s/$/ sha512/' "$PAM_FILE_PATH"
+fi
 {{%- else -%}}
 {{{ bash_ensure_pam_module_configuration('/etc/pam.d/system-auth', 'password', 'sufficient', 'pam_unix.so', 'sha512', '', '') }}}
 {{%- endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
index a754a84df6c..e8485d66c5a 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
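Review bot: The added grep on the Ubuntu branch is not comment-aware, so a line ending in a trailing comment such as `... pam_unix.so obscure # sha512` satisfies `\s+.*\s+sha512\b` and the remediation silently does nothing — which is presumably why commented_value.fail.sh earlier in this series had to be marked `remediation = none` — while the OVAL pattern added in the next file rejects that line with `[^#]*`. The same grep also needs at least two whitespace characters between `pam_unix.so` and `sha512` (`\s+.*\s+`), so an already-correct `pam_unix.so sha512` is not recognised and another ` sha512` is appended on every run; and the sed address has no `^` anchor, so a commented-out `# password ... pam_unix.so` line would get ` sha512` appended too. Suggest `if ! grep -qP '^\s*password\s+.*\s+pam_unix\.so\s+[^#]*\bsha512\b' "$PAM_FILE_PATH"; then` and `sed -i -E --follow-symlinks '/^\s*password\s+.*\s+pam_unix\.so/ s/$/ sha512/' "$PAM_FILE_PATH"`, which makes the bash check agree with the OVAL one and keeps the fix idempotent.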
@@ -17,6 +17,9 @@
 {{% if product in ['sle12', 'sle15'] %}}
 /etc/pam.d/common-password
 ^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+.*sha512.*$
+ {{% elif 'ubuntu' in product %}}
+ /etc/pam.d/common-password
+ ^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+[^#]*[\s]sha512(\s.*)?$
 {{% else %}}
 /etc/pam.d/system-auth
 ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 7fae090d474..c7842eda268 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
 title: "Set PAM''s Password Hashing Algorithm"
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/system-auth" %}}
@@ -19,6 +19,8 @@ description: |-
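Review bot: The Ubuntu pattern accepts only the `[success=\d+ default=ignore]` control, whereas the bash remediation added in this commit matches any control between `password` and `pam_unix.so`, so a pam_unix line written with `required` or `sufficient` on Ubuntu gets `sha512` appended by the fix yet still fails this check. Either widen the alternation, e.g. `(?:\[success=\d+\s+default=ignore\]|required|requisite|sufficient)`, or tighten the bash grep/sed to the same control so check and fix agree; the sle/else branches are already loose in this respect. The trailing `(\s.*)?$` also accepts further options after `sha512`; if pam_unix takes the last hashing option on the line (worth confirming against the module's option handling), `sha512 yescrypt` would pass while not hashing with sha512, so consider rejecting other algorithm keywords after `sha512` rather than `.*`.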
{{% if product in ["sle12", "sle15"] %}}
password    required    pam_unix.so sha512 other arguments...
+ {{% elif 'ubuntu' in product %}} +
password    [success=1 default=ignore]   pam_unix.so sha512 other arguments...
{{% else %}}
password    sufficient    pam_unix.so sha512 other arguments...
{{% endif %}}
@@ -69,6 +71,7 @@ references:
 stigid@rhel8: RHEL-08-010159
 stigid@sle12: SLES-12-010230
 stigid@sle15: SLES-15-020170
+ stigid@ubuntu2204: UBTU-22-611055
 ocil_clause: '"sha512" is missing, or is commented out'
@@ -80,6 +83,8 @@ ocil: |-
$ sudo grep "^password.*pam_unix\.so.*sha512" {{{ pam_passwd_file_path }}}
     {{% if product in ["sle12", "sle15"] -%}}
     password required pam_unix.so sha512
+    {{% elif 'ubuntu' in product %}}
+    password [success=1 default=ignore] pam_unix.so sha512
     {{% else %}}
     password sufficient pam_unix.so sha512
     {{%- endif -%}}
@@ -88,7 +93,7 @@ ocil: |-
 platform: package[pam]
 
 fixtext: |-
-    {{% if product in ['ol9', 'rhel9'] -%}}
+    {{% if product in ['ol9', 'rhel9', 'ubuntu2204'] -%}}
     Configure {{{ full_name }}} to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.
     {{% else %}}
     Configure {{{ full_name }}} to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
@@ -97,6 +102,8 @@ fixtext: |-
     Edit/modify the following line in the "{{{ pam_passwd_file_path }}}" file to include the sha512 option for pam_unix.so:
     {{% if product in ['sle12', 'sle15'] -%}}
     password required pam_unix.so sha512
+    {{% elif 'ubuntu' in product %}}
+    password [success=1 default=ignore] pam_unix.so sha512
     {{% else %}}
     password sufficient pam_unix.so sha512
     {{%- endif %}}

From 1ca1e4af6e565be187cf9477269818cd3c9ef2c9 Mon Sep 17 00:00:00 2001
From: Miha Purg 
Date: Mon, 22 Apr 2024 17:24:30 +0200
Subject: [PATCH 3/3] Add rule set_password_hashing_algorithm_systemauth to
 Ubuntu STIG profile

---
 products/ubuntu2204/profiles/stig.profile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile
index 5fe21f5c71f..2aeafc53d44 100644
--- a/products/ubuntu2204/profiles/stig.profile
+++ b/products/ubuntu2204/profiles/stig.profile
@@ -620,9 +620,8 @@ selections:
     # UBTU-22-654225 The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to modify the /etc/sudoers.d directory occur
     - audit_rules_sudoers_d
 
-    ### TODO (rule needed; reevaluate requirement)
-    # Analogous to set_password_hashing_algorithm_passwordauth
     # UBTU-22-611055 The Ubuntu operating system must store only encrypted representations of passwords
+    - set_password_hashing_algorithm_systemauth
 
     ### TODO (rule needed)
     # Analogous to audit_rules_login_events_lastlog