From 610856c7cfec08f6e01dfac1c2431c66a6cedbf3 Mon Sep 17 00:00:00 2001 From: Rodrigo Tavares Date: Wed, 6 Nov 2024 16:01:30 -0300 Subject: [PATCH] Relocate faillock and pwquality pam modules config Currently CIS Benchmark fails when checking faillock and pwquality configuration when it doesn't find them set in faillock.conf and pwquality.conf, even though some items pass, as they are correctly configured in /etc/pam.d/common-auth and /etc/pam.d/common-password. CIS recommends having the configuration only in one place, and requires those separate files to contain them. This change removes faillock and pwquality configurations from the /etc/pam.d files, adds them to the recommended configuration files, and does not change any password requirements or lock rules. Test Plan: PASS: Run build-pkgs -c -p pam-config. PASS: Install pam-config deb file and check if faillock.conf from libpam-modules is renamed with .old suffix. PASS: Roll back pam-config package to master and check if faillock.conf from libpam-modules is renamed back. PASS: Run build-image. PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of the controller-0. PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of controller-0 and controller-1. PASS: Change password 5 times and then try to use the first password of the sequence again to verify if it is using password history. PASS: Try password without at least 1 uppercase letter. PASS: Try password without at least 1 lowercase letter. PASS: Try password without at least one number. PASS: Try password without at least one special character. PASS: Try password with fewer than 12 characters and verify if it fails. PASS: Try password with less than 3 different characters from the old one and verify that it fails. Story: 2011283 Task: 51351 Change-Id: I00424030b8fd877752908c35793627df16eb31c8 
Signed-off-by: Rodrigo Tavares
---
 pam-config/debian/deb_folder/pam-config.install | 2 ++
 pam-config/debian/deb_folder/postinst           | 3 +++
 pam-config/debian/deb_folder/postrm             | 9 +++++++++
 pam-config/debian/deb_folder/preinst            | 9 +++++++++
 pam-config/source-debian/common-auth            | 6 +++---
 pam-config/source-debian/common-password        | 2 +-
 pam-config/source-debian/faillock.conf          | 2 ++
 pam-config/source-debian/pwquality.conf         | 8 ++++++++
 8 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 pam-config/debian/deb_folder/postrm
 create mode 100644 pam-config/debian/deb_folder/preinst
 create mode 100644 pam-config/source-debian/faillock.conf
 create mode 100644 pam-config/source-debian/pwquality.conf

diff --git a/pam-config/debian/deb_folder/pam-config.install b/pam-config/debian/deb_folder/pam-config.install
index 831d830..2070314 100644
--- a/pam-config/debian/deb_folder/pam-config.install
+++ b/pam-config/debian/deb_folder/pam-config.install
@@ -3,3 +3,5 @@ common-password /usr/share/starlingx
 common-session /usr/share/starlingx
 common-session-noninteractive /usr/share/starlingx
 common-account /usr/share/starlingx
+faillock.conf /usr/share/starlingx
+pwquality.conf /usr/share/starlingx
diff --git a/pam-config/debian/deb_folder/postinst b/pam-config/debian/deb_folder/postinst
index a7b2da8..1633d8f 100644
--- a/pam-config/debian/deb_folder/postinst
+++ b/pam-config/debian/deb_folder/postinst
@@ -7,5 +7,8 @@ cp /usr/share/starlingx/common-auth /etc/pam.d/common-auth
 cp /usr/share/starlingx/common-password /etc/pam.d/common-password
 cp /usr/share/starlingx/common-session /etc/pam.d/common-session
 cp /usr/share/starlingx/common-session-noninteractive /etc/pam.d/common-session-noninteractive
+cp /usr/share/starlingx/faillock.conf /etc/security/faillock.conf
+mkdir -p /etc/security/pwquality.conf.d
+cp /usr/share/starlingx/pwquality.conf /etc/security/pwquality.conf.d/50-pwquality.conf
 #DEBHELPER#
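Review bot: The two added `cp` lines create /etc/security/faillock.conf and /etc/security/pwquality.conf.d/50-pwquality.conf with whatever mode the maintainer script's umask yields, because `cp` onto a not-yet-existing destination carries no fixed mode; these files are read by pam_faillock and libpwquality from whichever process is authenticating, and as far as I can tell not every PAM client does that as root, so they should be explicitly world-readable. `install -m 0644 /usr/share/starlingx/faillock.conf /etc/security/faillock.conf` and `install -m 0644 /usr/share/starlingx/pwquality.conf /etc/security/pwquality.conf.d/50-pwquality.conf` pin that independently of the environment dpkg runs in. The copies are also unconditional on every configure, so a locally edited faillock.conf is silently replaced on upgrade; a header comment in the shipped faillock.conf stating that it is managed by pam-config would make that visible. The top of postinst, including any `set -e`, is outside the hunk.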
diff --git a/pam-config/debian/deb_folder/postrm b/pam-config/debian/deb_folder/postrm
new file mode 100644
index 0000000..a198941
--- /dev/null
+++ b/pam-config/debian/deb_folder/postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+rm -f /etc/security/faillock.conf
+dpkg-divert --remove --package pam-config --rename \
+    /etc/security/faillock.conf
+
+#DEBHELPER#
diff --git a/pam-config/debian/deb_folder/preinst b/pam-config/debian/deb_folder/preinst
new file mode 100644
index 0000000..632b872
--- /dev/null
+++ b/pam-config/debian/deb_folder/preinst
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+dpkg-divert --add --package pam-config --rename \
+    --divert /etc/security/faillock.conf.old \
+    /etc/security/faillock.conf
+
+#DEBHELPER#
diff --git a/pam-config/source-debian/common-auth b/pam-config/source-debian/common-auth
index b28207c..8abbbb2 100755
--- a/pam-config/source-debian/common-auth
+++ b/pam-config/source-debian/common-auth
@@ -10,11 +10,11 @@
 # here are the per-package modules (the "Primary" block)
 # auth [success=1 default=ignore] pam_unix.so nullok_secure
 # auth sufficient pam_ldap.so use_first_pass
-auth requisite pam_faillock.so preauth deny=5 unlock_time=300
+auth requisite pam_faillock.so preauth
 auth [success=2 default=ignore] pam_unix.so nullok_secure
 auth [success=1 default=ignore] pam_sss.so use_first_pass
-auth [default=die] pam_faillock.so authfail deny=5 unlock_time=300
-auth sufficient pam_faillock.so authsucc deny=5 unlock_time=300
+auth [default=die] pam_faillock.so authfail
+auth sufficient pam_faillock.so authsucc
 # here's the fallback if no module succeeds
 auth requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
diff --git a/pam-config/source-debian/common-password b/pam-config/source-debian/common-password
index 988ef6d..35228da 100755
--- a/pam-config/source-debian/common-password
+++ b/pam-config/source-debian/common-password
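Review bot: The `rm -f` and `dpkg-divert --remove` in the new postrm run for every invocation, but dpkg also calls the old version's `postrm upgrade` when pam-config itself is upgraded; at that point they delete the faillock.conf that postinst installed and drop the diversion, so the new postinst then writes straight over the libpam-modules file and a later libpam-modules upgrade can replace the lockout policy, while in the window between the two scripts pam_faillock presumably runs on its compiled-in defaults rather than deny=5/unlock_time=300. Guard both commands on the maintainer-script argument as the Debian Policy diversion example does and leave `upgrade` alone (whether `abort-upgrade` should also remove the diversion depends on whether the version being reverted to already carried it, which is only true after this change lands). Keep the `rm -f` ahead of the `--rename`, since as I read dpkg-divert(1) it refuses to rename over an existing file.
```shell
case "$1" in
    remove|abort-install|disappear)
        rm -f /etc/security/faillock.conf
        dpkg-divert --remove --package pam-config --rename \
            /etc/security/faillock.conf
        ;;
esac
# … unchanged: #DEBHELPER# …
```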
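Review bot: `dpkg-divert --add` in the new preinst is not guarded on `$1`, so it also runs for `abort-upgrade`; that is harmless because re-adding an identical diversion is a no-op, but the conventional form is `if [ install = "$1" ] || [ upgrade = "$1" ]; then … fi`. The more important point is undocumented: the diverted path is shipped by libpam-modules (presumably as a conffile), so from now on dpkg will install any future upstream faillock.conf as /etc/security/faillock.conf.old without prompting, and upstream changes to the lockout defaults will never reach the active file unless someone re-merges them into pam-config's copy — a header comment saying exactly that would spare the next maintainer the surprise. The `.old` suffix also reads to an operator like a stale backup that can be deleted; a suffix such as `.distrib` makes the diversion's purpose visible.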
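Review bot: Once the three pam_faillock lines lose `deny=5 unlock_time=300`, nothing left in common-auth says where the thresholds come from, so an operator auditing this file sees what looks like an unbounded lockout configuration. A comment above the preauth line, `# faillock thresholds (deny, unlock_time) live in /etc/security/faillock.conf, installed by pam-config`, makes the dependency explicit. It is also worth stating in that comment that if the file is missing or unreadable pam_faillock appears to fall back to its compiled-in defaults rather than failing closed — please confirm that against the shipped pam_faillock before relying on it. The file's header comment block starts above this hunk.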
@@ -26,7 +26,7 @@
 ## - Added enforce_for_root for pam_pwquality.so
 #
 ###########################################################################
-password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=12 minclass=4 ocredit=-1 lcredit=-1 ucredit=-1 dcredit=-1 enforce_for_root debug
+password required pam_pwquality.so try_first_pass retry=3 authtok_type= debug
 password required pam_pwhistory.so use_authtok enforce_for_root remember=5 retry=3 debug
 password sufficient pam_unix.so sha512 use_authtok debug
diff --git a/pam-config/source-debian/faillock.conf b/pam-config/source-debian/faillock.conf
new file mode 100644
index 0000000..4df0b4e
--- /dev/null
+++ b/pam-config/source-debian/faillock.conf
@@ -0,0 +1,2 @@
+deny = 5
+unlock_time = 300
diff --git a/pam-config/source-debian/pwquality.conf b/pam-config/source-debian/pwquality.conf
new file mode 100644
index 0000000..ef3b3c6
--- /dev/null
+++ b/pam-config/source-debian/pwquality.conf
@@ -0,0 +1,8 @@
+difok=3
+minlen=12
+minclass=4
+ocredit=-1
+lcredit=-1
+ucredit=-1
+dcredit=-1
+enforce_for_root
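Review bot: The file's header comment block, of which only the last entry `## - Added enforce_for_root for pam_pwquality.so` is visible in the hunk, is now stale: enforce_for_root and the rest of the policy no longer appear on the pam_pwquality line it describes. Update that entry to something like `## - pwquality policy (difok, minlen, minclass, credits, enforce_for_root) is set in /etc/security/pwquality.conf.d/50-pwquality.conf` so a reader of common-password knows the module options were relocated rather than dropped. The comment block starts above the hunk.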
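Review bot: The new pwquality.conf carries no comment, and as a drop-in installed under /etc/security/pwquality.conf.d/ its effect depends on ordering: as I read pwquality.conf(5), drop-ins are applied after /etc/security/pwquality.conf in lexical order with later settings winning, so any later-sorting file placed there by another package or an administrator silently relaxes `minlen=12` without this file changing. A short header such as `# Installed by pam-config as /etc/security/pwquality.conf.d/50-pwquality.conf; later-sorting drop-ins override these values` records that. `minclass=4` together with the four `*credit=-1` lines is belt-and-braces — either alone already demands all four character classes — which is fine to keep but deserves a one-line comment so nobody "simplifies" it into something weaker.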