Implement rule 5.3.3.4.2 Ensure pam_unix does not include remember

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh

@@ -0,0 +1,27 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+{{{ bash_pam_unix_enable() }}}
+config_file="/usr/share/pam-configs/cac_unix"
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*\bremember=\d+\b//g
+    }
+}' "$config_file"
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*\bremember=\d+\b//g
+    }
+}' "$config_file"
+
+{{{ bash_remove_pam_module_option('/etc/pam.d/common-auth', 'auth', '', 'pam_unix.so', 'remember') }}}
+{{{ bash_remove_pam_module_option('/etc/pam.d/common-account', 'account', '', 'pam_unix.so', 'remember') }}}
+{{{ bash_remove_pam_module_option('/etc/pam.d/common-password', 'password', '', 'pam_unix.so', 'remember') }}}
+{{{ bash_remove_pam_module_option('/etc/pam.d/common-session', 'session', '', 'pam_unix.so', 'remember') }}}
+{{{ bash_remove_pam_module_option('/etc/pam.d/common-session-noninteractive', 'session', '', 'pam_unix.so', 'remember') }}}
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/oval/shared.xml

@@ -0,0 +1,19 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("The pam_unix module should not include remember option") }}}
+    <criteria>
+      <criterion comment="make sure the remember option is not used in pam_unix.so module"
+                 test_ref="test_pam_unix_no_remember" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1"
+                              id="test_pam_unix_no_remember"
+                              comment="make sure remember is not used in /etc/pam.d/common-auth">
+    <ind:object object_ref="object_pam_unix_no_remember" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_pam_unix_no_remember" version="1">
+    <ind:filepath operation="pattern match">^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$</ind:filepath>
+    <ind:pattern operation="pattern match">^[^#]*\bremember=\d+\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/rule.yml

@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Avoid using remember in pam_unix module'
+
+description: |-
+    The <tt>remember</tt> option stores the last n passwords for each user in <tt>/etc/security/opasswd</tt>,
+    enforcing password history and preventing users from reusing the same passwords. However, this feature
+    relies on the MD5 password hash algorithm, which is less secure. Instead, the <tt>pam_pwhistory</tt>
+    module should be used. This module also stores the last n passwords in <tt>/etc/security/opasswd</tt>
+    and it uses the password hash algorithm configured in the pam_unix module, such as yescrypt or SHA512,
+    offering enhanced security.
+
+rationale: |-
+    Removing the <tt>remember</tt> argument ensures the use of a stronger password hashing algorithm.
+    A more robust hash algorithm increases the difficulty for attackers to crack stored
+    passwords in <tt>/etc/security/opasswd</tt>, thereby improving system security and
+    protecting user credentials. 
+
+severity: medium
+
+platform: package[pam]

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/no_remember.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+sed -i --follow-symlinks '/\bremember=\d+\b/d' /etc/pam.d/common-*

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_commented.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+for pam_file in /etc/pam.d/common-*; do
+    sed -i --follow-symlinks '/\bremember=\d+\b/d' $pam_file
+    echo "# auth  sufficient  pam_unix.so try_first_pass bremember=1" >> $pam_file
+done

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/tests/remember_present.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+for FILE in "/etc/pam.d/common-*"; do
+    if ! grep -q "^[^#].*pam_unix\.so.*\bremember=\d+\b" ${FILE}; then
+        sed -i 's/\(^[^#].*pam_unix\.so\)/\1 remember=1/g' ${FILE}
+    fi
+done
+