Add Debian 13 PAM support to existing rules

linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 
 {{% if 'ubuntu' in product or 'debian' in product %}}
     {{{ bash_pam_unix_enable() }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh

@@ -1,3 +1,3 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 
 {{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh

@@ -0,0 +1,21 @@
+# platform = multi_platform_debian
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+
+{{{ bash_instantiate_variables("var_password_pam_remember") }}}
+
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_pwhistory\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_remember"'/g
+    }
+}' /usr/share/pam-configs/cac_pwhistory
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_pwhistory\.so/ {
+        s/\s*remember=[^[:space:]]*//g
+        s/$/ remember='"$var_password_pam_remember"'/g
+    }
+}' /usr/share/pam-configs/cac_pwhistory
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml

@@ -0,0 +1,58 @@
+{{% if "debian" in product %}}
+{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}}
+{{% endif %}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.", rule_title=rule_title) }}}
+      <criteria operator="AND" comment="Check if pam_pwhistory.so is properly configured">
+        <criterion test_ref="test_accounts_password_pam_pwhistory_remember_enabled"
+                   comment="pam_pwhistory.so is properly defined in password section of PAM file"/>
+        <criterion test_ref="test_accounts_password_pam_pwhistory_remember_parameter"
+                 comment="Remember parameter of pam_pwhistory.so is properly configured"/>
+      </criteria>
+  </definition>
+
+  <external_variable comment="number of passwords that should be remembered" datatype="int" id="var_password_pam_remember" version="1" />
+
+  <!-- is pam_pwhistory.so enabled? -->
+  <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_remember_enabled"
+                              check="all" version="1" comment="Check pam_pwhistory.so presence in PAM file">
+    <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_enabled"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_remember_enabled"
+                                version="1">
+    <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
+    <ind:pattern var_ref="var_accounts_password_pam_pwhistory_module_regex"
+                 var_check="at least one" operation="pattern match"/>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <!-- variables used to check the module implementation -->
+  <local_variable id="var_accounts_password_pam_pwhistory_module_regex"
+		  datatype="string" version="1"
+		  comment="The regex is to confirm the pam_pwhistory.so module is enabled">
+    <literal_component>^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so.*$</literal_component>
+  </local_variable>
+
+  <ind:textfilecontent54_state id="state_accounts_password_pam_pwhistory_remember" version="1">
+    <ind:subexpression datatype="int" operation="greater than or equal"
+                       var_ref="var_password_pam_remember"/>
+  </ind:textfilecontent54_state>
+
+  <!-- Check the pam_pwhistory.so remember parameter -->
+  <ind:textfilecontent54_test id="test_accounts_password_pam_pwhistory_remember_parameter" version="1"
+                              check="all" check_existence="all_exist"
+                              comment="Test if remember attribute of pam_pwhistory.so is set correctly in {{{ accounts_password_pam_file }}}">
+    <ind:object object_ref="object_accounts_password_pam_pwhistory_remember_parameter" />
+    <ind:state state_ref="state_accounts_password_pam_pwhistory_remember" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_accounts_password_pam_pwhistory_remember_parameter" version="1">
+    <ind:filepath>{{{ accounts_password_pam_file }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\bremember=([0-9]*)\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh

@@ -0,0 +1,13 @@
+# platform = multi_platform_debian
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+conf_file=/usr/share/pam-configs/cac_pwhistory
+if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"; then
+	sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_pwhistory\.so/ {
+        s/$/ use_authtok/g
+    }
+    }' "$conf_file"
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh

@@ -0,0 +1,12 @@
+# platform = multi_platform_debian
+
+config_file="/usr/share/pam-configs/cac_unix"
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        /use_authtok/! s/$/ use_authtok/g
+    }
+}'  "$config_file"
+
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh

@@ -1,3 +1,3 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_debian
 
 {{{ bash_pam_faillock_enable() }}}

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml

@@ -0,0 +1,37 @@
+{{% if 'debian' in product %}}
+{{% set configuration_files = ["common-password"] %}}
+{{% endif %}}
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}}
+    <criteria operator="AND" comment="Check for pam_pwquality module in PAM files">
+      {{% for file in configuration_files %}}
+      <criterion comment="pam_pwquality has correctly set in {{{ file }}}"
+      test_ref="test_password_pam_pwquality_enabled_{{{ file | escape_id }}}" />
+      {{% endfor %}}
+    </criteria>
+  </definition>
+
+  {{% macro test_pwquality_enabled(path, test_ref) %}}
+  <ind:textfilecontent54_test check="all" id="test_{{{ test_ref }}}" version="1"
+  check_existence="at_least_one_exists"
+  comment="Check for pam_pwquality.so module in PAM file of {{{ path }}}">
+    <ind:object object_ref="obj_{{{ test_ref }}}" />
+  </ind:textfilecontent54_test>
+  {{% endmacro %}}
+
+  {{% macro object_pwquality_enabled(path, test_ref) %}}
+  <ind:textfilecontent54_object id="obj_{{{ test_ref }}}" version="1">
+    <ind:filepath>{{{ path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  {{% endmacro %}}
+
+  {{% for file in configuration_files %}}
+  {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file ,
+                             test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}}
+  {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file ,
+                               test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}}
+  {{% endfor %}}
+</def-group>

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var

@@ -22,3 +22,4 @@ options:
     cis_rhel8: YESCRYPT|SHA512
     cis_rhel10: YESCRYPT|SHA512
     cis_fedora: YESCRYPT|SHA512
+    cis_debian13: YESCRYPT|SHA512

linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var

@@ -18,3 +18,4 @@ options:
     yescrypt: yescrypt
     cis_rhel8: yescrypt|sha512
     cis_rhel10: yescrypt|sha512
+    cis_debian13: yescrypt|sha512

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # strategy = configure
 # complexity = low

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh

@@ -9,3 +9,11 @@ config_file="/usr/share/pam-configs/cac_unix"
 sed -i '/pam_unix\.so/s/nullok//g' "$config_file"
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+
+# Fallback: remove nullok directly in case pam-auth-update was blocked
+# by local modifications to /etc/pam.d/common-*
+for pam_file in /etc/pam.d/common-password /etc/pam.d/common-auth \
+                /etc/pam.d/common-account /etc/pam.d/common-session \
+                /etc/pam.d/common-session-noninteractive; do
+    [ -f "$pam_file" ] && sed -i '/pam_unix\.so/s/\bnullok\b//g' "$pam_file"
+done