Fixing for ASB v2 default PAM modules location and logrotate.timer expectation for Ubuntu 16.04 and Ubuntu 18.04 (#754)

Author: MariusNi

src/adapters/mc/asb/LinuxSecurityBaseline_DeployIfNotExists.json

@@ -15,7 +15,7 @@
                 "version": "1.0.0",
                 "contentType": "Custom",
                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
-                "contentHash": "D0A9C2B0CD5851D0BB8C130A8F7DB554D2696E3322595E0D374F033DFA291C0F",
+                "contentHash": "709F738A808DB79EF7253B1D3C2900F9753E373258F254CB8063A5C03772ACB4",
                 "configurationParameter": {
                     "accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
                     "ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@@ -625,7 +625,7 @@
                                                 "version": "1.0.0",
                                                 "contentType": "Custom",
                                                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
-                                                "contentHash": "D0A9C2B0CD5851D0BB8C130A8F7DB554D2696E3322595E0D374F033DFA291C0F",
+                                                "contentHash": "709F738A808DB79EF7253B1D3C2900F9753E373258F254CB8063A5C03772ACB4",
                                                 "assignmentType": "ApplyAndAutoCorrect",
                                                 "configurationParameter": [
                                                     {
@@ -716,7 +716,7 @@
                                                 "version": "1.0.0",
                                                 "contentType": "Custom",
                                                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
-                                                "contentHash": "D0A9C2B0CD5851D0BB8C130A8F7DB554D2696E3322595E0D374F033DFA291C0F",
+                                                "contentHash": "709F738A808DB79EF7253B1D3C2900F9753E373258F254CB8063A5C03772ACB4",
                                                 "assignmentType": "ApplyAndAutoCorrect",
                                                 "configurationParameter": [
                                                     {
@@ -807,7 +807,7 @@
                                                 "version": "1.0.0",
                                                 "contentType": "Custom",
                                                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
-                                                "contentHash": "D0A9C2B0CD5851D0BB8C130A8F7DB554D2696E3322595E0D374F033DFA291C0F",
+                                                "contentHash": "709F738A808DB79EF7253B1D3C2900F9753E373258F254CB8063A5C03772ACB4",
                                                 "assignmentType": "ApplyAndAutoCorrect",
                                                 "configurationParameter": [
                                                     {

src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json

@@ -15,7 +15,7 @@
                 "version": "1.0.0",
                 "contentType": "Custom",
                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
-                "contentHash": "97DAEAE6E915A690FCF4D1BD533765F61C72DF4F840B57AA2742636B42F29C55",
+                "contentHash": "BF3A9E6087B90ED493EF9BF54FC4D7C28FF97832FECB77906E1AA9AF45F182B7",
                 "configurationParameter": {
                     "accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
                     "ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@@ -624,7 +624,7 @@
                                                 "version": "1.0.0",
                                                 "contentType": "Custom",
                                                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
-                                                "contentHash": "97DAEAE6E915A690FCF4D1BD533765F61C72DF4F840B57AA2742636B42F29C55",
+                                                "contentHash": "BF3A9E6087B90ED493EF9BF54FC4D7C28FF97832FECB77906E1AA9AF45F182B7",
                                                 "assignmentType": "ApplyAndAutoCorrect",
                                                 "configurationParameter": [
                                                     {
@@ -715,7 +715,7 @@
                                                 "version": "1.0.0",
                                                 "contentType": "Custom",
                                                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
-                                                "contentHash": "97DAEAE6E915A690FCF4D1BD533765F61C72DF4F840B57AA2742636B42F29C55",
+                                                "contentHash": "BF3A9E6087B90ED493EF9BF54FC4D7C28FF97832FECB77906E1AA9AF45F182B7",
                                                 "assignmentType": "ApplyAndAutoCorrect",
                                                 "configurationParameter": [
                                                     {
@@ -806,7 +806,7 @@
                                                 "version": "1.0.0",
                                                 "contentType": "Custom",
                                                 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
-                                                "contentHash": "97DAEAE6E915A690FCF4D1BD533765F61C72DF4F840B57AA2742636B42F29C55",
+                                                "contentHash": "BF3A9E6087B90ED493EF9BF54FC4D7C28FF97832FECB77906E1AA9AF45F182B7",
                                                 "assignmentType": "ApplyAndAutoCorrect",
                                                 "configurationParameter": [
                                                     {

src/common/asb/Asb.c

@@ -1616,13 +1616,20 @@ static char* AuditEnsureLockoutForFailedPasswordAttempts(void* log)
 {
     const char* pamFailLockSo = "pam_faillock.so";
     const char* pamTally2So = "pam_tally2.so";
+    const char* pamTallySo = "pam_tally.so";
     char* reason = NULL;
     RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdSystemAuth, pamFailLockSo, '#', &reason, log));
     RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdPasswordAuth, pamFailLockSo, '#', &reason, log));
     RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdLogin, pamFailLockSo, '#', &reason, log));
     RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdSystemAuth, pamTally2So, '#', &reason, log));
     RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdPasswordAuth, pamTally2So, '#', &reason, log));
-    CheckLockoutForFailedPasswordAttempts(g_etcPamdLogin, pamTally2So, '#', &reason, log);
+    RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdLogin, pamTally2So, '#', &reason, log));
+    RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdSystemAuth, pamTallySo, '#', &reason, log));
+    RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdPasswordAuth, pamTallySo, '#', &reason, log));
+    RETURN_REASON_IF_ZERO(CheckLockoutForFailedPasswordAttempts(g_etcPamdLogin, pamTallySo, '#', &reason, log));
+    FREE_MEMORY(reason);
+    reason = DuplicateString("Neither pam_faillock.so, pam_tally2.so or pam_tally.so PAM modules exist for this distribution. "
+        "Manually set lockout for failed password attempts following specific instructions for this distrubution. Automatic remediation is not possible");
     return reason;
 }
 
@@ -1787,7 +1794,7 @@ static char* AuditEnsureSyslogRotaterServiceIsEnabled(void* log)
     char* reason = NULL;
     RETURN_REASON_IF_NOT_ZERO(CheckPackageInstalled(g_logrotate, &reason, log));
     RETURN_REASON_IF_NOT_ZERO(CheckFileAccess(g_etcCronDailyLogRotate, 0, 0, 755, &reason, log));
-    if (false == IsRedHatBased(log))
+    if ((false == IsRedHatBased(log)) && (false == IsCurrentOs(PRETTY_NAME_UBUNTU_16_04, log)) && (false == IsCurrentOs(PRETTY_NAME_UBUNTU_18_04, log)))
     {
         CheckDaemonActive(g_logrotateTimer, &reason, log);
     }
@@ -3386,7 +3393,7 @@ static int RemediateEnsureSyslogRotaterServiceIsEnabled(char* value, void* log)
     if ((0 == InstallPackage(g_logrotate, log)) && (0 == SetFileAccess(g_etcCronDailyLogRotate, 0, 0, 755, log)))
     {
         status = 0;
-        if (false == IsRedHatBased(log))
+        if ((false == IsRedHatBased(log)) && (false == IsCurrentOs(PRETTY_NAME_UBUNTU_16_04, log)) && (false == IsCurrentOs(PRETTY_NAME_UBUNTU_18_04, log)))
         {
             status = EnableAndStartDaemon(g_logrotateTimer, log) ? 0 : ENOENT;
         }

src/common/asb/Asb.h

@@ -20,6 +20,8 @@
 #define PRETTY_NAME_RHEL_9 "Red Hat Enterprise Linux 9"
 #define PRETTY_NAME_ROCKY_LINUX_9 "Rocky Linux 9"
 #define PRETTY_NAME_SLES_15 "SUSE Linux Enterprise Server 15"
+#define PRETTY_NAME_UBUNTU_16_04 "Ubuntu 16.04"
+#define PRETTY_NAME_UBUNTU_18_04 "Ubuntu 18.04"
 #define PRETTY_NAME_UBUNTU_20_04 "Ubuntu 20.04"
 #define PRETTY_NAME_UBUNTU_22_04 "Ubuntu 22.04"
 

src/common/commonutils/PassUtils.c

@@ -6,36 +6,17 @@
 static const char* g_etcPamdCommonPassword = "/etc/pam.d/common-password";
 static const char* g_etcSecurityPwQualityConf = "/etc/security/pwquality.conf";
 static const char* g_etcPamdSystemAuth = "/etc/pam.d/system-auth";
+static const char* g_pamUnixSo = "pam_unix.so";
 static const char* g_remember = "remember";
 
-int CheckEnsurePasswordReuseIsLimited(int remember, char** reason, void* log)
-{
-    int status = ENOENT;
-
-    if (0 == CheckFileExists(g_etcPamdCommonPassword, NULL, log))
-    {
-        // On Debian-based systems '/etc/pam.d/common-password' is expected to exist
-        status = ((0 == CheckLineFoundNotCommentedOut(g_etcPamdCommonPassword, '#', g_remember, NULL, log)) &&
-            (0 == CheckIntegerOptionFromFileLessOrEqualWith(g_etcPamdCommonPassword, g_remember, '=', remember, reason, log))) ? 0 : ENOENT;
-    }
-    else if (0 == CheckFileExists(g_etcPamdSystemAuth, NULL, log))
-    {
-        // On Red Hat-based systems '/etc/pam.d/system-auth' is expected to exist
-        status = ((0 == CheckLineFoundNotCommentedOut(g_etcPamdSystemAuth, '#', g_remember, NULL, log)) &&
-            (0 == CheckIntegerOptionFromFileLessOrEqualWith(g_etcPamdSystemAuth, g_remember, '=', remember, reason, log))) ? 0 : ENOENT;
-    }
-    else
-    {
-        OsConfigCaptureReason(reason, "Neither '%s' or '%s' found, unable to check for '%s' option being set",
-            g_etcPamdCommonPassword, g_etcPamdSystemAuth, g_remember);
-    }
-
-    return status;
-}
-
 static char* FindPamModule(const char* pamModule, void* log)
 {
-    const char* paths[] = {"/usr/lib/x86_64-linux-gnu/security/%s", "/lib/security/%s", "/usr/lib/security/%s", "/lib64/security/%s"};
+    const char* paths[] = {
+        "/usr/lib/x86_64-linux-gnu/security/%s",
+        "/usr/lib/security/%s",
+        "/lib/security/%s",
+        "/lib64/security/%s",
+        "/lib/x86_64-linux-gnu/security/%s" };
     int numPaths = ARRAY_SIZE(paths);
     char* result = NULL;
     int status = 0, i = 0;
@@ -78,6 +59,36 @@ static char* FindPamModule(const char* pamModule, void* log)
     return result;
 }
 
+int CheckEnsurePasswordReuseIsLimited(int remember, char** reason, void* log)
+{
+    int status = ENOENT;
+
+    if (0 == CheckFileExists(g_etcPamdCommonPassword, NULL, log))
+    {
+        // On Debian-based systems '/etc/pam.d/common-password' is expected to exist
+        status = ((0 == CheckLineFoundNotCommentedOut(g_etcPamdCommonPassword, '#', g_remember, NULL, log)) &&
+            (0 == CheckIntegerOptionFromFileLessOrEqualWith(g_etcPamdCommonPassword, g_remember, '=', remember, reason, log))) ? 0 : ENOENT;
+    }
+    else if (0 == CheckFileExists(g_etcPamdSystemAuth, NULL, log))
+    {
+        // On Red Hat-based systems '/etc/pam.d/system-auth' is expected to exist
+        status = ((0 == CheckLineFoundNotCommentedOut(g_etcPamdSystemAuth, '#', g_remember, NULL, log)) &&
+            (0 == CheckIntegerOptionFromFileLessOrEqualWith(g_etcPamdSystemAuth, g_remember, '=', remember, reason, log))) ? 0 : ENOENT;
+    }
+    else
+    {
+        OsConfigCaptureReason(reason, "Neither '%s' or '%s' found, unable to check for '%s' option being set",
+            g_etcPamdCommonPassword, g_etcPamdSystemAuth, g_remember);
+    }
+
+    if (status && (false == FindPamModule(g_pamUnixSo, log)))
+    {
+        OsConfigCaptureReason(reason, "The PAM module '%s' is not available. Automatic remediation is not possible", g_pamUnixSo);
+    }
+
+    return status;
+}
+
 static void EnsurePamModulePackagesAreInstalled(void* log)
 {
     const char* pamPackages[] = {"pam", "libpam-modules", "pam_pwquality", "libpam-pwquality", "libpam-cracklib"};
@@ -112,15 +123,15 @@ int SetEnsurePasswordReuseIsLimited(int remember, void* log)
     // While 'required'  says that if this module fails, authentication fails.
 
     const char* endsHereIfFailsTemplate = "password required %s sha512 shadow %s=%d retry=3\n";
-    const char* pamUnixSo = "pam_unix.so";
     char* pamModulePath = NULL;
     char* newline = NULL;
     int status = 0, _status = 0;
 
     EnsurePamModulePackagesAreInstalled(log);
 
-    if (NULL == (pamModulePath = FindPamModule(pamUnixSo, log)))
+    if (NULL == (pamModulePath = FindPamModule(g_pamUnixSo, log)))
     {
+        OsConfigLogError(log, "SetEnsurePasswordReuseIsLimited: cannot proceed without %s being present", g_pamUnixSo);
         return ENOENT;
     }
 
@@ -198,8 +209,9 @@ int CheckLockoutForFailedPasswordAttempts(const char* fileName, const char* pamS
         {
             // Example of valid lines: 
             //
-            // 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' in /etc/pam.d/login
-            // 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=900' in /etc/pam.d/system-auth
+            // 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
+            // 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=900'
+            // 'auth required pam_tally.so onerr=fail deny=3 unlock_time=900'
 
             if ((commentCharacter == line[0]) || (EOL == line[0]))
             {
@@ -427,7 +439,7 @@ static int CheckRequirementsForCommonPassword(int retry, int minlen, int dcredit
                 continue;
             }
             else if ((NULL != strstr(line, password)) && (NULL != strstr(line, requisite)) && 
-                ((NULL != strstr(line, pamPwQualitySo)) || (NULL != strstr(line, pamCrackLibSo))))
+                ((NULL != strstr(line, pamPwQualitySo)) || (NULL != strstr(line, pamCrackLibSo)) || (NULL != strstr(line, g_pamUnixSo))))
             {
                 found = true;
 
@@ -745,8 +757,10 @@ int SetPasswordCreationRequirements(int retry, int minlen, int minclass, int dcr
     int numEntries = ARRAY_SIZE(entries);
     bool pamPwQualitySoExists = false;
     bool pamCrackLibSoExists = false;
+    bool pamUnixSoExists = false;
     char* pamModulePath = NULL;
     char* pamModulePath2 = NULL;
+    char* pamModulePath3 = NULL;
     int i = 0, status = 0, _status = 0;
     char* line = NULL;
 
@@ -756,13 +770,15 @@ int SetPasswordCreationRequirements(int retry, int minlen, int minclass, int dcr
 
         pamPwQualitySoExists = (NULL != (pamModulePath = FindPamModule(pamPwQualitySo, log))) ? true : false;
         pamCrackLibSoExists = (NULL != (pamModulePath2 = FindPamModule(pamCrackLibSo, log))) ? true : false;
+        pamUnixSoExists = (NULL != (pamModulePath3 = FindPamModule(g_pamUnixSo, log))) ? true : false;
 
-        if (pamPwQualitySoExists || pamCrackLibSoExists)
+        if (pamPwQualitySoExists || pamCrackLibSoExists || pamUnixSoExists)
         {
-            if (NULL != (line = FormatAllocateString(etcPamdCommonPasswordLineTemplate, pamPwQualitySoExists ? pamModulePath : pamModulePath2,
+            if (NULL != (line = FormatAllocateString(etcPamdCommonPasswordLineTemplate, 
+                pamPwQualitySoExists ? pamModulePath : (pamCrackLibSoExists ? pamModulePath2 : pamModulePath3),
                 retry, minlen, lcredit, ucredit, ocredit, dcredit)))
             {
-                status = ReplaceMarkedLinesInFile(g_etcPamdCommonPassword, pamPwQualitySoExists ? pamPwQualitySo : pamCrackLibSo, line, '#', true, log);
+                status = ReplaceMarkedLinesInFile(g_etcPamdCommonPassword, pamPwQualitySoExists ? pamPwQualitySo : (pamCrackLibSoExists ? pamCrackLibSo : g_pamUnixSo), line, '#', true, log);
                 FREE_MEMORY(line);
             }
             else