Remove nullok from common-auth on Ubuntu

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml

@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = medium
 {{% if 'ubuntu' in product %}}
-{{%- set pam_config_paths = "['/etc/pam.d/common-password']" %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-auth', '/etc/pam.d/common-password']" %}}
 {{% else %}}
 {{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
 {{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh

@@ -25,6 +25,18 @@ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
     }
 }' "$config_file"
 
+sed -i -E '/^Auth:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*nullok//g
+    }
+}' "$config_file"
+
+sed -i -E '/^Auth-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*nullok//g
+    }
+}' "$config_file"
+
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml

@@ -15,7 +15,7 @@
 {{% if 'sle' in product or 'slmicro' in product %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/.*$</ind:filepath>
 {{% elif 'ubuntu' in product %}}
-    <ind:filepath operation="pattern match">^/etc/pam.d/common-password</ind:filepath>
+    <ind:filepath operation="pattern match">^/etc/pam.d/common-(auth|password)$</ind:filepath>
 {{% else %}}
     <ind:filepath operation="pattern match">^/etc/pam.d/(system|password)-auth$</ind:filepath>
 {{% endif %}}

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml

@@ -10,7 +10,7 @@ description: |-
     {{% if 'sle' in product or 'slmicro' in product%}}
     password authentication configurations in <tt>/etc/pam.d/</tt>
     {{% elif 'ubuntu' in product %}}
-    <tt>/etc/pam.d/common-password</tt>
+    <tt>/etc/pam.d/common-auth</tt> and <tt>/etc/pam.d/common-password</tt>
     {{% else %}}
     <tt>/etc/pam.d/system-auth</tt> and
     <tt>/etc/pam.d/password-auth</tt>
@@ -63,7 +63,7 @@ ocil: |-
     {{% if 'sle' in product or 'slmicro' in product %}}
     <pre>$ grep pam_unix.so /etc/pam.d/* | grep nullok</pre>
     {{% elif 'ubuntu' in product %}}
-    <pre>grep nullok /etc/pam.d/common-password</pre>
+    <pre>grep nullok /etc/pam.d/common-auth /etc/pam.d/common-password</pre>
     {{% else %}}
     <pre>$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
     {{% endif %}}
@@ -72,10 +72,10 @@ ocil: |-
     prevent logins with empty passwords.
 
 fixtext: |-
-    Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-password file {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null
+    Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-auth and common-password files {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null
     passwords.
     {{% if 'ubuntu' in product %}}
-    Remove any instances of the "nullok" option in "/etc/pam.d/common-password"
+    Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password"
     {{% else %}}
     Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" and
     "/etc/pam.d/password-auth" files
@@ -85,7 +85,7 @@ fixtext: |-
     Note: Manual changes to the listed file may be overwritten by the "authselect" program.
 
 srg_requirement: |-
-    '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-password file.{{% else %}} system-auth file nor
+    '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-auth and common-password files.{{% else %}} system-auth file nor
     password-auth. {{% endif %}}'
 
 warnings:

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh

@@ -12,9 +12,9 @@ Priority: 257
 Conflicts: unix
 Auth-Type: Primary
 Auth:
-	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+	[success=end default=ignore]	pam_unix.so try_first_pass
 Auth-Initial:
-	[success=end default=ignore]	pam_unix.so nullok
+	[success=end default=ignore]	pam_unix.so
 Account-Type: Primary
 Account:
 	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh

@@ -12,9 +12,9 @@ Priority: 257
 Conflicts: unix
 Auth-Type: Primary
 Auth:
-	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+	[success=end default=ignore]	pam_unix.so try_first_pass # nullok
 Auth-Initial:
-	[success=end default=ignore]	pam_unix.so nullok
+	[success=end default=ignore]	pam_unix.so # nullok
 Account-Type: Primary
 Account:
 	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so nullok try_first_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so nullok
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"

linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+	[success=end default=ignore]	pam_unix.so try_first_pass
+Auth-Initial:
+	[success=end default=ignore]	pam_unix.so
+Account-Type: Primary
+Account:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Account-Initial:
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
+Session-Type: Additional
+Session:
+	required	pam_unix.so
+Session-Initial:
+	required	pam_unix.so
+Password-Type: Primary
+Password:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+Password-Initial:
+	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"