{{ if .Vars.ubtu24cis_level_1 }}
  {{ if .Vars.ubtu24cis_rule_5_3_3_4_1 }}
command:
  pam_unix_nullok_pam_configs:
    title: 5.3.3.4.1 | Ensure pam_unix does not include nullok
    exec: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} /usr/share/pam-configs/* | grep -P -- '\bnullok\b'
    exit-status:
      or:
      - 0
      - 1
    stdout:
    - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.3.3.4.1
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  {{ end }}
{{ end }}