ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

v2 improvements

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-07 10:29:03 +01:00
parent 7c2a6a2a89
commit 0fc418a222
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
14 changed files with 542 additions and 709 deletions
Download patch file Download diff file Expand all files Collapse all files

14
tasks/section_5/cis_5.1.x.yml
View file

@ -194,7 +194,7 @@
notify: Restart sshd
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers"
when: "rhel9cis_sshd_denyusers'|default('') | length > 0"
when: "rhel9cis_sshd_denyusers | length > 0"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^DenyUsers"
@ -203,7 +203,7 @@
notify: Restart sshd
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups"
when: "rhel9cis_sshd_denygroups|default('') | length > 0"
when: "rhel9cis_sshd_denygroups | length > 0"
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^DenyGroups"
@ -500,17 +500,17 @@
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
when:
- rhel9cis_rule_5_1_22
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
tags:
- level1-server
- level1-workstation
- patch
- ssh
- rule_5.1.22
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*MaxStartupsUsePAM

2
tasks/section_5/cis_5.3.1.x.yml
View file

@ -42,7 +42,7 @@
- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
when:
- rhel9cis_rule_5_3_1_3
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<')
- ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<') or
"'libpwquality' not in ansible_facts.packages"
tags:
- level1-server

67
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -2,7 +2,7 @@
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
when:
- rhel8cis_rule_5_3_3_1_1
- rhel9cis_rule_5_3_3_1_1
tags:
- level1-server
- level1-workstation
@ -16,10 +16,12 @@
path: /etc/security/faillock.conf
state: present
regexp: '^(#|)\s*deny\s*=\s*\d'
line: "deny = {{ rhel8cis_pam_faillock['deny'] }}"
line: "deny = {{ rhel9cis_pam_faillock_deny }}"
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | pam_files"
when: not rhel8cis_allow_authselect_updates
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | remove deny from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
@ -28,9 +30,22 @@
- password
- system
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | remove deny from AuthSelect config"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
when:
- rhel8cis_rule_5_3_3_1_2
- rhel9cis_rule_5_3_3_1_2
tags:
- level1-server
- level1-workstation
@ -44,10 +59,12 @@
path: /etc/security/faillock.conf
state: present
regexp: '^(#|)\s*unlock_time\s*=\s*\d'
line: "unlock_time = {{ rhel8cis_pam_faillock['unlock_time'] }}"
line: "unlock_time = {{ rhel9cis_pam_faillock_unlock_time }}"
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | pam_files"
when: not rhel8cis_allow_authselect_updates
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | remove unlock from pam files NOT AuthSelect"
when:
- rhel9cis_disruption_high
- not rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+unlock_time\s*=\s*\S+(.*$)
@ -56,6 +73,19 @@
- password
- system
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | remove unlock from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+unlock_time\s*=\s*\S+(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when:
- rhel9cis_rule_5_3_3_1_3
@ -71,12 +101,14 @@
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: '^{{ rhel9cis_pamroot_lock_option }}'
line: "{{ rhel9cis_pamroot_lock_string }}"
line: "{{ rhel9cis_pamroot_lock_option }}"
insertafter: '^# end of pam-auth-update config'
create: true
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | pam_files"
when: not rhel9cis_allow_authselect_updates
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect"
when:
- rhel9cis_disruption_high
- not rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s(even_deny_root|root_unlock_time=\d*)"(\s*=\s*\d|.*)\S+(.*$)
@ -84,3 +116,16 @@
loop:
- password
- system
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s(even_deny_root|root_unlock_time=\d*)"(\s*=\s*\d|.*)\S+(.*$)
replace: \1\2\4
loop:
- password
- system
notify: Authselect update

155
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -14,6 +14,7 @@
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
when:
- item != rhel9cis_passwd_difok_file
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'difok\s*=\s*\d+\b'
@ -31,6 +32,31 @@
group: root
mode: '0600'
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdifok=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdifok=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.2 | PATCH | Ensure password length is configured"
when:
- rhel9cis_rule_5_3_3_2_2
@ -45,6 +71,7 @@
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
when:
- item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'minlen\s*=\s*\d+\b'
@ -62,6 +89,31 @@
group: root
mode: '0600'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sminlen=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sminlen=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
when:
- rhel9cis_rule_5_3_3_2_3
@ -76,6 +128,7 @@
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
when:
- item != rhel9cis_passwd_complex_file
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "{{ item }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
@ -93,6 +146,31 @@
group: root
mode: '0600'
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\s(minclass=[0-3]|[dulo]credit=[^-]\d*)(.*$)
replace: \1\2\4
loop:
- password
- system
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\s(minclass=[0-3]|[dulo]credit=[^-]\d*)(.*$)
replace: \1\2\4
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
when:
- rhel9cis_rule_5_3_3_2_4
@ -124,6 +202,31 @@
group: root
mode: '0600'
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxrepeat\s*=\s*\d*(.*$)
replace: \1\2\3
loop:
- password
- system
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxrepeat\s*=\s*\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
when:
- rhel9cis_rule_5_3_3_2_5
@ -138,6 +241,7 @@
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
when:
- item != rhel9cis_passwd_maxsequence_file
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'maxsequence\s*=\s*\d+\b'
@ -155,6 +259,31 @@
group: root
mode: '0600'
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxsequence\s*=\s*\d*(.*$)
replace: \1\2\3
loop:
- password
- system
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxsequence\s*=\s*\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
when:
- rhel9cis_rule_5_3_3_2_6
@ -186,6 +315,32 @@
group: root
mode: '0600'
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdictcheck\s*=\s*\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdictcheck\s*=\s*\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_2_7

56
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -3,7 +3,6 @@
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
when:
- rhel9cis_rule_5_3_3_3_1
- rhel9cis_disruption_high
tags:
- level1-server
- level1-workstation
@ -18,7 +17,9 @@
failed_when: rhel9_pwhistory_remember.rc not in [0, 1]
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set"
when: rhel9_pwhistory_remember.stdout | length > 0
when:
- rhel9_pwhistory_remember.stdout | length > 0
- not rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
regexp: ^(password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+)(.*)(remember=\d+)
@ -26,6 +27,31 @@
backrefs: true
notify: Pam_auth_update_pwhistory
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\sremember=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\sremember=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
when:
- rhel9cis_rule_5_3_3_3_2
@ -38,13 +64,15 @@
- pam
block:
- name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/common-password
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth
register: rhel9_pwhistory_enforce_for_root
changed_when: false
failed_when: rhel9_pwhistory_enforce_for_root.rc not in [0, 1]
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set"
when: rhel9_pwhistory_enforce_for_root.stdout | length > 0
when:
- not rhel9cis_allow_authselect_updates
- rhel9_pwhistory_enforce_for_root.stdout | length > 0
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
@ -64,16 +92,32 @@
- pam
block:
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
register: rhel9_pwhistory_use_authtok
changed_when: false
failed_when: rhel9_pwhistory_use_authtok.rc not in [0, 1]
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set"
when: rhel9_pwhistory_use_authtok.stdout | length > 0
when:
- not rhel9cis_allow_authselect_updates
- rhel9_pwhistory_use_authtok.stdout | length > 0
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
line: '\1\2\3 use_authtok'
backrefs: true
notify: Pam_auth_update_pwhistory
- name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\suse_authtok(.*$)
line: \1\2 use_authtok\3
backrefs: true
loop:
- password
- system
notify: Authselect update

77
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -18,17 +18,31 @@
register: rhel9cis_pam_nullok
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed"
when: rhel9cis_pam_nullok.stdout | length > 0
when:
- rhel9cis_pam_nullok.stdout | length > 0
- not rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "{{ item }}"
regexp: nullok
replace: ''
loop: "{{ rhel9cis_pam_nullok.stdout_lines }}"
notify: Pam_auth_update_pwunix
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember"
when:
- rhel9cis_rule_5_3_3_4_2
- rhel9cis_disruption_high
tags:
- level1-server
- level1-workstation
@ -37,22 +51,36 @@
- rule_5.3.3.4.2
block:
- name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b'
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -P -- '\bremember\b'
changed_when: false
failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]
register: rhel9cis_pam_remember
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
when: rhel9cis_pam_remember.stdout | length > 0
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}"
regexp: remember=\d+
replace: ''
notify: Pam_auth_update_pwunix
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm"
when:
- rhel9cis_rule_5_3_3_4_3
- rhel9cis_disruption_high
tags:
- level1-server
- level1-workstation
@ -68,16 +96,31 @@
register: rhel9cis_pam_pwhash
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set"
when: rhel9cis_pam_remember.stdout | length > 0
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}"
regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
replace: '{{ rhel9cis_passwd_hash_algo }}'
notify: Pam_auth_update_pwunix
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)(.*$)
line: \1\2 {{ rhel9cis_passwd_hash_algo }}\4
backrefs: true
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok"
when:
- rhel9cis_rule_5_3_3_4_4
- rhel9cis_disruption_high
tags:
- level1-server
- level1-workstation
@ -87,18 +130,32 @@
- NIST800-53R5_IA-5
block:
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{password,system}-auth
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
changed_when: false
failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ]
register: rhel9cis_pam_authtok
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_authtok is defined
- rhel9cis_pam_authtok.stdout | length > 0
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$)
line: \1\2\3 use_authtok
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$)
line: \1\2 use_authtok\3
backrefs: true
loop: "{{ rhel9cis_pam_authtok.stdout_lines }}"
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$)
line: \1\2 use_authtok\3
backrefs: true
loop:
- password
- system
notify: Authselect update

56
tasks/section_5/cis_5.4.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
when:
- rhel9cis_rule_5_4_1_1
tags:
@ -15,34 +15,34 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
- name: "5.4.1.1 | AUDIT | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS"
- name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
when:
- discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_usernames.stdout
- rhel9cis_force_user_maxdays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
loop: "{{ discovered_max_days.stdout_lines }}"
when:
- discovered_max_days.stdout_lines | length > 0
- item in discovered_interactive_usernames.stdout
- rhel9cis_force_user_maxdays
- name: "5.4.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
when:
- rhel9cis_rule_5_4_1_2
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- patch
- password
- rule_5.4.1.2
@ -60,14 +60,14 @@
register: discovered_min_days
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS"
when:
- discovered_min_days.stdout_lines | length > 0
- item in prelim_interactive_usernames.stdout
- rhel9cis_force_user_mindays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
loop: "{{ discovered_min_days.stdout_lines }}"
when:
- discovered_min_days.stdout_lines | length > 0
- item in discovered_interactive_usernames.stdout
- rhel9cis_force_user_mindays
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
when:
@ -92,12 +92,12 @@
register: discovered_warn_days
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS"
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
loop: "{{ discovered_warn_days.stdout_lines }}"
when:
- discovered_warn_days.stdout_lines | length > 0
- item in discovered_interactive_usernames.stdout
- item in prelim_interactive_usernames.stdout
- rhel9cis_force_user_warnage
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
loop: "{{ discovered_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
when:
@ -135,16 +135,16 @@
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_4_1_5_inactive_settings.stdout | length == 0
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Getting user list"
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: rhel9cis_5_4_1_5_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Apply Inactive setting to existing accounts"
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames.stdout
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
loop: "{{ rhel9cis_5_4_1_5_user_list.stdout_lines }}"
when: item in discovered_interactive_usernames.stdout
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
@ -172,22 +172,22 @@
register: rhel9cis_5_4_1_6_user_list
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_4_1_6_user_list.stdout_lines }}"
when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_4_1_5_user_list.stdout_lines }}"
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
ansible.builtin.shell: passwd --expire {{ item }}
when:
- rhel9cis_5_4_1_5_user_list.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
loop: "{{ rhel9cis_5_4_1_6_user_list.stdout_lines }}"

7
tasks/section_5/cis_5.4.2.x.yml
View file

@ -51,10 +51,9 @@
- discovered_gid0_members.stdout | length > 0
ansible.builtin.user:
name: "{{ item }}"
gid: 0
group: root
state: absent
loop:
- discovered_gid0_members.stdout_lines
loop: "{{ discovered_gid0_members.stdout_lines }}"
- name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group"
when:
@ -96,7 +95,7 @@
vars:
warn_control_id: '5.4.2.3'
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled"
- name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
when:
- rhel9cis_rule_5_4_2_4
tags:

2
tasks/section_5/cis_5.4.3.x.yml
View file

@ -55,7 +55,7 @@
- NIST800-53R5_MP-2
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: (?i)(umask\s+\d\d\d)
regexp: (?i)(umask\s+\d*)
replace: '{{ item.line }} {{ rhel9cis_bash_umask }}'
loop:
- { path: '/etc/profile', line: 'umask' }

89
tasks/section_5/cis_5.4.x.yml
View file

@ -1,89 +0,0 @@
---
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
block:
- name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
ansible.builtin.shell: 'authselect list | grep custom'
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_4_1_current_profile
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
when:
- rhel9cis_authselect_custom_profile_create
- "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
- name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}"
register: authselect_5_4_1_select
when:
- rhel9cis_authselect_custom_profile_create
- "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
when:
- rhel9cis_rule_5_4_1
tags:
- level1-server
- level1-workstation
- manual
- patch
- authselect
- rule_5.4.1
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options"
block:
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
ansible.builtin.shell: "authselect current | grep with-faillock"
failed_when: false
changed_when: false
check_mode: false
register: rhel9cis_5_4_2_profiles_faillock
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Show profiles"
ansible.builtin.debug:
msg:
- "Below are the current custom profiles"
- "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force"
when: rhel9cis_authselect_custom_profile_select
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
insertbefore: "{{ item.before }}"
loop:
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
when:
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/system-auth"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
insertbefore: "{{ item.before | default(omit)}}"
insertafter: "{{ item.after | default(omit)}}"
loop:
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line':'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
when:
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'
when:
- rhel9cis_rule_5_4_2
tags:
- level1-server
- level1-workstation
- patch
- authselect
- rule_5.4.2

135
tasks/section_5/cis_5.5.x.yml
View file

@ -1,135 +0,0 @@
---
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
block:
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
loop:
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
when:
- rhel9cis_rule_5_5_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
line: "account required pam_faillock.so"
insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"
when:
- rhel9cis_rule_5_5_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.2
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
when:
- rhel9cis_rule_5_5_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.3
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
ansible.builtin.replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
ansible.builtin.replace:
path: /etc/pam.d/password-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
ansible.builtin.replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
when:
- rhel9cis_rule_5_5_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.4

144
tasks/section_5/cis_5.5.x_authselect.yml
View file

@ -1,144 +0,0 @@
---
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
block:
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
loop:
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
line: "account required pam_faillock.so"
insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.2
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.3
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
ansible.builtin.replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.4

149
tasks/section_5/cis_5.6.x.yml
View file

@ -1,149 +0,0 @@
---
- name: "5.6.2 | PATCH | Ensure system accounts are secured"
block:
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin"
ansible.builtin.user:
name: "{{ item.id }}"
shell: /usr/sbin/nologin
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "root"
- item.id != "sync"
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"
- name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
ansible.builtin.user:
name: "{{ item.id }}"
password_lock: true
loop: "{{ rhel9cis_passwd }}"
when:
- item.id != "halt"
- item.id != "shutdown"
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- item.uid < min_int_uid | int
- item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin"
- item.shell != "/sbin/nologin"
- item.shell != "/dev/null"
loop_control:
label: "{{ item.id }}"
when:
- rhel9cis_rule_5_6_2
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.2
- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
ansible.builtin.blockinfile:
path: "{{ item.path }}"
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: '0644'
block: |
TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
export TMOUT
readonly TMOUT
loop:
- { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
- { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
when:
- rhel9cis_rule_5_6_3
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.3
- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
ansible.builtin.user:
name: root
group: 0
when:
- rhel9cis_rule_5_6_4
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.4
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: (?i)(umask\s+\d\d\d)
replace: '{{ item.line }} 027'
with_items:
- { path: '/etc/bashrc', line: 'umask' }
- { path: '/etc/profile', line: 'umask' }
- { path: '/etc/login.defs', line: 'UMASK' }
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^USERGROUPS_ENAB'
line: USERGROUPS_ENAB no
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd"
community.general.pamd:
name: "{{ item }}"
type: session
control: required
module_path: pam_limits.so
new_type: session
new_module_path: pam_umask.so
new_control: optional
state: before
register: rhel9cis_pamd_umask_added
loop:
- system-auth
- password-auth
- name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required"
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}"
regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$
replace: \1optional\3
loop:
- system-auth
- password-auth
when:
- rhel9cis_rule_5_6_5
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_5.6.5
- name: "5.6.6 | PATCH | Ensure root password is set"
ansible.builtin.debug:
msg: "The root password has been set as per the assert in early stages"
when:
- rhel9cis_rule_5_6_6
tags:
- level1-server
- level1-workstation
- patch
- accounts
- root
- rule_5.6.6