From 195e42e3eae5acb12370d5c0b13cfe57837beee4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Tue, 16 May 2023 08:52:45 +0100
Subject: [PATCH] removed line and updated requirement #53

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/section_5/cis_5.5.x.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index b8749b3..566823a 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -82,14 +82,14 @@
       - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/system-auth
-            line: "password    requisite     pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
             insertafter: '^password\s*requisite\s*pam_pwquality.so'
 
       - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
         ansible.builtin.replace:
             path: /etc/pam.d/system-auth
-            regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$'
-            replace: 'password    requisite     pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
   when:
       - rhel9cis_rule_5_5_3
   tags: