5.3.2.2: fix regex failing to match whitespace

Fixed yamllint (colons) issues

Signed-off-by: polski-g <polski_g@sent.at>
polski-g 2025-08-28 13:55:41 -04:00
parent 39c7dfa187
commit 2557470054
No known key found for this signature in database
GPG key ID: C077F64D3FFD4D39


@ -91,9 +91,15 @@
insertafter: "{{ item.after | default(omit) }}" insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}" line: "{{ item.line }}"
loop: loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" } line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth" - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
when: not rhel9cis_allow_authselect_updates when: not rhel9cis_allow_authselect_updates
@ -104,9 +110,15 @@
insertafter: "{{ item.after | default(omit) }}" insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}" line: "{{ item.line }}"
loop: loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" } line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when: when:
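Review bot: The new `regexp` patterns and the `after`/`before` anchors in the first loop are unanchored and leave the `.` in `pam_faillock.so` unescaped, so they can also match a commented-out entry or text further along a line; anchoring and escaping them, e.g. `regexp: "^\\s*auth\\s+required\\s+pam_faillock\\.so\\s+preauth"`, keeps lineinfile on the active entry it is meant to manage. The patterns also accept only the `required` control value, so a file that already carries pam_faillock with a different control field (for example `requisite` or a bracketed control) would presumably get a second pam_faillock line added instead of the existing one replaced; that is worth verifying, because ordering and duplicates in the PAM stack change lockout behaviour. The same applies to the password-auth loop in the second hunk. Both task headers start outside the hunks, so the target path and the `insertbefore` wiring could not be checked from here.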