diff --git a/tasks/main.yml b/tasks/main.yml index 488c765..8e283e0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -124,14 +124,14 @@ fail_msg: "You still have the default name for your authselect profile" - name: "PRELIM | AUDIT | Check authselect profile is selected" - ansible.builtin.shell: authselect current + ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}' changed_when: false - failed_when: prelim_authselect_current_config.rc not in [ 0, 1 ] - register: prelim_authselect_current_config + failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] + register: prelim_authselect_current_profile - name: "PRELIM | AUDIT | Check authselect profile is selected" ansible.builtin.assert: - that: prelim_authselect_current_config is defined + that: prelim_authselect_current_profile is defined success_msg: "Authselect is running and profile is selected" fail_msg: Authselect updates have been selected there are issues with profile selection" diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 3bc8ec0..571cb70 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -14,7 +14,9 @@ - rule_5.3.2.1 block: - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles" - when: prelim_authselect_current_config.stdout is not defined + when: + - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or + prelim_authselect_current_profile.stdout is not defined ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" args: creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}" diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 89f39cc..4712373 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml 
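Review bot: The new `authselect current | head -1 | awk '{print $NF}'` pipeline returns awk's exit status, so `failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]` now inspects the wrong process and a failing `authselect current` (no configuration selected) passes with an empty stdout. Run it under pipefail so the check stays meaningful: `ansible.builtin.shell: set -o pipefail && authselect current | head -1 | awk '{print $NF}'` with `args:` / `executable: /bin/bash`. The follow-up assert `that: prelim_authselect_current_profile is defined` is always true for a registered result; if it is meant to confirm a profile is selected, assert on `prelim_authselect_current_profile.stdout | length > 0` instead.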
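Review bot: The new `when` evaluates `rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout` before the `is not defined` guard, so if stdout is missing Jinja errors on the first operand instead of falling through to the second; put `prelim_authselect_current_profile.stdout is not defined` first. The substring test is also loose: after the `awk '{print $NF}'` in the preliminary task stdout is the profile id such as `custom/<name>`, so a custom name that is a substring of another profile id (e.g. `sss` inside `sssd`) is treated as already active and the profile is never created. Comparing against `'custom/' ~ rhel9cis_authselect_custom_profile_name` with `!=` would be exact. The block this task belongs to starts outside the hunk.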
@@ -51,7 +51,7 @@ - rule_5.3.3.4.2 block: - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" - ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -P -- '\bremember\b' + ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq changed_when: false failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ] register: rhel9cis_pam_remember @@ -61,9 +61,10 @@ - not rhel9cis_allow_authselect_updates - rhel9cis_pam_remember.stdout | length > 0 ansible.builtin.replace: - path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}" - regexp: remember=\d+ + path: "{{ item }}" + regexp: remember replace: '' + loop: "{{ rhel9cis_pam_remember.stdout_lines }}" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" when: @@ -90,7 +91,7 @@ - NIST800-53R5_IA-5 block: - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" - ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ rhel9cis_passwd_hash_algo }}")\b' /etc/pam.d/*-auth + ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq changed_when: false failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ] register: rhel9cis_pam_pwhash 
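Review bot: The rewritten 5.3.3.4.2 audit `grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth` drops the previous `^\h*` anchor, so commented-out lines (`#password ... remember=5`) now count as findings, and it drops `-H`, so the filename prefix that `cut -d ':' -f1` depends on is only present when the glob expands to more than one file. Keep the anchor and force the prefix: `grep -EH '^\s*password.*pam_unix\.so.*\bremember\b' /etc/pam.d/*-auth | cut -d ':' -f1 | uniq`. Because the rc now comes from `uniq`, `failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]` no longer sees grep's status; run the pipeline under `set -o pipefail` (`args:` / `executable: /bin/bash`) if that check is meant to stay live. The 5.3.3.4.3 audit below has the same shape.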
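Review bot: `regexp: remember` with `replace: ''` strips only the word and leaves the value behind on the pam_unix line (`pam_unix.so ... =5`), which pam_unix then sees as an unrecognised option; the old pattern `remember=\d+` removed the whole argument. Since the path is now the whole `*-auth` file, the bare word also hits any `pam_pwhistory.so ... remember=N` line in the same file, where the option is required (it is what the 5.3.3.3.x tasks configure). Restrict it to the pam_unix line: `regexp: '^(\s*password\s+\S+\s+pam_unix\.so.*?)\s*\bremember=\d+'` and `replace: '\1'`; `ansible.builtin.replace` matches in MULTILINE mode, so `^` anchors each line.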
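Review bot: The new 5.3.3.4.3 audit greps for any of `(sha512|yescrypt)` rather than `{{ rhel9cis_passwd_hash_algo }}`, so it lists the files that already carry a strong algorithm and reports nothing for files using `md5`/`sha256` or no algorithm at all, which are exactly what the following replace task (regexp `md5|bigcrypt|sha256|blowfish|...`) is written to fix. If the intent is "files that still need the configured algorithm", invert the selection, e.g. `grep -EH '^\s*password.*pam_unix\.so' /etc/pam.d/*-auth | grep -v '{{ rhel9cis_passwd_hash_algo }}' | cut -d ':' -f1 | uniq`. As in the 5.3.3.4.2 audit, the missing `^\s*` anchor matches commented lines and the pipeline hides grep's rc from `failed_when`.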
@@ -100,17 +101,18 @@ - not rhel9cis_allow_authselect_updates - rhel9cis_pam_remember.stdout | length > 0 ansible.builtin.replace: - path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}" + path: "{{ item }}" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" replace: '{{ rhel9cis_passwd_hash_algo }}' + loop: "{{ rhel9cis_pam_remember.stdout_lines }}" - - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Remove remember from pam files AuthSelect" + - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect" when: - rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" - regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)(.*$) - line: \1\2 {{ rhel9cis_passwd_hash_algo }}\4 + regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$) + line: \1\2\3\4{{ rhel9cis_passwd_hash_algo }}\6 backrefs: true loop: - password @@ -130,7 +132,7 @@ - NIST800-53R5_IA-5 block: - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" - ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b' + ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b' changed_when: false failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ] register: rhel9cis_pam_authtok 
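Review bot: The 5.3.3.4.3 replace task now loops over `rhel9cis_pam_remember.stdout_lines`, the register of the 5.3.3.4.2 remember audit, not `rhel9cis_pam_pwhash` which this rule registers a few lines earlier; the hash algorithm is therefore rewritten in whichever files happened to contain `remember` and left alone elsewhere. Change it to `loop: "{{ rhel9cis_pam_pwhash.stdout_lines }}"`; the context line `- rhel9cis_pam_remember.stdout | length > 0` in the same `when` carries the same mix-up. In the AuthSelect lineinfile below, `pam_unix.so` is no longer escaped and the `(sha512|yescrypt)` group means a profile line with `md5` or no algorithm is never touched; `pam_unix\.so` and the same algorithm list as the replace task would make the two branches agree.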
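Review bot: The only change in this hunk turns `pam_unix\.so` into `pam_unix.so` inside a `-P` pattern, so the dot now matches any character; keep the escape (`pam_unix\.so\b`). While on the line, `^\h*^password` has a second `^` that makes the `\h*` useless (an indented `password` line can never match), and the task is named `PATCH` although it only captures state with `changed_when: false`; `AUDIT` matches its siblings.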
@@ -142,8 +144,8 @@ - rhel9cis_pam_authtok.stdout | length > 0 ansible.builtin.lineinfile: path: "{{ item }}" - regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$) - line: \1\2 use_authtok\3 + regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) + line: \1\2\3\4use_authtok \5 backrefs: true loop: "{{ rhel9cis_pam_authtok.stdout_lines }}" @@ -152,8 +154,8 @@ - rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" - regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$) - line: \1\2 use_authtok\3 + regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) + line: \1\2\3\4use_authtok\5 backrefs: true loop: - password diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 9da1ed0..a5cd8c5 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -19,10 +19,10 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + line: "PASS_MAX_DAYS {{ rhel9cis_pass_max_days }}" - name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow" changed_when: false failed_when: false register: discovered_max_days 
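Review bot: This lineinfile only matches lines that already contain `use_authtok` (it is a literal in the regexp), yet the loop is fed by the audit that selected exactly the pam_unix lines without it, so with `backrefs: true` and no match the task changes nothing and the control is never remediated; the AuthSelect variant in the next hunk has the same shape. Match the line lacking the option and append it: `regexp: '^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\b)(?!.*\buse_authtok\b)(.*)$'` and `line: '\1\3 use_authtok'`, which is also idempotent. Separately, `path: "{{ item }}"` receives `file:line` strings here because the 5.3.3.4.4 audit uses `grep -PH` without the `cut -d ':' -f1 | uniq` the other audits apply, so the path is not a valid file. The two hunks also disagree on the space before `\5` (`use_authtok \5` here, `use_authtok\5` below), which would glue the option to whatever follows it if a match ever happened.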
@@ -34,7 +34,7 @@ - rhel9cis_force_user_maxdays ansible.builtin.user: name: "{{ item }}" - password_expire_max: "{{ rhel9cis_pass['max_days'] }}" + password_expire_max: "{{ rhel9cis_pass_max_days }}" loop: "{{ discovered_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" @@ -51,10 +51,10 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + line: "PASS_MIN_DAYS {{ rhel9cis_pass_min_days }}" - name: "5.4.1.2 | AUDIT | Ensure minimum password days is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass_min_days }} {print $1}' /etc/shadow" changed_when: false failed_when: false register: discovered_min_days @@ -66,7 +66,7 @@ - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" - password_expire_max: "{{ rhel9cis_pass['min_days'] }}" + password_expire_max: "{{ rhel9cis_pass_min_days }}" loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" @@ -83,10 +83,10 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + line: "PASS_WARN_AGE {{ rhel9cis_pass_warn_age }}" - name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users WARN_DAYS" - ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass_warn_age }} {print $1}' /etc/shadow" changed_when: false failed_when: false register: discovered_warn_days diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 5ff643b..95f8064 100644 
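Review bot: The 5.4.1.2 per-user task still writes the minimum-days value into `password_expire_max`, so every user picked up by the PASS_MIN_DAYS audit gets a maximum password age of `rhel9cis_pass_min_days` (typically a single-digit number) rather than a minimum; the commit only renames the variable on that line. `ansible.builtin.user` has a separate `password_expire_min` parameter, so the line should read `password_expire_min: "{{ rhel9cis_pass_min_days }}"`. The new flat variables (`rhel9cis_pass_max_days`, `rhel9cis_pass_min_days`, `rhel9cis_pass_warn_age`) presumably have matching defaults elsewhere in the role; they are not in this diff.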
--- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -46,16 +46,32 @@ - patch - rule_6.1.2 - NIST800-53R5_AU-2 - ansible.builtin.cron: - name: Run AIDE integrity check - cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" - user: "{{ rhel9cis_aide_cron['cron_user'] }}" - minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel9cis_aide_cron['aide_job'] }}" + block: + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" + when: rhel9cis_aide_scan == "cron" + ansible.builtin.cron: + name: Run AIDE integrity check + cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" + user: "{{ rhel9cis_aide_cron['cron_user'] }}" + minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel9cis_aide_cron['aide_job'] }}" + + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" + when: rhel9cis_aide_scan == "timer" + ansible.builtin.systemd: + name: aidecheck.service + enabled: true + + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" + when: rhel9cis_aide_scan == "timer" + ansible.builtin.systemd: + name: aidecheck.timer + state: running + enabled: true - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" when: diff --git a/tasks/section_6/cis_6.2.2.1.x.yml b/tasks/section_6/cis_6.2.2.1.x.yml index 20b148b..00e949b 100644 --- a/tasks/section_6/cis_6.2.2.1.x.yml 
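Review bot: `state: running` on the `aidecheck.timer` task is not a value `ansible.builtin.systemd` accepts (its `state` choices are `started`, `stopped`, `restarted`, `reloaded`), so with `rhel9cis_aide_scan == "timer"` the play fails at that task; use `state: started`. Enabling `aidecheck.service` separately is questionable for a timer-driven oneshot: `enabled: true` needs an `[Install]` section to succeed, and if the unit has one it will also run at boot independently of the timer, so enabling the timer alone is the usual shape. The two timer tasks carry the identical name `… | aide service`; the second should say `aide timer`. Nothing in this diff deploys `aidecheck.service`/`aidecheck.timer`, so the tasks presumably rely on units installed elsewhere in the role; if those are written in the same play, the timer task also needs `daemon_reload: true`. The task's `when`/tags header starts outside the hunk.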
+++ b/tasks/section_6/cis_6.2.2.1.x.yml 
@@ -78,85 +78,3 @@ loop: - systemd-journal-remote.socket - systemd-journal-remote.service - -- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" - when: - - rhel9cis_rule_6_2_2_2 - tags: - - level1-server - - level2-workstation - - patch - - journald - - rule_6.2.2.2 - - NIST800-53R5_AU-2 - - NIST800-53R5_AU-6 - - NIST800-53R5_AU-7 - - NIST800-53R5_AU-12 - notify: Restart journald - block: - - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" - ansible.builtin.template: - src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 - dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf - owner: root - group: root - mode: '0640' - - - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" - ansible.builtin.replace: - path: /etc/systemd/journald.conf - regexp: ^(\s*ForwardToSyslog) - replace: '#\1' - -- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" - when: - - rhel9cis_rule_6_2_2_3 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_6.2.2.3 - - NIST800-53R5_AU-4 - notify: Restart journald - block: - - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file" - ansible.builtin.template: - src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.4 - dest: /etc/systemd/journald.conf.d/storage.conf - owner: root - group: root - mode: '0640' - - - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" - ansible.builtin.replace: - path: /etc/systemd/journald.conf - regexp: ^(?i)(\s*compress=) - replace: '#\1' - -- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" - when: - - rhel9cis_rule_6_2_2_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_6.2.2.4 - - NIST800-53R5_AU-3 - - NIST800-53R5_AU-12 - notify: Restart journald - block: - - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add 
file" - ansible.builtin.template: - src: etc/systemd/journald.conf.d/storage.conf.j2 - dest: /etc/systemd/journald.conf.d/storage.conf - owner: root - group: root - mode: '0640' - - - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" - ansible.builtin.replace: - path: /etc/systemd/journald.conf - regexp: ^(?i)(\s*storage=) - replace: '#\1' diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml new file mode 100644 index 0000000..3dd8dab --- /dev/null +++ b/tasks/section_6/cis_6.2.2.x.yml 
@@ -0,0 +1,83 @@ +--- + +- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" + when: + - rhel9cis_rule_6_2_2_2 + tags: + - level1-server + - level2-workstation + - patch + - journald + - rule_6.2.2.2 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-6 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + notify: Restart journald + block: + - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 + dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(\s*ForwardToSyslog) + replace: '#\1' + +- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" + when: + - rhel9cis_rule_6_2_2_3 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.3 + - NIST800-53R5_AU-4 + notify: Restart journald + block: + - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.4 + dest: /etc/systemd/journald.conf.d/storage.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(?i)(\s*compress=) + replace: '#\1' + +- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" + when: + - rhel9cis_rule_6_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.4 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + notify: Restart journald + block: + - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file" + ansible.builtin.template: + src: 
etc/systemd/journald.conf.d/storage.conf.j2 + dest: /etc/systemd/journald.conf.d/storage.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(?i)(\s*storage=) + replace: '#\1' diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml index 68799c8..07ba04b 100644 --- a/tasks/section_6/cis_6.2.4.1.yml +++ b/tasks/section_6/cis_6.2.4.1.yml 
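Review bot: 6.2.2.3 and 6.2.2.4 both render `etc/systemd/journald.conf.d/storage.conf.j2` to the same `/etc/systemd/journald.conf.d/storage.conf`, each gated by its own rule flag; that only works if the template itself gates `Compress=` on `rhel9cis_rule_6_2_2_3` and `Storage=` on `rhel9cis_rule_6_2_2_4`, otherwise enabling one rule silently writes the other's setting too (the template is not in this diff, so this is an inference worth checking). The inline comment on the 6.2.2.3 task, `# Added to the same file as 6.2.1.1.4`, names a rule number that is not the task it shares the file with; `# Same template/dest as 6.2.2.4 — storage.conf carries both keys` would read correctly. `regexp: ^(\s*ForwardToSyslog)` is case-sensitive while the compress/storage patterns use `(?i)`; pick one convention for the three tasks.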
@@ -16,47 +16,37 @@ failed_when: false register: discovered_logfiles - - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact" + - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" when: - discovered_logfiles.stdout_lines | length > 0 - - discovered_logfiles is defined - ansible.builtin.set_fact: - discovered_logfiles_flattened: "{{ discovered_logfiles.stdout_lines | flatten }}" - - - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - when: - - discovered_logfiles_flattened is defined - - item == "/var/log/secure" - - item == "/var/log/auth.log" - - item == "/var/log/syslog" - - "'journal' in item" + - ('audit.log' in item or 'journal' in item) or + item == '/var/log/secure' or + item == '/var/log/syslog' or + item == '/var/log/messages' or + item == '/var/log/auth.log' ansible.builtin.file: path: "{{ item }}" mode: 'u-x,g-wx,o-rwx' - loop: "{{ discovered_logfiles_flattened }}" + loop: "{{ discovered_logfiles.stdout_lines }}" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" when: - - discovered_logfiles_flattened is defined - - item == "/var/log/btmp" - - item == "/var/log/utmp" - - item == "/var/log/wtmp" - - item == "/var/log/lastlog" + - discovered_logfiles.stdout_lines | length > 0 + - ('anaconda' in item or 'dnf' in item or 'secure' in item or 'messages' in item or 'hawkey' in item) ansible.builtin.file: path: "{{ item }}" - mode: 'u-x,g-wx,o-rwx' - owner: root - group: root - loop: "{{ discovered_logfiles_flattened }}" + mode: 'u-x,g-x,o-rwx' + loop: "{{ discovered_logfiles.stdout_lines }}" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" when: - - discovered_logfiles_flattened is defined - - "'sssd' in item" - - item == "/var/log/utmp" - - item == "/var/log/wtmp" - - item == "/var/log/lastlog" + - discovered_logfiles.stdout_lines | 
length > 0 + - ('sssd' in item or 'lastlog' in item) or + item == "/var/log/btmp" or + item == "/var/log/utmp" or + item == "/var/log/wtmp" or + item == "/var/log/lastlog" ansible.builtin.file: path: "{{ item }}" - mode: 'u-x,g-wx,o-rwx' - loop: "{{ discovered_logfiles_flattened }}" + mode: 'ug-x,o-wx' + loop: "{{ discovered_logfiles.stdout_lines }}" diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index c75ebed..a1909dc 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -8,11 +8,16 @@ ansible.builtin.import_tasks: file: cis_6.2.1.x.yml -- name: "SECTION | 6.2.2 | Configure journald" +- name: "SECTION | 6.2.2.1.x | Configure journald-remote" when: rhel9cis_syslog == 'journald' ansible.builtin.import_tasks: file: cis_6.2.2.1.x.yml +- name: "SECTION | 6.2.2.x | Configure journald" + when: rhel9cis_syslog == 'journald' + ansible.builtin.import_tasks: + file: cis_6.2.2.x.yml + - name: "SECTION | 6.2.3 | Configure rsyslog" when: rhel9cis_syslog == 'rsyslog' ansible.builtin.import_tasks: diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 20eb5df..bfb925b 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -46,6 +46,9 @@ -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity +-w /etc/nsswitch.conf -p wa -k identity +-w /etc/pam.conf -p wa -k identity +-w /etc/pam.d -p wa -k identity {% endif %} {% if rhel9cis_rule_6_3_3_9 %} -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod 
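Review bot: The third task groups `'sssd' in item` under the `ug-x,o-wx` mode, which leaves sssd logs world-readable; the benchmark remediation for this control gives sssd files `ug-x,o-rwx`, with `ug-x,o-wx` reserved for btmp/utmp/wtmp/lastlog, so this should be checked against the current CIS text before merging. The match sets also overlap: `/var/log/secure` and `/var/log/messages` hit both the first task (`u-x,g-wx,o-rwx`) and the second (`'secure' in item`, `'messages' in item` with `u-x,g-x,o-rwx`), and `lastlog` is both a substring test and an exact path in the third, so the outcome depends on task order; disjoint conditions, or one task driven by a list of pattern/mode pairs, would be easier to audit. The removed `owner: root` / `group: root` for btmp/utmp/wtmp/lastlog is not re-applied anywhere in the hunk; if ownership is still part of the control it needs to come back. `- discovered_logfiles.stdout_lines | length > 0` in each `when` is redundant with the loop (an empty list iterates zero times).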
@@ -83,7 +86,7 @@ -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng {% endif %} {% if rhel9cis_rule_6_3_3_17 %} --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_cmd +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng {% endif %} {% if rhel9cis_rule_6_3_3_18 %} -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod diff --git a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 index ecf6e58..6a9855a 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 @@ -1,9 +1,9 @@ # CIS Configurations # 5.3.3.2.3 Ensure password complexity is configured -{% if rhel9cis_passwd_complex_option == minclass %} +{% if rhel9cis_passwd_complex_option == 'minclass' %} minclass = {{ rhel9cis_passwd_minclass }} -{ %endif %} -{% if rhel9cis_passwd_complex_option == credits %} +{% endif %} +{% if rhel9cis_passwd_complex_option == 'credits' %} dcredit = {{rhel9cis_passwd_dcredit }} ucredit = {{ rhel9cis_passwd_ucredit }} ocredit = {{ rhel9cis_passwd_ocredit }}
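Review bot: Renaming the chacl rule's key from `priv_cmd` to `priv_chng` changes the search key that existing `ausearch -k priv_cmd` / aureport filters, SIEM parsers or the role's own audit checks may rely on, and the diff shows no corresponding update elsewhere. If the new key follows the current wording of the 6.3.3.17 control, a changelog line and a template comment (`{# key renamed from priv_cmd to priv_chng to match 6.3.3.17 #}`) would record why; if it does not, `priv_cmd` should stay. Note that `setfacl` a few lines up keeps `perm_chng`, so chacl and setfacl events still land under different keys.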