improved tests and updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/main.yml

@@ -124,14 +124,14 @@
           fail_msg: "You still have the default name for your authselect profile"
 
       - name: "PRELIM | AUDIT | Check authselect profile is selected"
-        ansible.builtin.shell: authselect current
+        ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
         changed_when: false
-        failed_when: prelim_authselect_current_config.rc not in [ 0, 1 ]
-        register: prelim_authselect_current_config
+        failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
+        register: prelim_authselect_current_profile
 
       - name: "PRELIM | AUDIT | Check authselect profile is selected"
         ansible.builtin.assert:
-          that: prelim_authselect_current_config is defined
+          that: prelim_authselect_current_profile is defined
           success_msg: "Authselect is running and profile is selected"
           fail_msg: Authselect updates have been selected there are issues with profile selection"
 

tasks/section_5/cis_5.3.2.x.yml

@@ -14,7 +14,9 @@
     - rule_5.3.2.1
   block:
     - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when: prelim_authselect_current_config.stdout is not defined
+      when:
+        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
+          prelim_authselect_current_profile.stdout is not defined
       ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
       args:
         creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"

tasks/section_5/cis_5.3.3.4.x.yml

@@ -51,7 +51,7 @@
     - rule_5.3.3.4.2
   block:
     - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
-      ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -P -- '\bremember\b'
+      ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
       changed_when: false
       failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]
       register: rhel9cis_pam_remember
@@ -61,9 +61,10 @@
         - not rhel9cis_allow_authselect_updates
         - rhel9cis_pam_remember.stdout | length > 0
       ansible.builtin.replace:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}"
-        regexp: remember=\d+
+        path: "{{ item }}"
+        regexp: remember
         replace: ''
+      loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
 
     - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember  | Remove remember from pam files AuthSelect"
       when:
@@ -90,7 +91,7 @@
     - NIST800-53R5_IA-5
   block:
     - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
-      ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ rhel9cis_passwd_hash_algo }}")\b' /etc/pam.d/*-auth
+      ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
       changed_when: false
       failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ]
       register: rhel9cis_pam_pwhash
@@ -100,17 +101,18 @@
         - not rhel9cis_allow_authselect_updates
         - rhel9cis_pam_remember.stdout | length > 0
       ansible.builtin.replace:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}"
+        path: "{{ item }}"
         regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
         replace: '{{ rhel9cis_passwd_hash_algo }}'
+      loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
 
-    - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Remove remember from pam files AuthSelect"
+    - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
       when:
         - rhel9cis_allow_authselect_updates
       ansible.builtin.lineinfile:
         path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
-        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)(.*$)
-        line: \1\2 {{ rhel9cis_passwd_hash_algo }}\4
+        regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
+        line: \1\2\3\4{{ rhel9cis_passwd_hash_algo }}\6
         backrefs: true
       loop:
         - password
@@ -130,7 +132,7 @@
     - NIST800-53R5_IA-5
   block:
     - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
-      ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
+      ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
       changed_when: false
       failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ]
       register: rhel9cis_pam_authtok
@@ -142,8 +144,8 @@
         - rhel9cis_pam_authtok.stdout | length > 0
       ansible.builtin.lineinfile:
         path: "{{ item }}"
-        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$)
-        line: \1\2 use_authtok\3
+        regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
+        line: \1\2\3\4use_authtok \5
         backrefs: true
       loop: "{{ rhel9cis_pam_authtok.stdout_lines }}"
 
@@ -152,8 +154,8 @@
         - rhel9cis_allow_authselect_updates
       ansible.builtin.lineinfile:
         path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
-        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$)
-        line: \1\2 use_authtok\3
+        regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
+        line: \1\2\3\4use_authtok\5
         backrefs: true
       loop:
         - password

tasks/section_5/cis_5.4.1.x.yml

@@ -19,10 +19,10 @@
       ansible.builtin.lineinfile:
         path: /etc/login.defs
         regexp: '^PASS_MAX_DAYS'
-        line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+        line: "PASS_MAX_DAYS {{ rhel9cis_pass_max_days }}"
 
     - name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
-      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
+      ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
       changed_when: false
       failed_when: false
       register: discovered_max_days
@@ -34,7 +34,7 @@
         - rhel9cis_force_user_maxdays
       ansible.builtin.user:
         name: "{{ item }}"
-        password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
+        password_expire_max: "{{ rhel9cis_pass_max_days }}"
       loop: "{{ discovered_max_days.stdout_lines }}"
 
 - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
@@ -51,10 +51,10 @@
       ansible.builtin.lineinfile:
         path: /etc/login.defs
         regexp: '^PASS_MIN_DAYS'
-        line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+        line: "PASS_MIN_DAYS {{ rhel9cis_pass_min_days }}"
 
     - name: "5.4.1.2 | AUDIT | Ensure minimum password days is configured | Get existing users PASS_MIN_DAYS"
-      ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
+      ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass_min_days }} {print $1}' /etc/shadow"
       changed_when: false
       failed_when: false
       register: discovered_min_days
@@ -66,7 +66,7 @@
         - rhel9cis_force_user_mindays
       ansible.builtin.user:
         name: "{{ item }}"
-        password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
+        password_expire_max: "{{ rhel9cis_pass_min_days }}"
       loop: "{{ discovered_min_days.stdout_lines }}"
 
 - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
@@ -83,10 +83,10 @@
       ansible.builtin.lineinfile:
         path: /etc/login.defs
         regexp: '^PASS_WARN_AGE'
-        line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+        line: "PASS_WARN_AGE {{ rhel9cis_pass_warn_age }}"
 
     - name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users WARN_DAYS"
-      ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
+      ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass_warn_age }} {print $1}' /etc/shadow"
       changed_when: false
       failed_when: false
       register: discovered_warn_days

tasks/section_6/cis_6.1.x.yml

@@ -46,6 +46,9 @@
     - patch
     - rule_6.1.2
     - NIST800-53R5_AU-2
+  block:
+    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
+      when: rhel9cis_aide_scan == "cron"
       ansible.builtin.cron:
         name: Run AIDE integrity check
         cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}"
@@ -57,6 +60,19 @@
         weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}"
         job: "{{ rhel9cis_aide_cron['aide_job'] }}"
 
+    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
+      when: rhel9cis_aide_scan == "timer"
+      ansible.builtin.systemd:
+        name: aidecheck.service
+        enabled: true
+
+    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
+      when: rhel9cis_aide_scan == "timer"
+      ansible.builtin.systemd:
+        name: aidecheck.timer
+        state: running
+        enabled: true
+
 - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
   when:
     - rhel9cis_rule_6_1_3

tasks/section_6/cis_6.2.2.1.x.yml

@@ -78,85 +78,3 @@
   loop:
     - systemd-journal-remote.socket
     - systemd-journal-remote.service
-
-- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
-  when:
-    - rhel9cis_rule_6_2_2_2
-  tags:
-    - level1-server
-    - level2-workstation
-    - patch
-    - journald
-    - rule_6.2.2.2
-    - NIST800-53R5_AU-2
-    - NIST800-53R5_AU-6
-    - NIST800-53R5_AU-7
-    - NIST800-53R5_AU-12
-  notify: Restart journald
-  block:
-    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file"
-      ansible.builtin.template:
-        src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
-        dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
-        owner: root
-        group: root
-        mode: '0640'
-
-    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
-      ansible.builtin.replace:
-        path: /etc/systemd/journald.conf
-        regexp: ^(\s*ForwardToSyslog)
-        replace: '#\1'
-
-- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
-  when:
-    - rhel9cis_rule_6_2_2_3
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - journald
-    - rule_6.2.2.3
-    - NIST800-53R5_AU-4
-  notify: Restart journald
-  block:
-    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file"
-      ansible.builtin.template:
-        src: etc/systemd/journald.conf.d/storage.conf.j2  # Added to the same file as 6.2.1.1.4
-        dest: /etc/systemd/journald.conf.d/storage.conf
-        owner: root
-        group: root
-        mode: '0640'
-
-    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
-      ansible.builtin.replace:
-        path: /etc/systemd/journald.conf
-        regexp: ^(?i)(\s*compress=)
-        replace: '#\1'
-
-- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
-  when:
-    - rhel9cis_rule_6_2_2_4
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - journald
-    - rule_6.2.2.4
-    - NIST800-53R5_AU-3
-    - NIST800-53R5_AU-12
-  notify: Restart journald
-  block:
-    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file"
-      ansible.builtin.template:
-        src: etc/systemd/journald.conf.d/storage.conf.j2
-        dest: /etc/systemd/journald.conf.d/storage.conf
-        owner: root
-        group: root
-        mode: '0640'
-
-    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
-      ansible.builtin.replace:
-        path: /etc/systemd/journald.conf
-        regexp: ^(?i)(\s*storage=)
-        replace: '#\1'

tasks/section_6/cis_6.2.2.x.yml

@@ -0,0 +1,83 @@
+---
+
+- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
+  when:
+    - rhel9cis_rule_6_2_2_2
+  tags:
+    - level1-server
+    - level2-workstation
+    - patch
+    - journald
+    - rule_6.2.2.2
+    - NIST800-53R5_AU-2
+    - NIST800-53R5_AU-6
+    - NIST800-53R5_AU-7
+    - NIST800-53R5_AU-12
+  notify: Restart journald
+  block:
+    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file"
+      ansible.builtin.template:
+        src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
+        dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
+        owner: root
+        group: root
+        mode: '0640'
+
+    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
+      ansible.builtin.replace:
+        path: /etc/systemd/journald.conf
+        regexp: ^(\s*ForwardToSyslog)
+        replace: '#\1'
+
+- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
+  when:
+    - rhel9cis_rule_6_2_2_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - journald
+    - rule_6.2.2.3
+    - NIST800-53R5_AU-4
+  notify: Restart journald
+  block:
+    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file"
+      ansible.builtin.template:
+        src: etc/systemd/journald.conf.d/storage.conf.j2  # Added to the same file as 6.2.1.1.4
+        dest: /etc/systemd/journald.conf.d/storage.conf
+        owner: root
+        group: root
+        mode: '0640'
+
+    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
+      ansible.builtin.replace:
+        path: /etc/systemd/journald.conf
+        regexp: ^(?i)(\s*compress=)
+        replace: '#\1'
+
+- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
+  when:
+    - rhel9cis_rule_6_2_2_4
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - journald
+    - rule_6.2.2.4
+    - NIST800-53R5_AU-3
+    - NIST800-53R5_AU-12
+  notify: Restart journald
+  block:
+    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file"
+      ansible.builtin.template:
+        src: etc/systemd/journald.conf.d/storage.conf.j2
+        dest: /etc/systemd/journald.conf.d/storage.conf
+        owner: root
+        group: root
+        mode: '0640'
+
+    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
+      ansible.builtin.replace:
+        path: /etc/systemd/journald.conf
+        regexp: ^(?i)(\s*storage=)
+        replace: '#\1'

tasks/section_6/cis_6.2.4.1.yml

@@ -16,47 +16,37 @@
       failed_when: false
       register: discovered_logfiles
 
-    - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
       when:
         - discovered_logfiles.stdout_lines | length > 0
-        - discovered_logfiles is defined
-      ansible.builtin.set_fact:
-        discovered_logfiles_flattened: "{{ discovered_logfiles.stdout_lines | flatten }}"
-
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
-      when:
-        - discovered_logfiles_flattened is defined
-        - item == "/var/log/secure"
-        - item == "/var/log/auth.log"
-        - item == "/var/log/syslog"
-        - "'journal' in item"
+        - ('audit.log' in item or 'journal' in item) or
+          item == '/var/log/secure' or
+          item == '/var/log/syslog' or
+          item == '/var/log/messages' or
+          item == '/var/log/auth.log'
       ansible.builtin.file:
         path: "{{ item }}"
         mode: 'u-x,g-wx,o-rwx'
-      loop: "{{ discovered_logfiles_flattened }}"
+      loop: "{{ discovered_logfiles.stdout_lines }}"
 
     - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
       when:
-        - discovered_logfiles_flattened is defined
-        - item == "/var/log/btmp"
-        - item == "/var/log/utmp"
-        - item == "/var/log/wtmp"
-        - item == "/var/log/lastlog"
+        - discovered_logfiles.stdout_lines | length > 0
+        - ('anaconda' in item or 'dnf' in item or 'secure' in item  or 'messages' in item or 'hawkey' in item)
       ansible.builtin.file:
         path: "{{ item }}"
-        mode: 'u-x,g-wx,o-rwx'
-        owner: root
-        group: root
-      loop: "{{ discovered_logfiles_flattened }}"
+        mode: 'u-x,g-x,o-rwx'
+      loop: "{{ discovered_logfiles.stdout_lines }}"
 
     - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
       when:
-        - discovered_logfiles_flattened is defined
-        - "'sssd' in item"
-        - item == "/var/log/utmp"
-        - item == "/var/log/wtmp"
-        - item == "/var/log/lastlog"
+        - discovered_logfiles.stdout_lines | length > 0
+        - ('sssd' in item or 'lastlog' in item) or
+          item == "/var/log/btmp" or
+          item == "/var/log/utmp" or
+          item == "/var/log/wtmp" or
+          item == "/var/log/lastlog"
       ansible.builtin.file:
         path: "{{ item }}"
-        mode: 'u-x,g-wx,o-rwx'
-      loop: "{{ discovered_logfiles_flattened }}"
+        mode: 'ug-x,o-wx'
+      loop: "{{ discovered_logfiles.stdout_lines }}"

tasks/section_6/main.yml

@@ -8,11 +8,16 @@
   ansible.builtin.import_tasks:
     file: cis_6.2.1.x.yml
 
-- name: "SECTION | 6.2.2 | Configure journald"
+- name: "SECTION | 6.2.2.1.x | Configure journald-remote"
   when: rhel9cis_syslog == 'journald'
   ansible.builtin.import_tasks:
     file: cis_6.2.2.1.x.yml
 
+- name: "SECTION | 6.2.2.x | Configure journald"
+  when: rhel9cis_syslog == 'journald'
+  ansible.builtin.import_tasks:
+    file: cis_6.2.2.x.yml
+
 - name: "SECTION | 6.2.3 | Configure rsyslog"
   when: rhel9cis_syslog == 'rsyslog'
   ansible.builtin.import_tasks:

templates/audit/99_auditd.rules.j2

@@ -46,6 +46,9 @@
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/security/opasswd -p wa -k identity
+-w /etc/nsswitch.conf -p wa -k identity
+-w /etc/pam.conf -p wa -k identity
+-w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_6_3_3_9 %}
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
@@ -83,7 +86,7 @@
 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_cmd
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_18 %}
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod

templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2

@@ -1,9 +1,9 @@
 # CIS Configurations
 # 5.3.3.2.3 Ensure password complexity is configured
-{% if rhel9cis_passwd_complex_option == minclass %}
+{% if rhel9cis_passwd_complex_option == 'minclass' %}
 minclass = {{ rhel9cis_passwd_minclass }}
-{ %endif %}
-{% if rhel9cis_passwd_complex_option == credits %}
+{% endif %}
+{% if rhel9cis_passwd_complex_option == 'credits' %}
 dcredit = {{rhel9cis_passwd_dcredit }}
 ucredit = {{ rhel9cis_passwd_ucredit }}
 ocredit = {{ rhel9cis_passwd_ocredit }}