Added fix for 5.3.2.2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2025-01-13 11:55:27 +00:00 · 2025-01-13 11:55:27 +00:00 · 424e5f78eb
commit 424e5f78eb
parent b683b940f5
1 changed files with 50 additions and 12 deletions
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -45,7 +45,6 @@
  when:
    - rhel9cis_rule_5_3_2_2
    - rhel9cis_disruption_high
-    - rhel9cis_allow_authselect_updates
  tags:
    - level1-server
    - level1-workstation
@ -58,19 +57,58 @@
    - NIST800-53R5_IA-5
    - authselect
    - rule_5.3.2.2
-  notify: Authselect update
  block:
-    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
-      ansible.builtin.shell: |
-        authselect current | grep faillock
+    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
+      block:
+        - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
+          when: rhel9cis_allow_authselect_updates
+          ansible.builtin.shell: authselect current | grep faillock
          changed_when: false
          failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
          register: discovered_authselect_current_faillock

-    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"  # noqa syntax-check[specific]"
-      when: discovered_authselect_current_faillock.rc != 0
+        - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect"  # noqa syntax-check[specific]"
+          when:
+            - rhel9cis_allow_authselect_updates
+            - discovered_authselect_current_faillock.rc != 0
          ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
          changed_when: true
+          notify: Authselect update
+
+    - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Get current config not authselect"
+      block:
+        - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | not authselect"
+          when: not rhel9cis_allow_authselect_updates
+          ansible.builtin.command: grep -E "(auth|account)\s*required\s*pam_faillock.so" /etc/pam.d/{system,password}-auth
+          changed_when: false
+          failed_when: false
+          register: discovered_faillock_not_authselect
+
+        - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add lines system-auth"
+          when: not rhel9cis_allow_authselect_updates
+          ansible.builtin.lineinfile:
+            path: "/etc/pam.d/system-auth"
+            regexp: "{{ item.regexp }}"
+            insertbefore: "{{ item.before | default(omit) }}"
+            insertafter: "{{ item.after | default(omit) }}"
+            line: "{{ item.line }}"
+          loop:
+            - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account     required      pam_faillock.so }
+
+        - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
+          when: not rhel9cis_allow_authselect_updates
+          ansible.builtin.lineinfile:
+            path: "/etc/pam.d/password-auth"
+            regexp: "{{ item.regexp }}"
+            insertbefore: "{{ item.before | default(omit) }}"
+            insertafter: "{{ item.after | default(omit) }}"
+            line: "{{ item.line }}"
+          loop:
+            - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account     required      pam_faillock.so }

 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
  when: