Use new prelim task for controls based on #273

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2025-01-22 08:53:27 +00:00
parent fb73b18596
commit 5e176d4dc9
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9


@ -18,10 +18,9 @@
path: "{{ item }}"
regexp: 'difok\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- /etc/pam.d/*-auth
loop:
- /etc/security/pwquality.conf
- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
ansible.builtin.template:
@ -74,10 +73,9 @@
path: "{{ item }}"
regexp: 'minlen\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
loop:
- /etc/security/pwquality.conf
- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
ansible.builtin.template:
@ -130,10 +128,9 @@
path: "{{ item }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
loop:
- /etc/security/pwquality.conf
- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
ansible.builtin.template:
@ -184,10 +181,9 @@
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
loop:
- /etc/security/pwquality.conf
- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
ansible.builtin.template:
@ -240,10 +236,9 @@
path: "{{ item }}"
regexp: 'maxsequence\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
loop:
- /etc/security/pwquality.conf
- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
ansible.builtin.template:
@ -295,10 +290,9 @@
path: "{{ item }}"
regexp: 'dictcheck\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
loop:
- /etc/security/pwquality.conf
- "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
ansible.builtin.template:
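Review bot: In each of the six new `loop:` lists (difok, minlen, complexity, maxrepeat, maxsequence, dictcheck) the second entry is the whole `prelim_pam_pwquality_confs.files` value, and `loop` does not flatten nested lists the way `with_fileglob` did, so `path: "{{ item }}"` would receive a list instead of a file path. The prelim task is not visible on this page; if it registers an `ansible.builtin.find` result, each element is also a dict and the `path` attribute has to be extracted. A single flat expression covers both, e.g. `loop: "{{ ['/etc/security/pwquality.conf'] + (prelim_pam_pwquality_confs.files | default([]) | map(attribute='path') | list) }}"`. Separately, the `/etc/pam.d/*-auth` glob appears to have been dropped from the list, so unless the prelim search also covers PAM files, an inline pam_pwquality argument left there could override the templated conf file and the control would report as patched while the weaker value stays in effect.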