ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-26 15:13:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'lint_dec24' into alignment

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 13:36:08 +00:00
commit 82f7b53a67
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
49 changed files with 375 additions and 606 deletions
Download patch file Download diff file Expand all files Collapse all files

9
tasks/section_5/cis_5.3.2.x.yml
View file

@ -67,7 +67,7 @@
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
@ -141,8 +141,7 @@
- rule_5.3.2.5
block:
- name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled"
ansible.builtin.shell: |
grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
changed_when: false
failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_discovered_authselect_pam_unix
@ -150,7 +149,7 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
backrefs: true
@ -164,7 +163,7 @@
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout"
ansible.builtin.lineinfile:
path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
backrefs: true