ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge pull request #278 from ansible-lockdown/issue_#272

Browse source 
Issue #272
This commit is contained in:
uk-bolly 2025-01-21 19:43:29 +00:00 committed by GitHub
commit 8b13921b2e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 58 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

62
tasks/section_5/cis_5.3.2.x.yml
View file

@ -45,7 +45,6 @@
when:
- rhel9cis_rule_5_3_2_2
- rhel9cis_disruption_high
- rhel9cis_allow_authselect_updates
tags:
- level1-server
- level1-workstation
@ -58,19 +57,58 @@
- NIST800-53R5_IA-5
- authselect
- rule_5.3.2.2
notify: Authselect update
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
ansible.builtin.shell: |
authselect current | grep faillock
changed_when: false
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.shell: authselect current | grep faillock
changed_when: false
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]"
when:
- rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Get current config not authselect"
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | not authselect"
when: not rhel9cis_allow_authselect_updates
ansible.builtin.command: grep -E "(auth|account)\s*required\s*pam_faillock.so" /etc/pam.d/{system,password}-auth
changed_when: false
failed_when: false
register: discovered_faillock_not_authselect
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add lines system-auth"
when: not rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/pam.d/system-auth"
regexp: "{{ item.regexp }}"
insertbefore: "{{ item.before | default(omit) }}"
insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}"
loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account required pam_faillock.so }
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
when: not rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: "{{ item.regexp }}"
insertbefore: "{{ item.before | default(omit) }}"
insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}"
loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account required pam_faillock.so }
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when:

52
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -54,43 +54,10 @@
- patch
- rule_5.3.3.3.2
- pam
block:
- name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth
register: discovered_pwhistory_enforce_for_root
changed_when: false
failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
- name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)enforce_for_root
line: enforce_for_root
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
when:
- not rhel9cis_allow_authselect_updates
- discovered_pwhistory_enforce_for_root.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
line: '\1\2\3 enforce_for_root'
backrefs: true
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
when:
- rhel9cis_allow_authselect_updates
- discovered_pwhistory_enforce_for_root.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\senforce_for_root(.*$)
replace: \1\2enforce_for_root\3
loop:
- password
- system
notify: Authselect update
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)enforce_for_root
line: enforce_for_root
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
when: rhel9cis_rule_5_3_3_3_3
@ -107,22 +74,19 @@
changed_when: false
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)use_authtok
line: use_authtok
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
when:
- not rhel9cis_allow_authselect_updates
- discovered_pwhistory_use_authtok.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
path: "{{ item }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
line: '\1\2 use_authtok'
backrefs: true
loop:
- /etc/pam.d/password-auth
- /etc/pam.d/system-auth
- name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
when: