From 424e5f78eb9230b816c3f357b9b49fc50e0f8f04 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Mon, 13 Jan 2025 11:55:27 +0000
Subject: [PATCH 1/2] Added fix for 5.3.2.2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/section_5/cis_5.3.2.x.yml | 62 ++++++++++++++++++++++++++-------
 1 file changed, 50 insertions(+), 12 deletions(-)

diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml
index d80e39a..ef84113 100644
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@@ -45,7 +45,6 @@
   when:
     - rhel9cis_rule_5_3_2_2
     - rhel9cis_disruption_high
-    - rhel9cis_allow_authselect_updates
   tags:
     - level1-server
     - level1-workstation
@@ -58,19 +57,58 @@
     - NIST800-53R5_IA-5
     - authselect
     - rule_5.3.2.2
-  notify: Authselect update
   block:
-    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
-      ansible.builtin.shell: |
-        authselect current | grep faillock
-      changed_when: false
-      failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
-      register: discovered_authselect_current_faillock
+    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
+      block:
+        - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
+          when: rhel9cis_allow_authselect_updates
+          ansible.builtin.shell: authselect current | grep faillock
+          changed_when: false
+          failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
+          register: discovered_authselect_current_faillock
 
-    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"  # noqa syntax-check[specific]"
-      when: discovered_authselect_current_faillock.rc != 0
-      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
-      changed_when: true
+        - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect"  # noqa syntax-check[specific]"
+          when:
+            - rhel9cis_allow_authselect_updates
+            - discovered_authselect_current_faillock.rc != 0
+          ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+          changed_when: true
+          notify: Authselect update
+
+    - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Get current config not authselect"
+      block:
+        - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | not authselect"
+          when: not rhel9cis_allow_authselect_updates
+          ansible.builtin.command: grep -E "(auth|account)\s*required\s*pam_faillock.so" /etc/pam.d/{system,password}-auth
+          changed_when: false
+          failed_when: false
+          register: discovered_faillock_not_authselect
+
+        - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add lines system-auth"
+          when: not rhel9cis_allow_authselect_updates
+          ansible.builtin.lineinfile:
+            path: "/etc/pam.d/system-auth"
+            regexp: "{{ item.regexp }}"
+            insertbefore: "{{ item.before | default(omit) }}"
+            insertafter: "{{ item.after | default(omit) }}"
+            line: "{{ item.line }}"
+          loop:
+            - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account     required      pam_faillock.so }
+
+        - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
+          when: not rhel9cis_allow_authselect_updates
+          ansible.builtin.lineinfile:
+            path: "/etc/pam.d/password-auth"
+            regexp: "{{ item.regexp }}"
+            insertbefore: "{{ item.before | default(omit) }}"
+            insertafter: "{{ item.after | default(omit) }}"
+            line: "{{ item.line }}"
+          loop:
+            - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
+            - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: account     required      pam_faillock.so }
 
 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
   when:

From c0ce0533387039e8f8d599b0ef98723e407daba9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Mon, 13 Jan 2025 11:55:41 +0000
Subject: [PATCH 2/2] added origin #272 5.3.3.3.3

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/section_5/cis_5.3.3.3.x.yml | 52 +++++--------------------------
 1 file changed, 8 insertions(+), 44 deletions(-)

diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
index ca5a5dc..8fe6036 100644
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -54,43 +54,10 @@
     - patch
     - rule_5.3.3.3.2
     - pam
-  block:
-    - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
-      ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth
-      register: discovered_pwhistory_enforce_for_root
-      changed_when: false
-      failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
-
-    - name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file"
-      ansible.builtin.lineinfile:
-        path: "/etc/security/pwhistory.conf"
-        regexp: ^\s*(?#)enforce_for_root
-        line: enforce_for_root
-
-    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
-      when:
-        - not rhel9cis_allow_authselect_updates
-        - discovered_pwhistory_enforce_for_root.stdout | length == 0
-        - rhel9cis_disruption_high
-      ansible.builtin.lineinfile:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
-        regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
-        line: '\1\2\3 enforce_for_root'
-        backrefs: true
-
-    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
-      when:
-        - rhel9cis_allow_authselect_updates
-        - discovered_pwhistory_enforce_for_root.stdout | length == 0
-        - rhel9cis_disruption_high
-      ansible.builtin.replace:
-        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
-        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\senforce_for_root(.*$)
-        replace: \1\2enforce_for_root\3
-      loop:
-        - password
-        - system
-      notify: Authselect update
+  ansible.builtin.lineinfile:
+    path: "/etc/security/pwhistory.conf"
+    regexp: ^\s*(?#)enforce_for_root
+    line: enforce_for_root
 
 - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
   when: rhel9cis_rule_5_3_3_3_3
@@ -107,22 +74,19 @@
       changed_when: false
       failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
 
-    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok"
-      ansible.builtin.lineinfile:
-        path: "/etc/security/pwhistory.conf"
-        regexp: ^\s*(?#)use_authtok
-        line: use_authtok
-
     - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
       when:
         - not rhel9cis_allow_authselect_updates
         - discovered_pwhistory_use_authtok.stdout | length == 0
         - rhel9cis_disruption_high
       ansible.builtin.lineinfile:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
+        path: "{{ item }}"
         regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
         line: '\1\2 use_authtok'
         backrefs: true
+      loop:
+        - /etc/pam.d/password-auth
+        - /etc/pam.d/system-auth
 
     - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
       when: