ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

applied latest fix from public #386 thansk to @polski-g

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-09-30 14:38:45 +01:00
parent 3c3bdaeb38
commit caffb14671
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
1 changed files with 18 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

24
tasks/section_5/cis_5.3.2.x.yml
View file

@ -91,9 +91,15 @@
insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}"
loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" }
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
when: not rhel9cis_allow_authselect_updates
@ -104,9 +110,15 @@
insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}"
loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" }
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when: