fix: make 5.3.2.2 idempotent with 5.3.3.1.1

Signed-off-by: bol7742 <102948121+bol7742@users.noreply.github.com>
2025-12-24 14:23:05 +00:00 · 2025-12-22 11:28:49 +01:00 · 2025-12-22 11:28:49 +01:00 · f15407dcb4
commit f15407dcb4
parent 53287f31a9
1 changed files with 4 additions and 4 deletions
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -93,10 +93,10 @@
          loop:
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
              after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
              before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "account\\s+required\\s+pam_faillock.so"
              before: "account\\s+required\\s+pam_unix.so"
              line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons
@ -112,10 +112,10 @@
          loop:
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
              after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
              before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "account\\s+required\\s+pam_faillock.so"
              before: "account\\s+required\\s+pam_unix.so"
              line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons