--- - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured" when: rhel9cis_rule_5_3_3_3_1 tags: - level1-server - level1-workstation - patch - rule_5.3.3.3.1 - pam block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/password-auth /etc/pam.d/system-auth changed_when: false failed_when: discovered_pwhistory_remember.rc not in [0, 1] register: discovered_pwhistory_remember - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file" ansible.builtin.lineinfile: path: "/etc/security/pwhistory.conf" regexp: remember\s*=\s*\d* line: remember = {{ rhel9cis_pamd_pwhistory_remember }} - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\sremember=\d*(.*$) replace: \1\2\3 loop: - password - system - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\sremember=\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" when: rhel9cis_rule_5_3_3_3_2 tags: - level1-server - level1-workstation - patch - rule_5.3.3.3.2 - pam ansible.builtin.lineinfile: path: "/etc/security/pwhistory.conf" regexp: ^\s*(?#)enforce_for_root line: enforce_for_root - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" when: rhel9cis_rule_5_3_3_3_3 tags: - level1-server - level1-workstation - patch - rule_5.3.3.3.3 - pam block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth register: discovered_pwhistory_use_authtok changed_when: false failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set" when: - not rhel9cis_allow_authselect_updates - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "{{ item }}" regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok) line: password required pam_pwhistory.so use_authtok insertbefore: ^password.*pam_deny.so loop: - /etc/pam.d/password-auth - /etc/pam.d/system-auth - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\suse_authtok(.*$) line: \1\2 use_authtok\3 backrefs: true loop: - password - system notify: Authselect update