--- - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" when: rhel9cis_rule_5_3_3_2_1 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.1 - NIST800-53R5_IA-5 - pam block: - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" when: - item != rhel9cis_passwd_difok_file - rhel9cis_disruption_high ansible.builtin.replace: path: "{{ item }}" regexp: 'difok\s*=\s*\d+\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' - '/etc/security/pwquality.conf.d/*.conf' - /etc/pam.d/*-auth - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" ansible.builtin.template: src: "{{ rhel9cis_passwd_difok_file }}.j2" dest: "/{{ rhel9cis_passwd_difok_file }}" owner: root group: root mode: 'go-rwx' - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdifok=\d*(.*$) replace: \1\2\3 loop: - password - system - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdifok=\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.2.2 | PATCH | Ensure password length is configured" when: rhel9cis_rule_5_3_3_2_2 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.2 - NIST800-53R5_IA-5 - pam block: - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" when: - item != rhel9cis_passwd_minlen_file - rhel9cis_disruption_high ansible.builtin.replace: path: "{{ item }}" regexp: 'minlen\s*=\s*\d+\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' - '/etc/security/pwquality.conf.d/*.conf' - '/etc/pam.d/*-auth' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" ansible.builtin.template: src: "{{ rhel9cis_passwd_minlen_file }}.j2" dest: "/{{ rhel9cis_passwd_minlen_file }}" owner: root group: root mode: 'go-rwx' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sminlen=\d*(.*$) replace: \1\2\3 loop: - password - system - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sminlen=\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" when: rhel9cis_rule_5_3_3_2_3 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.3 - NIST800-53R5_IA-5 - pam block: - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" when: - item != rhel9cis_passwd_complex_file - rhel9cis_disruption_high ansible.builtin.replace: path: "{{ item }}" regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' - '/etc/security/pwquality.conf.d/*.conf' - '/etc/pam.d/*-auth' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" ansible.builtin.template: src: "{{ rhel9cis_passwd_complex_file }}.j2" dest: "/{{ rhel9cis_passwd_complex_file }}" owner: root group: root mode: 'go-rwx' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\s(minclass=[0-3]|[dulo]credit=[^-]\d*)(.*$) replace: \1\2\4 loop: - password - system - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\s(minclass=[0-3]|[dulo]credit=[^-]\d*)(.*$) replace: \1\2\4 loop: - password - system notify: Authselect update - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" when: rhel9cis_rule_5_3_3_2_4 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.4 - NIST800-53R5_IA-5 - pam block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" when: item != rhel9cis_passwd_maxrepeat_file ansible.builtin.replace: path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' - '/etc/security/pwquality.conf.d/*.conf' - '/etc/pam.d/*-auth' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" ansible.builtin.template: src: "{{ rhel9cis_passwd_maxrepeat_file }}.j2" dest: "/{{ rhel9cis_passwd_maxrepeat_file }}" owner: root group: root mode: 'go-rwx' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxrepeat\s*=\s*\d*(.*$) replace: \1\2\3 loop: - password - system - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxrepeat\s*=\s*\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" when: rhel9cis_rule_5_3_3_2_5 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.5 - NIST800-53R5_IA-5 - pam block: - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" when: - item != rhel9cis_passwd_maxsequence_file - rhel9cis_disruption_high ansible.builtin.replace: path: "{{ item }}" regexp: 'maxsequence\s*=\s*\d+\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' - '/etc/security/pwquality.conf.d/*.conf' - '/etc/pam.d/*-auth' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" ansible.builtin.template: src: "{{ rhel9cis_passwd_maxsequence_file }}.j2" dest: "/{{ rhel9cis_passwd_maxsequence_file }}" owner: root group: root mode: 'go-rwx' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxsequence\s*=\s*\d*(.*$) replace: \1\2\3 loop: - password - system - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxsequence\s*=\s*\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" when: rhel9cis_rule_5_3_3_2_6 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.6 - NIST800-53R5_IA-5 - pam block: - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" when: - item != rhel9cis_passwd_dictcheck_file ansible.builtin.replace: path: "{{ item }}" regexp: 'dictcheck\s*=\s*\d+\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' - '/etc/security/pwquality.conf.d/*.conf' - '/etc/pam.d/*-auth' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" ansible.builtin.template: src: "{{ rhel9cis_passwd_dictcheck_file }}.j2" dest: "/{{ rhel9cis_passwd_dictcheck_file }}" owner: root group: root mode: 'go-rwx' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect" when: - not rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdictcheck\s*=\s*\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdictcheck\s*=\s*\d*(.*$) replace: \1\2\3 loop: - password - system notify: Authselect update - name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server - level1-workstation - patch - rule_5.3.3.2.7 - NIST800-53R5_IA-5 - pam ansible.builtin.template: src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2" dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}" owner: root group: root mode: 'o-rwx'