--- - name: "5.5.1 | PATCH | Ensure password creation requirements are configured" block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" loop: - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' when: - rhel9cis_rule_5_5_1 tags: - level1-server - level1-workstation - patch - rule_5.5.1 - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" block: - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs" ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" loop: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' } - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth" ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)' line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$' loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail" ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)' line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$' loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so" ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$' line: "account required pam_faillock.so" insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$' loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" when: - rhel9cis_rule_5_5_2 tags: - level1-server - level1-workstation - patch - rule_5.5.2 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" block: - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' when: - rhel9cis_rule_5_5_3 tags: - level1-server - level1-workstation - patch - rule_5.5.3 - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt" block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" ansible.builtin.replace: path: /etc/libuser.conf regexp: '^crypt_style\s*=\s*.*$' replace: 'crypt_style = sha512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" ansible.builtin.replace: path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" ansible.builtin.replace: path: /etc/pam.d/password-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 tags: - level1-server - level1-workstation - patch - rule_5.5.4