RHEL9-CIS/tasks/section_5/cis_5.5.x.yml

---

- name: "5.5.1 | PATCH | "
  block:
      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
        blockinfile:
            path: /etc/security/pwquality.conf
            marker: "<!-- {mark} CIS 5.5.1 ANSIBLE MANAGED BLOCK -->"
            block: "{{ rhel9cis_pam_password }}"

      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
        lineinfile:
            path: /etc/pam.d/system-auth
            state: present
            regexp: '^password\s*requisite\s*pam_pwquality.so'
            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
            insertbefore: '^#?password ?'

      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
        lineinfile:
            path: /etc/pam.d/password-auth
            state: present
            regexp: '^password\s*requisite\s*pam_pwquality.so'
            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
            insertbefore: '^#?password ?'
  when:
      - rhel9cis_rule_5_5_1
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.1

- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2"
  block:
      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth"
        lineinfile:
            path: /etc/pam.d/{{ item }}
            state: present
            regexp: '^auth\s*required\s*pam_faillock.so preauth'
            line: "auth        required                                     pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
            insertafter: '^#?auth ?'
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail"
        lineinfile:
            path: /etc/pam.d/{{ item }}
            state: present
            regexp: '^auth\s*required\s*pam_faillock.so authfail'
            line: "auth        required                                     pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
            insertafter: '^#?auth ?'
        with_items:
            - "system-auth"
            - "password-auth"
  when:
      - ansible_distribution_version <= "8.1"
      - rhel9cis_rule_5_5_2

- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ "
  lineinfile:
      path: /etc/security/faillock.conf
      state: present
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
  with_items:
      - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' }
      - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' }
  when:
      - ansible_distribution_version >= "8.2"
      - rhel9cis_rule_5_5_2

- name: "5.5.3 | PATCH | Ensure password reuse is limited"
  block:
      - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory"
        lineinfile:
            path: /etc/pam.d/system-auth
            state: present
            line: "password    requisite     pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
            insertafter: '^password\s*requisite\s*pam_pwquality.so'

      - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
        replace:
            path: /etc/pam.d/system-auth
            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
  when:
      - rhel9cis_rule_5_5_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.3

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512"
  block:
      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
        replace:
            path: /etc/libuser.conf
            regexp: '^crypt_style\s*=\s*.*$'
            replace: 'crypt_style = sha512'

      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
        replace:
            path: /etc/login.defs
            regexp: '^ENCRYPT_METHOD.*'
            replace: 'ENCRYPT_METHOD SHA512'

      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
        replace:
            path: /etc/pam.d/password-auth
            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'

      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
        replace:
            path: /etc/pam.d/system-auth
            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
  when:
      - rhel9cis_rule_5_5_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.4