mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-25 14:43:06 +00:00
86 lines
2.9 KiB
YAML
86 lines
2.9 KiB
YAML
---
|
|
|
|
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
|
|
when:
|
|
- rhel8cis_rule_5_3_3_1_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- automated
|
|
- patch
|
|
- pam
|
|
- rule_5.3.3.1.1
|
|
block:
|
|
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | faillock.conf"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/security/faillock.conf
|
|
state: present
|
|
regexp: '^(#|)\s*deny\s*=\s*\d'
|
|
line: "deny = {{ rhel8cis_pam_faillock['deny'] }}"
|
|
|
|
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | pam_files"
|
|
when: not rhel8cis_allow_authselect_updates
|
|
ansible.builtin.replace:
|
|
path: "/etc/pam.d/{{ item }}-auth"
|
|
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
|
|
replace: \1\2\3
|
|
loop:
|
|
- password
|
|
- system
|
|
|
|
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
|
|
when:
|
|
- rhel8cis_rule_5_3_3_1_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- automated
|
|
- patch
|
|
- pam
|
|
- rule_5.3.3.1.2
|
|
block:
|
|
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | faillock.conf"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/security/faillock.conf
|
|
state: present
|
|
regexp: '^(#|)\s*unlock_time\s*=\s*\d'
|
|
line: "unlock_time = {{ rhel8cis_pam_faillock['unlock_time'] }}"
|
|
|
|
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | pam_files"
|
|
when: not rhel8cis_allow_authselect_updates
|
|
ansible.builtin.replace:
|
|
path: "/etc/pam.d/{{ item }}-auth"
|
|
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+unlock_time\s*=\s*\S+(.*$)
|
|
replace: \1\2\3
|
|
loop:
|
|
- password
|
|
- system
|
|
|
|
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
|
|
when:
|
|
- rhel9cis_rule_5_3_3_1_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- automated
|
|
- patch
|
|
- pam
|
|
- rule_5.3.3.1.3
|
|
block:
|
|
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | configure faillock.conf"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/security/faillock.conf
|
|
regexp: '^{{ rhel9cis_pamroot_lock_option }}'
|
|
line: "{{ rhel9cis_pamroot_lock_string }}"
|
|
insertafter: '^# end of pam-auth-update config'
|
|
create: true
|
|
|
|
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | pam_files"
|
|
when: not rhel9cis_allow_authselect_updates
|
|
ansible.builtin.replace:
|
|
path: "/etc/pam.d/{{ item }}-auth"
|
|
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s(even_deny_root|root_unlock_time=\d*)"(\s*=\s*\d|.*)\S+(.*$)
|
|
replace: \1\2\4
|
|
loop:
|
|
- password
|
|
- system
|