RHEL9-CIS/tasks/section_5/cis_5.4.x.yml

---

- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
  block:
      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
        ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
        failed_when: false
        changed_when: false
        check_mode: false
        register: rhel9cis_5_4_1_profiles

      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
        ansible.builtin.debug:
            msg:
                - "Below are the current custom profiles"
                - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"

      - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
        ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
        when: rhel9cis_authselect_custom_profile_create
  when:
      - rhel9cis_rule_5_4_1
  tags:
      - level1-server
      - level1-workstation
      - manual
      - patch
      - authselect
      - rule_5.4.1

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
  block:
      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
        ansible.builtin.shell: "authselect current | grep with-faillock"
        failed_when: false
        changed_when: false
        check_mode: false
        register: rhel9cis_5_4_2_profiles_faillock

      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Show profiles"
        ansible.builtin.debug:
            msg:
                - "Below are the current custom profiles"
                - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"

      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }}  {{ rhel9cis_authselect['options'] }}"
        when: rhel9cis_authselect_custom_profile_select

      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/password-auth"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            insertbefore: "{{ item.before }}"
        loop:
            - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth            required       pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
            - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth            required       pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
            - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account      required       pam_faillock.so', 'before':'^account     required      pam_unix.so'}
        when:
            - rhel9cis_add_faillock_without_authselect
            - rhel9cis_5_4_2_risks == 'ACCEPT'

      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/system-auth"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            insertbefore: "{{ item.before | default(omit)}}"
            insertafter: "{{ item.after | default(omit)}}"
        loop:
            - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line':'auth        required      pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
            - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth        required      pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
            - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account     required      pam_faillock.so', 'before':'^account     required      pam_unix.so'}
        when:
            - rhel9cis_add_faillock_without_authselect
            - rhel9cis_5_4_2_risks == 'ACCEPT'
  when:
      - rhel9cis_rule_5_4_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - authselect
      - rule_5.4.2