ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
RHEL9-CIS/tasks/section_5/cis_5.3.3.3.x.yml
Mark Bolwell fecfb7e793
addressed issue #282 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-01-30 12:40:52 +00:00

104 lines
4.1 KiB
YAML
Raw Blame History

---
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
when: rhel9cis_rule_5_3_3_3_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.3.3.3.1
- pam
block:
- name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/password-auth /etc/pam.d/system-auth
changed_when: false
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
register: discovered_pwhistory_remember
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: remember\s*=\s*\d*
line: remember = {{ rhel9cis_pamd_pwhistory_remember }}
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\sremember=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\sremember=\d*(.*$)
replace: \1\2\3
loop:
- password
- system
notify: Authselect update
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
when: rhel9cis_rule_5_3_3_3_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.3.3.3.2
- pam
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)enforce_for_root
line: enforce_for_root
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
when: rhel9cis_rule_5_3_3_3_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.3.3.3.3
- pam
block:
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
register: discovered_pwhistory_use_authtok
changed_when: false
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
when:
- not rhel9cis_allow_authselect_updates
- discovered_pwhistory_use_authtok.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok)
line: password required pam_pwhistory.so use_authtok
insertbefore: ^password.*pam_deny.so
loop:
- /etc/pam.d/password-auth
- /etc/pam.d/system-auth
- name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
- discovered_pwhistory_use_authtok.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\suse_authtok(.*$)
line: \1\2 use_authtok\3
backrefs: true
loop:
- password
- system
notify: Authselect update
Reference in a new issue View git blame Copy permalink