mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
131 lines
6.6 KiB
YAML
131 lines
6.6 KiB
YAML
---
|
|
|
|
- name: |
|
|
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
|
|
5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
|
|
5.4.3 | L1 | PATCH | Ensure password reuse is limited
|
|
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
|
|
block:
|
|
- name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
|
|
lineinfile:
|
|
state: present
|
|
dest: /etc/security/pwquality.conf
|
|
regexp: ^{{ item.name }}
|
|
line: "{{ item.name }} = {{ item.value }}"
|
|
with_items:
|
|
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
|
|
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
|
|
when: rhel9cis_rule_5_4_1
|
|
|
|
- name: |
|
|
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings
|
|
5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings"
|
|
lineinfile:
|
|
dest: /etc/pam.d/system-auth
|
|
state: present
|
|
regexp: '^password requisite pam_pwquality.so'
|
|
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
|
|
insertbefore: '^#?password ?'
|
|
when:
|
|
- rhel9cis_rule_5_4_1 or
|
|
rhel9cis_rule_5_4_3
|
|
|
|
- name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
|
|
lineinfile:
|
|
dest: /etc/pam.d/password-auth
|
|
state: present
|
|
regexp: '^password requisite pam_pwquality.so'
|
|
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3"
|
|
insertbefore: '^#?password ?'
|
|
when: rhel9cis_rule_5_4_1
|
|
|
|
- name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth"
|
|
lineinfile:
|
|
dest: /etc/pam.d/{{ item }}
|
|
state: present
|
|
regexp: '^auth required pam_faillock.so preauth'
|
|
line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
|
|
insertafter: '^#?auth ?'
|
|
with_items:
|
|
- "system-auth"
|
|
- "password-auth"
|
|
when: rhel9cis_rule_5_4_2
|
|
|
|
- name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail"
|
|
lineinfile:
|
|
dest: /etc/pam.d/{{ item }}
|
|
state: present
|
|
regexp: '^auth required pam_faillock.so authfail'
|
|
line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
|
|
insertafter: '^#?auth ?'
|
|
with_items:
|
|
- "system-auth"
|
|
- "password-auth"
|
|
when: rhel9cis_rule_5_4_2
|
|
|
|
- name: |
|
|
"5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings
|
|
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
|
|
lineinfile:
|
|
dest: /etc/pam.d/system-auth
|
|
state: present
|
|
regexp: '^password sufficient pam_unix.so'
|
|
line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}"
|
|
insertafter: '^#?password ?'
|
|
when:
|
|
- rhel9cis_rule_5_4_3 or
|
|
rhel9cis_rule_5_4_4
|
|
|
|
- name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
|
|
lineinfile:
|
|
dest: /etc/pam.d/password-auth
|
|
state: present
|
|
regexp: '^password sufficient pam_unix.so'
|
|
line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok"
|
|
insertafter: '^#?password ?'
|
|
when: rhel9cis_rule_5_4_4
|
|
|
|
# The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services
|
|
# With the steps below you will score five (5) points lower due to false positive results
|
|
- name: |
|
|
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
|
|
5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
|
|
5.4.3 | L1 | PATCH | Ensure password reuse is limited
|
|
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
|
|
copy:
|
|
src: /etc/pam.d/{{ item }}
|
|
dest: /etc/pam.d/{{ item }}-local
|
|
remote_src: yes
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
with_items:
|
|
- "system-auth"
|
|
- "password-auth"
|
|
|
|
- name: |
|
|
"5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
|
|
5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
|
|
5.4.3 | L1 | PATCH | Ensure password reuse is limited
|
|
5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
|
|
file:
|
|
src: /etc/pam.d/{{ item }}-local
|
|
dest: /etc/pam.d/{{ item }}
|
|
state: link
|
|
force: yes
|
|
with_items:
|
|
- "system-auth"
|
|
- "password-auth"
|
|
when:
|
|
- rhel9cis_rule_5_4_1 or
|
|
rhel9cis_rule_5_4_2 or
|
|
rhel9cis_rule_5_4_3 or
|
|
rhel9cis_rule_5_4_4
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.4.1
|
|
- rule_5.4.2
|
|
- rule_5.4.3
|
|
- rule_5.4.4
|