RHEL9-CIS/tasks/section_5/cis_5.5.x_authselect.yml

---

- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
  block:
      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
        ansible.builtin.lineinfile:
            path: /etc/security/pwquality.conf
            regexp: ^{{ item.name }}
            line: "{{ item.name }} = {{ item.value }}"
        loop:
            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }

      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
        ansible.builtin.lineinfile:
            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
            regexp: '^password\s*requisite\s*pam_pwquality.so'
            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
            insertbefore: '^#?password ?'
        notify: Apply_authselect

      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
        ansible.builtin.lineinfile:
            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
            regexp: '^password\s*requisite\s*pam_pwquality.so'
            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
            insertbefore: '^#?password ?'
        notify: Apply_authselect
  when:
      - rhel9cis_rule_5_5_1
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.1

- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
  block:
      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
        ansible.builtin.lineinfile:
            path: /etc/security/faillock.conf
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
        loop:
            - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
            - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }

      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
            line: "auth         required     pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
            insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
        loop:
            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
        notify: Apply_authselect

      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
            line: "auth         required     pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
            insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
        loop:
            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
        notify: Apply_authselect

      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
            line: "account     required     pam_faillock.so"
            insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
        loop:
            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
        notify: Apply_authselect
  when:
      - rhel9cis_rule_5_5_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.2

- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
  block:
      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
        ansible.builtin.lineinfile:
            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
            insertafter: '^password\s*requisite\s*pam_pwquality.so'
        notify: Apply_authselect

      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
        ansible.builtin.lineinfile:
            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
            insertafter: '^password\s*requisite\s*pam_pwquality.so'
        notify: Apply_authselect
  when:
      - rhel9cis_rule_5_5_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.3

- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
  block:
      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
        ansible.builtin.replace:
            path: /etc/libuser.conf
            regexp: '^crypt_style\s*=\s*.*$'
            replace: 'crypt_style = sha512'

      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
        ansible.builtin.replace:
            path: /etc/login.defs
            regexp: '^ENCRYPT_METHOD.*'
            replace: 'ENCRYPT_METHOD SHA512'

      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
        ansible.builtin.replace:
            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
        notify: Apply_authselect

      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
        ansible.builtin.replace:
            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
            replace: 'password    sufficient     pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
        notify: Apply_authselect
  when:
      - rhel9cis_rule_5_5_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.4