RHEL9-CIS/tasks/section_5/cis_5.4.x.yml

---

- name: |
    "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
     5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
     5.4.3 | L1 | PATCH | Ensure password reuse is limited
     5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
  block:
      - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
        lineinfile:
            state: present
            dest: /etc/security/pwquality.conf
            regexp: ^{{ item.name }}
            line: "{{ item.name }} = {{ item.value }}"
        with_items:
            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
        when: rhel9cis_rule_5_4_1

      - name: |
          "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings
           5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings"
        lineinfile:
            dest: /etc/pam.d/system-auth
            state: present
            regexp: '^password    requisite                                    pam_pwquality.so'
            line: "password    requisite                                    pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
            insertbefore: '^#?password ?'
        when:
            - rhel9cis_rule_5_4_1 or
              rhel9cis_rule_5_4_3

      - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
        lineinfile:
            dest: /etc/pam.d/password-auth
            state: present
            regexp: '^password    requisite                                    pam_pwquality.so'
            line: "password    requisite                                    pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3"
            insertbefore: '^#?password ?'
        when: rhel9cis_rule_5_4_1

      - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth"
        lineinfile:
            dest: /etc/pam.d/{{ item }}
            state: present
            regexp: '^auth        required                                     pam_faillock.so preauth'
            line: "auth        required                                     pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
            insertafter: '^#?auth ?'
        with_items:
            - "system-auth"
            - "password-auth"
        when: rhel9cis_rule_5_4_2

      - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail"
        lineinfile:
            dest: /etc/pam.d/{{ item }}
            state: present
            regexp: '^auth        required                                     pam_faillock.so authfail'
            line: "auth        required                                     pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
            insertafter: '^#?auth ?'
        with_items:
            - "system-auth"
            - "password-auth"
        when: rhel9cis_rule_5_4_2

      - name: |
           "5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings
            5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
        lineinfile:
            dest: /etc/pam.d/system-auth
            state: present
            regexp: '^password    sufficient                                   pam_unix.so'
            line: "password    sufficient                                   pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}"
            insertafter: '^#?password ?'
        when:
            - rhel9cis_rule_5_4_3 or
              rhel9cis_rule_5_4_4

      - name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
        lineinfile:
            dest: /etc/pam.d/password-auth
            state: present
            regexp: '^password    sufficient                                   pam_unix.so'
            line: "password    sufficient                                   pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok"
            insertafter: '^#?password ?'
        when: rhel9cis_rule_5_4_4

      # The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services
      # With the steps below you will score five (5) points lower due to false positive results
      - name: |
           "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
            5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
            5.4.3 | L1 | PATCH | Ensure password reuse is limited
            5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
        copy:
            src: /etc/pam.d/{{ item }}
            dest: /etc/pam.d/{{ item }}-local
            remote_src: true
            owner: root
            group: root
            mode: '0644'
        with_items:
            - "system-auth"
            - "password-auth"

      - name: |
           "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
            5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
            5.4.3 | L1 | PATCH | Ensure password reuse is limited
            5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
        file:
            src: /etc/pam.d/{{ item }}-local
            dest: /etc/pam.d/{{ item }}
            state: link
            force: true
        with_items:
            - "system-auth"
            - "password-auth"
  when:
      - rhel9cis_rule_5_4_1 or
        rhel9cis_rule_5_4_2 or
        rhel9cis_rule_5_4_3 or
        rhel9cis_rule_5_4_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.4.1
      - rule_5.4.2
      - rule_5.4.3
      - rule_5.4.4
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`

			`- name: \|`
			`"5.4.1 \| L1 \| PATCH \| Ensure password creation requirements are configured`
			`5.4.2 \| L1 \| PATCH \| Ensure lockout for failed password attempts is configured`
			`5.4.3 \| L1 \| PATCH \| Ensure password reuse is limited`
			`5.4.4 \| L1 \| PATCH \| Ensure password hashing algorithm is SHA-512"`
			`block:`
			`- name: "5.4.1 \| L1 \| PATCH \| Ensure password creation requirements are configured \| Set pwquality config settings"`
			`lineinfile:`
			`state: present`
			`dest: /etc/security/pwquality.conf`
			`regexp: ^{{ item.name }}`
			`line: "{{ item.name }} = {{ item.value }}"`
			`with_items:`
			`- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }`
			`- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }`
			`when: rhel9cis_rule_5_4_1`

			`- name: \|`
			`"5.4.1 \| L1 \| PATCH \| Ensure password creation requirements are configured \| Set system-auth retry settings`
			`5.4.3\| L1 \| PATCH \| Ensure password reuse is limited \| Set system-auth remember settings"`
			`lineinfile:`
			`dest: /etc/pam.d/system-auth`
			`state: present`
			`regexp: '^password requisite pam_pwquality.so'`
			`line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"`
			`insertbefore: '^#?password ?'`
			`when:`
			`- rhel9cis_rule_5_4_1 or`
			`rhel9cis_rule_5_4_3`

			`- name: "5.4.1 \| L1 \| PATCH \| Ensure password creation requirements are configured \| Set system-auth retry settings"`
			`lineinfile:`
			`dest: /etc/pam.d/password-auth`
			`state: present`
			`regexp: '^password requisite pam_pwquality.so'`
			`line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3"`
			`insertbefore: '^#?password ?'`
			`when: rhel9cis_rule_5_4_1`

			`- name: "5.4.2 \| L1 \| PATCH \| Ensure lockout for failed password attempts is configured \| Add deny count and unlock time for preauth"`
			`lineinfile:`
			`dest: /etc/pam.d/{{ item }}`
			`state: present`
			`regexp: '^auth required pam_faillock.so preauth'`
			`line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) \| ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"`
			`insertafter: '^#?auth ?'`
			`with_items:`
			`- "system-auth"`
			`- "password-auth"`
			`when: rhel9cis_rule_5_4_2`

			`- name: "5.4.2 \| L1 \| PATCH \| Ensure lockout for failed password attempts is configured \| Add deny count and unlock times for authfail"`
			`lineinfile:`
			`dest: /etc/pam.d/{{ item }}`
			`state: present`
			`regexp: '^auth required pam_faillock.so authfail'`
			`line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) \| ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"`
			`insertafter: '^#?auth ?'`
			`with_items:`
			`- "system-auth"`
			`- "password-auth"`
			`when: rhel9cis_rule_5_4_2`

			`- name: \|`
			`"5.4.3 \| L1 \| PATCH \| Ensure password reuse is limited \| Set system-auth remember remember settings`
			`5.4.4 \| L1 \| PATCH \| Ensure password hashing algorithm is SHA-512 \| Set system-auth pwhash settings"`
			`lineinfile:`
			`dest: /etc/pam.d/system-auth`
			`state: present`
			`regexp: '^password sufficient pam_unix.so'`
			`line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}"`
			`insertafter: '^#?password ?'`
			`when:`
			`- rhel9cis_rule_5_4_3 or`
			`rhel9cis_rule_5_4_4`

			`- name: "5.4.4 \| L1 \| PATCH \| Ensure password hashing algorithm is SHA-512 \| Set system-auth pwhash settings"`
			`lineinfile:`
			`dest: /etc/pam.d/password-auth`
			`state: present`
			`regexp: '^password sufficient pam_unix.so'`
			`line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok"`
			`insertafter: '^#?password ?'`
			`when: rhel9cis_rule_5_4_4`

			`# The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services`
			`# With the steps below you will score five (5) points lower due to false positive results`
			`- name: \|`
			`"5.4.1 \| L1 \| PATCH \| Ensure password creation requirements are configured`
			`5.4.2 \| L1 \| PATCH \| Ensure lockout for failed password attempts is configured`
			`5.4.3 \| L1 \| PATCH \| Ensure password reuse is limited`
			`5.4.4 \| L1 \| PATCH \| Ensure password hashing algorithm is SHA-512"`
			`copy:`
			`src: /etc/pam.d/{{ item }}`
			`dest: /etc/pam.d/{{ item }}-local`
boolean variable true/false Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-13 16:51:17 +00:00			`remote_src: true`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`owner: root`
			`group: root`
			`mode: '0644'`
			`with_items:`
			`- "system-auth"`
			`- "password-auth"`

			`- name: \|`
			`"5.4.1 \| L1 \| PATCH \| Ensure password creation requirements are configured`
			`5.4.2 \| L1 \| PATCH \| Ensure lockout for failed password attempts is configured`
			`5.4.3 \| L1 \| PATCH \| Ensure password reuse is limited`
			`5.4.4 \| L1 \| PATCH \| Ensure password hashing algorithm is SHA-512"`
			`file:`
			`src: /etc/pam.d/{{ item }}-local`
			`dest: /etc/pam.d/{{ item }}`
			`state: link`
boolean variable true/false Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-13 16:51:17 +00:00			`force: true`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`with_items:`
			`- "system-auth"`
			`- "password-auth"`
			`when:`
			`- rhel9cis_rule_5_4_1 or`
			`rhel9cis_rule_5_4_2 or`
			`rhel9cis_rule_5_4_3 or`
			`rhel9cis_rule_5_4_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_5.4.1`
			`- rule_5.4.2`
			`- rule_5.4.3`
			`- rule_5.4.4`