RHEL9-CIS/tasks/section_5/cis_5.3.3.2.x.yml

---

- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
  when: rhel9cis_rule_5_3_3_2_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.1
    - NIST800-53R5_IA-5
    - pam
  block:
    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
      when:
        - item != rhel9cis_passwd_difok_file
        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'difok\s*=\s*\d+\b'
        state: absent
      loop:
        - /etc/security/pwquality.conf
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"

    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_difok_file }}.j2"
        dest: "/{{ rhel9cis_passwd_difok_file }}"
        owner: root
        group: root
        mode: 'go-rwx'

    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdifok=\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system

    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdifok=\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system
      notify: Authselect update

- name: "5.3.3.2.2 | PATCH | Ensure password length is configured"
  when: rhel9cis_rule_5_3_3_2_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.2
    - NIST800-53R5_IA-5
    - pam
  block:
    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
      when:
        - item != rhel9cis_passwd_minlen_file
        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'minlen\s*=\s*\d+\b'
        state: absent
      loop:
        - /etc/security/pwquality.conf
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"

    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_minlen_file }}.j2"
        dest: "/{{ rhel9cis_passwd_minlen_file }}"
        owner: root
        group: root
        mode: 'go-rwx'

    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sminlen=\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system

    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sminlen=\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system
      notify: Authselect update

- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
  when: rhel9cis_rule_5_3_3_2_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.3
    - NIST800-53R5_IA-5
    - pam
  block:
    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
      when:
        - item != rhel9cis_passwd_complex_file
        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
        state: absent
      loop:
        - /etc/security/pwquality.conf
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"

    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_complex_file }}.j2"
        dest: "/{{ rhel9cis_passwd_complex_file }}"
        owner: root
        group: root
        mode: 'go-rwx'

    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\s(minclass=[0-3]|[dulo]credit=[^-]\d*)(.*$)
        replace: \1\2\4
      loop:
        - password
        - system

    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\s(minclass=[0-3]|[dulo]credit=[^-]\d*)(.*$)
        replace: \1\2\4
      loop:
        - password
        - system
      notify: Authselect update

- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
  when: rhel9cis_rule_5_3_3_2_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.4
    - NIST800-53R5_IA-5
    - pam
  block:
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
      when: item != rhel9cis_passwd_maxrepeat_file
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'maxrepeat\s*=\s*\d+\b'
        state: absent
      loop:
        - /etc/security/pwquality.conf
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"

    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_maxrepeat_file }}.j2"
        dest: "/{{ rhel9cis_passwd_maxrepeat_file }}"
        owner: root
        group: root
        mode: 'go-rwx'

    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxrepeat\s*=\s*\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system

    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxrepeat\s*=\s*\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system
      notify: Authselect update

- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
  when: rhel9cis_rule_5_3_3_2_5
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.5
    - NIST800-53R5_IA-5
    - pam
  block:
    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
      when:
        - item != rhel9cis_passwd_maxsequence_file
        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'maxsequence\s*=\s*\d+\b'
        state: absent
      loop:
        - /etc/security/pwquality.conf
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"

    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_maxsequence_file }}.j2"
        dest: "/{{ rhel9cis_passwd_maxsequence_file }}"
        owner: root
        group: root
        mode: 'go-rwx'

    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxsequence\s*=\s*\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system

    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\smaxsequence\s*=\s*\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system
      notify: Authselect update

- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
  when: rhel9cis_rule_5_3_3_2_6
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.6
    - NIST800-53R5_IA-5
    - pam
  block:
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
      when:
        - item != rhel9cis_passwd_dictcheck_file
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'dictcheck\s*=\s*\d+\b'
        state: absent
      loop:
        - /etc/security/pwquality.conf
        - /etc/pam.d/system-auth
        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"

    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
      ansible.builtin.template:
        src: "{{ rhel9cis_passwd_dictcheck_file }}.j2"
        dest: "/{{ rhel9cis_passwd_dictcheck_file }}"
        owner: root
        group: root
        mode: 'go-rwx'

    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect"
      when:
        - not rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdictcheck\s*=\s*\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system
      notify: Authselect update

    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
        - rhel9cis_disruption_high
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwquality\.so)(.*)\sdictcheck\s*=\s*\d*(.*$)
        replace: \1\2\3
      loop:
        - password
        - system
      notify: Authselect update

- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
  when: rhel9cis_rule_5_3_3_2_7
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.2.7
    - NIST800-53R5_IA-5
    - pam
  ansible.builtin.template:
    src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
    owner: root
    group: root
    mode: 'o-rwx'