RHEL9-CIS/tasks/section_5/cis_5.3.3.1.x.yml

---

- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
  when:
    - rhel8cis_rule_5_3_3_1_1
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - pam
    - rule_5.3.3.1.1
  block:
    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | faillock.conf"
      ansible.builtin.lineinfile:
        path: /etc/security/faillock.conf
        state: present
        regexp: '^(#|)\s*deny\s*=\s*\d'
        line: "deny = {{ rhel8cis_pam_faillock['deny'] }}"

    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | pam_files"
      when: not rhel8cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
        replace: \1\2\3
      loop:
        - password
        - system

- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
  when:
    - rhel8cis_rule_5_3_3_1_2
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - pam
    - rule_5.3.3.1.2
  block:
    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | faillock.conf"
      ansible.builtin.lineinfile:
        path: /etc/security/faillock.conf
        state: present
        regexp: '^(#|)\s*unlock_time\s*=\s*\d'
        line: "unlock_time = {{ rhel8cis_pam_faillock['unlock_time'] }}"

    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | pam_files"
      when: not rhel8cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+unlock_time\s*=\s*\S+(.*$)
        replace: \1\2\3
      loop:
        - password
        - system

- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
  when:
    - rhel9cis_rule_5_3_3_1_3
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - pam
    - rule_5.3.3.1.3
  block:
    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | configure faillock.conf"
      ansible.builtin.lineinfile:
        path: /etc/security/faillock.conf
        regexp: '^{{ rhel9cis_pamroot_lock_option }}'
        line: "{{ rhel9cis_pamroot_lock_string }}"
        insertafter: '^# end of pam-auth-update config'
        create: true

    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | pam_files"
      when: not rhel9cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/pam.d/{{ item }}-auth"
        regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s(even_deny_root|root_unlock_time=\d*)"(\s*=\s*\d|.*)\S+(.*$)
        replace: \1\2\4
      loop:
        - password
        - system
section 5 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:00:45 +01:00			`---`

			`- name: "5.3.3.1.1 \| PATCH \| Ensure password failed attempts lockout is configured"`
			`when:`
			`- rhel8cis_rule_5_3_3_1_1`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- automated`
			`- patch`
			`- pam`
			`- rule_5.3.3.1.1`
			`block:`
			`- name: "5.3.3.1.1 \| PATCH \| Ensure password failed attempts lockout is configured \| faillock.conf"`
			`ansible.builtin.lineinfile:`
			`path: /etc/security/faillock.conf`
			`state: present`
			`regexp: '^(#\|)\sdeny\s=\s*\d'`
			`line: "deny = {{ rhel8cis_pam_faillock['deny'] }}"`

			`- name: "5.3.3.1.1 \| PATCH \| Ensure password failed attempts lockout is configured \| pam_files"`
			`when: not rhel8cis_allow_authselect_updates`
			`ansible.builtin.replace:`
			`path: "/etc/pam.d/{{ item }}-auth"`
			`regexp: ^(\sauth\s+(requisite\|required\|sufficient)\s+pam_faillock\.so)(.)\s+deny\s=\s\S+(.*$)`
			`replace: \1\2\3`
			`loop:`
			`- password`
			`- system`

			`- name: "5.3.3.1.2 \| PATCH \| Ensure password unlock time is configured"`
			`when:`
			`- rhel8cis_rule_5_3_3_1_2`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- automated`
			`- patch`
			`- pam`
			`- rule_5.3.3.1.2`
			`block:`
			`- name: "5.3.3.1.2 \| PATCH \| Ensure password unlock time is configured \| faillock.conf"`
			`ansible.builtin.lineinfile:`
			`path: /etc/security/faillock.conf`
			`state: present`
			`regexp: '^(#\|)\sunlock_time\s=\s*\d'`
			`line: "unlock_time = {{ rhel8cis_pam_faillock['unlock_time'] }}"`

			`- name: "5.3.3.1.2 \| PATCH \| Ensure password unlock time is configured \| pam_files"`
			`when: not rhel8cis_allow_authselect_updates`
			`ansible.builtin.replace:`
			`path: "/etc/pam.d/{{ item }}-auth"`
			`regexp: ^(\sauth\s+(requisite\|required\|sufficient)\s+pam_faillock\.so)(.)\s+unlock_time\s=\s\S+(.*$)`
			`replace: \1\2\3`
			`loop:`
			`- password`
			`- system`

			`- name: "5.3.3.1.3 \| PATCH \| Ensure password failed attempts lockout includes root account"`
			`when:`
			`- rhel9cis_rule_5_3_3_1_3`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- automated`
			`- patch`
			`- pam`
			`- rule_5.3.3.1.3`
			`block:`
			`- name: "5.3.3.1.3 \| PATCH \| Ensure password failed attempts lockout includes root account \| configure faillock.conf"`
			`ansible.builtin.lineinfile:`
			`path: /etc/security/faillock.conf`
			`regexp: '^{{ rhel9cis_pamroot_lock_option }}'`
			`line: "{{ rhel9cis_pamroot_lock_string }}"`
			`insertafter: '^# end of pam-auth-update config'`
			`create: true`

			`- name: "5.3.3.1.3 \| PATCH \| Ensure password failed attempts lockout includes root account \| pam_files"`
			`when: not rhel9cis_allow_authselect_updates`
			`ansible.builtin.replace:`
			`path: "/etc/pam.d/{{ item }}-auth"`
			`regexp: ^(\sauth\s+(requisite\|required\|sufficient)\s+pam_faillock\.so)(.)\s(even_deny_root\|root_unlock_time=\d)"(\s=\s\d\|.)\S+(.*$)`
			`replace: \1\2\4`
			`loop:`
			`- password`
			`- system`