sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #386 from polski-g/regex_5_3_2_2

Browse source 
5.3.2.2: fix regex failing to match whitespace
This commit is contained in:
uk-bolly 2025-10-01 10:24:13 +01:00 committed by GitHub
commit 3e848dd6f1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 18 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

24
tasks/section_5/cis_5.3.2.x.yml
View file

@ -91,9 +91,15 @@
insertafter: "{{ item.after | default(omit) }}" insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}" line: "{{ item.line }}"
loop: loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" } line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth" - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
when: not rhel9cis_allow_authselect_updates when: not rhel9cis_allow_authselect_updates
@ -104,9 +110,15 @@
insertafter: "{{ item.after | default(omit) }}" insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}" line: "{{ item.line }}"
loop: loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" } line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
before: "auth\\s+required\\s+pam_deny.so"
line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
- regexp: "account\\s+required\\s+pam_faillock.so"
before: "account\\s+required\\s+pam_unix.so"
line: "account required pam_faillock.so" # yamllint disable-line rule:colons
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when: when: