Merge pull request #279 from ansible-lockdown/pr_273_alternative

pwquality 5.3.3.2.x logic updates
2025-01-22 17:21:28 +00:00 · 2025-01-22 17:21:28 +00:00 · 469478e64e
commit 469478e64e
parent 8b13921b2e 9f3d8becf0
3 changed files with 54 additions and 40 deletions
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -177,14 +177,14 @@
      ansible.builtin.set_fact:
        grub2_path: /etc/grub2-efi.cfg
- name: "PRELIM | Discover Gnome Desktop Environment"
+- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
  tags:
    - always
  ansible.builtin.stat:
    path: /usr/share/gnome/gnome-version.xml
  register: prelim_gnome_present
- name: "PRELIM | Install dconf if gui installed"
+- name: "PRELIM | PATCH | Install dconf if gui installed"
  when:
    - rhel9cis_gui
  tags:
@ -243,6 +243,14 @@
    mode: 'go-rwx'
    state: touch
 - name: "PRELIM | AUDIT | Capture pam security related files"
  tags: always
  ansible.builtin.find:
    paths:
      - /etc/security/pwquality.conf.d/
    patterns: '*.conf'
  register: prelim_pam_pwquality_confs
 - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
  when: rhel9cis_rule_5_4_2_1
  tags:
@ -326,7 +334,7 @@
      changed_when: false
      register: prelim_uid_max_id
-    - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
+    - name: "PRELIM | AUDIT | Set Fact for interactive uid/gid"
      ansible.builtin.set_fact:
        prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}"
        prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}"
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -14,14 +14,15 @@
      when:
        - item != rhel9cis_passwd_difok_file
        - rhel9cis_disruption_high
-      ansible.builtin.replace:
+      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'difok\s*=\s*\d+\b'
-        replace: ''
+        state: absent
-      with_fileglob:
+      loop:
-        - '/etc/security/pwquality.conf'
+        - /etc/security/pwquality.conf
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - /etc/pam.d/system-auth
-        - /etc/pam.d/*-auth
+        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
      ansible.builtin.template:
@ -70,14 +71,15 @@
      when:
        - item != rhel9cis_passwd_minlen_file
        - rhel9cis_disruption_high
-      ansible.builtin.replace:
+      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'minlen\s*=\s*\d+\b'
-        replace: ''
+        state: absent
-      with_fileglob:
+      loop:
-        - '/etc/security/pwquality.conf'
+        - /etc/security/pwquality.conf
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - /etc/pam.d/system-auth
-        - '/etc/pam.d/*-auth'
+        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
      ansible.builtin.template:
@ -126,14 +128,15 @@
      when:
        - item != rhel9cis_passwd_complex_file
        - rhel9cis_disruption_high
-      ansible.builtin.replace:
+      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
-        replace: ''
+        state: absent
-      with_fileglob:
+      loop:
-        - '/etc/security/pwquality.conf'
+        - /etc/security/pwquality.conf
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - /etc/pam.d/system-auth
-        - '/etc/pam.d/*-auth'
+        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
      ansible.builtin.template:
@ -180,14 +183,15 @@
  block:
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
      when: item != rhel9cis_passwd_maxrepeat_file
-      ansible.builtin.replace:
+      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'maxrepeat\s*=\s*\d+\b'
-        replace: ''
+        state: absent
-      with_fileglob:
+      loop:
-        - '/etc/security/pwquality.conf'
+        - /etc/security/pwquality.conf
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - /etc/pam.d/system-auth
-        - '/etc/pam.d/*-auth'
+        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
      ansible.builtin.template:
@ -236,14 +240,15 @@
      when:
        - item != rhel9cis_passwd_maxsequence_file
        - rhel9cis_disruption_high
-      ansible.builtin.replace:
+      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'maxsequence\s*=\s*\d+\b'
-        replace: ''
+        state: absent
-      with_fileglob:
+      loop:
-        - '/etc/security/pwquality.conf'
+        - /etc/security/pwquality.conf
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - /etc/pam.d/system-auth
-        - '/etc/pam.d/*-auth'
+        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
      ansible.builtin.template:
@ -291,14 +296,15 @@
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
      when:
        - item != rhel9cis_passwd_dictcheck_file
-      ansible.builtin.replace:
+      ansible.builtin.lineinfile:
        path: "{{ item }}"
        regexp: 'dictcheck\s*=\s*\d+\b'
-        replace: ''
+        state: absent
-      with_fileglob:
+      loop:
-        - '/etc/security/pwquality.conf'
+        - /etc/security/pwquality.conf
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - /etc/pam.d/system-auth
-        - '/etc/pam.d/*-auth'
+        - /etc/pam.d/password-auth
        - "{{ prelim_pam_pwquality_confs.files | default([]) }}"
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
      ansible.builtin.template:
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@ -23,7 +23,7 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %}
+Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %}
 # Make 'systemctl enable tmp.mount' work:
 [Install]