updated authselect logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -641,7 +641,7 @@ rhel9cis_chrony_server_minsources: 2
 #
 # Setting both Service and Mask to false will remove the package if exists
 rhel9cis_autofs_services: false
-rhel9cis_autofs_mask: true
+rhel9cis_autofs_mask: false
 rhel9cis_avahi_server: false
 rhel9cis_avahi_mask: false
 rhel9cis_dhcp_server: false
@@ -860,7 +860,7 @@ rhel9cis_sudoers_exclude_nopasswd_list:
 ## Control 5.2 - Ensure access to the 'su' command is restricted
 # This variable determines the name of the group of users that are allowed to use the su command.
 # CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY.
-rhel9cis_sugroup: nosugroup
+rhel9cis_sugroup: sugroup
 
 ## 5.3.x PAM and Authselect
 # Do not use authselect if:
@@ -868,10 +868,30 @@ rhel9cis_sugroup: nosugroup
 # Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
 # Your host is part of Active Directory via SSSD.
 # Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
-rhel9cis_allow_authselect_updates: false
+rhel9cis_allow_authselect_updates: true
 ##
 rhel9cis_authselect_pkg_update: false  # NOTE the risks if system is using SSSD or using ipa-client-install
 
+
+## PAM AND Authselect
+
+# To create a new profile (best for greenfield fresh sites not configured)
+# This allows creation of a custom profile using an existing one to build from
+# will only create if profiel does not already exist
+## options true or false
+rhel9cis_authselect_custom_profile_create: true
+## Controls:
+#  - 5.3.2.1 - Ensure custom authselect profile is used
+# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple
+# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk.
+
+# This variable configures the name of the custom profile to be created and selected.
+# To be changed from default - cis_example_profile
+rhel9cis_authselect_custom_profile_name: cis_example_profile
+# Name of the existing authselect profile to copy - options can be found with
+# ```authselect list``` on the host to be configured
+rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
+
 ## Controls
 # - 5.3.3. - Ensure lockout for failed password attempts is configured
 # - 5.5.3 - Ensure password reuse is limited
@@ -905,7 +925,12 @@ rhel9cis_passwd_minlen_value: 14
 
 # 5.3.3.2.3 - password complex
 rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf  # pragma: allowlist secret
+# Choose if using minclass or credits options
+# Options are: minclass or credits
+# ensure only one is selected
+rhel9cis_passwd_complex_option: minclass
 rhel9cis_passwd_minclass: 3
+#rhel9cis_passwd_complex: credits
 rhel9cis_passwd_dcredit: -1
 rhel9cis_passwd_ucredit: -2
 rhel9cis_passwd_ocredit: 0
@@ -931,6 +956,11 @@ rhel9cis_passwd_quality_enforce_value: 1
 rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf  # pragma: allowlist secret
 rhel9cis_passwd_quality_enforce_root_value: enforce_for_root  # pragma: allowlist secret
 
+# PWhistory
+## 5.3.3.3.1 remember history
+# rhel9cis_pamd_pwhistory_remember: <N> -  <N> is the number of old passwords to remember
+rhel9cis_pamd_pwhistory_remember: 24
+
 # 5.3.3.4.x
 rhel9cis_passwd_hash_algo: sha512  # pragma: allowlist secret