updated authselect logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-08-08 11:08:09 +01:00 · 2024-08-08 11:08:09 +01:00 · 565ef20715
commit 565ef20715
parent 9598139f4c
4 changed files with 135 additions and 93 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -112,6 +112,29 @@
            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
            success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"

+- name: "PRELIM | AUDIT | Check authselect profile is selected"
+  when:
+      - rhel9cis_allow_authselect_updates
+  tags:
+      - always
+  block:
+      - name: "PRELIM | AUDIT | Check authselect profile name has been updated"
+        ansible.builtin.assert:
+          that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
+          fail_msg: "You still have the default name for your authselect profile"
+
+      - name: "PRELIM | AUDIT | Check authselect profile is selected"
+        ansible.builtin.shell: authselect current
+        changed_when: false
+        failed_when: prelim_authselect_current_config.rc not in [ 0, 1 ]
+        register: prelim_authselect_current_config
+
+      - name: "PRELIM | AUDIT | Check authselect profile is selected"
+        ansible.builtin.assert:
+          that: prelim_authselect_current_config is defined
+          success_msg: "Authselect is running and profile is selected"
+          fail_msg: Authselect updates have been selected there are issues with profile selection"
+
 - name: "Ensure root password is set"
  when:
    - rhel9cis_rule_5_4_2_4
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -14,19 +14,28 @@
    - rule_5.3.2.1
  block:
    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when:
-        - "rhel9cis_authselect['custom_profile_name'] not in authselect_running_config.stdout"
-        - rhel9cis_authselect_custom_profile_create
-        - not rhel9cis_5_3_2_1_profile.stat.exists
-      ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}"
+      when: prelim_authselect_current_config.stdout is not defined
+      ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
      args:
-        creates: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}"
+        creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"

-    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Select profiles"
-      when:
-        - "rhel9cis_authselect['custom_profile_name'] not in authselect_running_config.stdout"
-        - rhel9cis_authselect_custom_profile_select
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force"
+    - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features"
+      ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
+      changed_when: false
+      register: discovered_authselect_profile_features
+
+    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Add missing pam modules to config | pwquality"
+      when: "'with-pwquality' not in discovered_authselect_profile_features.stdout_lines"
+      ansible.builtin.lineinfile:
+        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
+        regexp: ^password\s*requisite\s*pam_pwquality.so.*
+        line: password    requisite                                    pam_pwquality.so local_users_only        {include if "with-pwquality"}
+      loop:
+        - system
+        - password
+
+    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules"
+      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"

 - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
  when:
@ -45,17 +54,17 @@
    - NIST800-53R5_IA-5
    - authselect
    - rule_5.3.2.2
-  notify: Update_authselect
+  notify: Authselect update
  block:
    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
      ansible.builtin.shell: authselect current | grep faillock
      changed_when: false
-      failed_when: rhel9cis_authselect_current.rc not in [ 0, 1 ]
-      register: rhel9cis_authselect_current
+      failed_when: rhel9cis_authselect_current_faillock.rc not in [ 0, 1 ]
+      register: rhel9cis_authselect_current_faillock

    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
-      when: rhel9cis_authselect_current.rc != 0
-      ansible.builtin.shell: "authselect enable-feature with-faillock"
+      when: rhel9cis_authselect_current_faillock.rc != 0
+      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"

 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
  when:
@ -70,62 +79,17 @@
    - NIST800-53R5_IA-5
    - authselect
    - rule_5.3.2.3
-  notify: Update_authselect
  block:
    - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config"
      ansible.builtin.shell: authselect current | grep quality
      changed_when: false
-      failed_when: rhel9cis_authselect_current.rc not in [ 0, 1 ]
-      register: rhel9cis_authselect_current
+      failed_when: rhel9cis_authselect_current_quality.rc not in [ 0, 1 ]
+      register: rhel9cis_authselect_current_quality

    - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
-      when: rhel9cis_authselect_current.rc != 0
-      ansible.builtin.shell: "authselect enable-feature with-pwquality"
-
-# - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
-#   when:
-#     - rhel9cis_rule_5_3_2_3
-#     - rhel9cis_disruption_high
-#     - rhel9cis_allow_authselect_updates
-#   tags:
-#     - level1-server
-#     - level1-workstation
-#     - automated
-#     - patch
-#     - NIST800-53R5_IA-5
-#     - authselect
-#     - rule_5.3.2.3
-#   notify: Update_authselect
-#   block:
-#     - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Capture current state"
-#       ansible.builtin.shell: |
-#         grep -P -- '\bpam_pwquality\.so\b' /etc/pam.d/{password,system}-auth
-#       changed_when: false
-#       failed_when: rhel9cis_pwquality_enabled.rc not in [ 0, 1 ]
-#       register: rhel9cis_pwquality_enabled
-
-#     - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled | system-auth"
-#       when: "'system-auth:password' not in rhel9cis_pwquality_enabled.stdout"
-#       ansible.builtin.lineinfile:
-#         path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
-#         regexp: "{{ item.regexp }}"
-#         line: "{{ item.line }}"
-#         backrefs: true
-#         insertbefore: "{{ item.before | default (omit) }}"
-#         loop:
-#           - { regexp: '^(password\s+)(required|requisite|sufficient)(\s+pam_pwquality.so.*)(.*)', line: '\1requisite\3\4', before: '^password\s+[default=1 ignore=ignore success=ok]' }
-
-#     - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled | password-auth"
-#       when: "'password-auth:password' not in rhel9cis_pwquality_enabled.stdout"
-#       ansible.builtin.lineinfile:
-#         backrefs: true
-#         insertafter: "{{ item.after | default (omit) }}"
-#         insertbefore: "{{ item.before | default (omit) }}"
-#         line: "{{ item.line }}"
-#         path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
-#         regexp: "{{ item.regexp }}"
-#         loop:
-#           - { regexp: '^(password\s+)(required|requisite|sufficient)(\s+pam_pwquality.so.*)(.*)', line: '\1requisite\3\4', before: '^password\s+[default=1 ignore=ignore success=ok]' }
+      when: rhel9cis_authselect_current_quality.rc != 0
+      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      notify: Authselect update

 - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
  when:
@ -140,17 +104,17 @@
    - NIST800-53R5_IA-5
    - authselect
    - rule_5.3.2.4
-  notify: Update_authselect
  block:
    - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config"
      ansible.builtin.shell: authselect current | grep pwhistory
      changed_when: false
-      failed_when: rhel9cis_authselect_current.rc not in [ 0, 1 ]
-      register: rhel9cis_authselect_current
+      failed_when: rhel9cis_authselect_current_history.rc not in [ 0, 1 ]
+      register: rhel9cis_authselect_current_history

    - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
-      when: rhel9cis_authselect_current.rc != 0
-      ansible.builtin.shell: "authselect enable-feature with-pwhistory"
+      when: rhel9cis_authselect_current_history.rc != 0
+      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      notify: Authselect update

 - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled"
  when:
@ -173,6 +137,9 @@
      failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ]
      register: rhel9cis_authselect_pam_unix

+    - debug:
+        msg: "{{ rhel9cis_authselect_pam_unix }}"
+
    - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
      when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout"
      ansible.builtin.lineinfile:
@ -185,6 +152,7 @@
        loop:
          - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' }
          - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
+      notify: Authselect update

    - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
      when: "'password-auth:password' not in rhel9cis_authselect_pam_unix.stdout"
@ -198,3 +166,4 @@
        loop:
          - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' }
          - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
+      notify: Authselect update
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@ -16,16 +16,11 @@
      changed_when: false
      failed_when: rhel9_pwhistory_remember.rc not in [0, 1]

-    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set"
-      when:
-        - rhel9_pwhistory_remember.stdout | length > 0
-        - not rhel9cis_allow_authselect_updates
+    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file"
      ansible.builtin.lineinfile:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
-        regexp: ^(password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+)(.*)(remember=\d+)
-        line: '\1\2 remember={{ rhel9cis_pamd_pwhistory_remember }}'
-        backrefs: true
-      notify: Pam_auth_update_pwhistory
+        path: "/etc/security/pwhistory.conf"
+        regexp: remember\s*=\s*\d*
+        line: remember = {{ rhel9cis_pamd_pwhistory_remember }}

    - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Remove remember from pam files NOT AuthSelect"
      when:
@ -55,7 +50,6 @@
 - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
  when:
    - rhel9cis_rule_5_3_3_3_2
-    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
@ -69,26 +63,45 @@
      changed_when: false
      failed_when: rhel9_pwhistory_enforce_for_root.rc not in [0, 1]

-    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set"
+    - name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file"
+      ansible.builtin.lineinfile:
+        path: "/etc/security/pwhistory.conf"
+        regexp: ^\s*(?#)enforce_for_root
+        line: enforce_for_root
+
+    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
      when:
        - not rhel9cis_allow_authselect_updates
-        - rhel9_pwhistory_enforce_for_root.stdout | length > 0
+        - rhel9_pwhistory_enforce_for_root.stdout | length == 0
+        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
        regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
        line: '\1\2\3 enforce_for_root'
        backrefs: true
-      notify: Pam_auth_update_pwhistory
+
+    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
+      when:
+        - rhel9cis_allow_authselect_updates
+        - rhel9_pwhistory_enforce_for_root.stdout | length == 0
+        - rhel9cis_disruption_high
+      ansible.builtin.replace:
+        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
+        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\senforce_for_root(.*$)
+        replace: \1\2enforce_for_root\3
+      loop:
+        - password
+        - system
+      notify: Authselect update

 - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
  when:
    - rhel9cis_rule_5_3_3_3_3
-    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
    - patch
-    - rule_5.3.3.3.2
+    - rule_5.3.3.3.3
    - pam
  block:
    - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
@ -97,20 +110,27 @@
      changed_when: false
      failed_when: rhel9_pwhistory_use_authtok.rc not in [0, 1]

-    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set"
+    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok"
+      ansible.builtin.lineinfile:
+        path: "/etc/security/pwhistory.conf"
+        regexp: ^\s*(?#)use_authtok
+        line: use_authtok
+
+    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
      when:
        - not rhel9cis_allow_authselect_updates
-        - rhel9_pwhistory_use_authtok.stdout | length > 0
+        - rhel9_pwhistory_use_authtok.stdout | length == 0
+        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
        regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
-        line: '\1\2\3 use_authtok'
+        line: '\1\2 use_authtok'
        backrefs: true
-      notify: Pam_auth_update_pwhistory

    - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
      when:
        - rhel9cis_allow_authselect_updates
+        - rhel9_pwhistory_use_authtok.stdout | length == 0
        - rhel9cis_disruption_high
      ansible.builtin.lineinfile:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"