sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

removed rh8 checks

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-05-11 09:57:33 +01:00
parent 63c82f8305
commit 5ce4b873d7
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
1 changed files with 1 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

28
tasks/section_5/cis_5.5.x.yml
View file

@ -32,32 +32,7 @@
- patch - patch
- rule_5.5.1 - rule_5.5.1
- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" - name: "5.5.2 | PATCH | Ensure system accounts are secured"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth"
lineinfile:
path: /etc/pam.d/{{ item }}
regexp: '^auth\s*required\s*pam_faillock.so preauth'
line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail"
lineinfile:
path: /etc/pam.d/{{ item }}
regexp: '^auth\s*required\s*pam_faillock.so authfail'
line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
when:
- ansible_distribution_version <= "8.1"
- rhel9cis_rule_5_5_2
- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ "
lineinfile: lineinfile:
path: /etc/security/faillock.conf path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
@ -66,7 +41,6 @@
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' }
when: when:
- ansible_distribution_version >= "8.2"
- rhel9cis_rule_5_5_2 - rhel9cis_rule_5_5_2
- name: "5.5.3 | PATCH | Ensure password reuse is limited" - name: "5.5.3 | PATCH | Ensure password reuse is limited"