
Use new prelim task for controls based on #273

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-01-22 08:53:27 +00:00
parent fb73b18596
commit 5e176d4dc9
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9


@ -18,10 +18,9 @@
path: "{{ item }}" path: "{{ item }}"
regexp: 'difok\s*=\s*\d+\b' regexp: 'difok\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: loop:
- '/etc/security/pwquality.conf' - /etc/security/pwquality.conf
- '/etc/security/pwquality.conf.d/*.conf' - "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- /etc/pam.d/*-auth
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
ansible.builtin.template: ansible.builtin.template:
@ -74,10 +73,9 @@
path: "{{ item }}" path: "{{ item }}"
regexp: 'minlen\s*=\s*\d+\b' regexp: 'minlen\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: loop:
- '/etc/security/pwquality.conf' - /etc/security/pwquality.conf
- '/etc/security/pwquality.conf.d/*.conf' - "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- '/etc/pam.d/*-auth'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
ansible.builtin.template: ansible.builtin.template:
@ -130,10 +128,9 @@
path: "{{ item }}" path: "{{ item }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
replace: '' replace: ''
with_fileglob: loop:
- '/etc/security/pwquality.conf' - /etc/security/pwquality.conf
- '/etc/security/pwquality.conf.d/*.conf' - "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- '/etc/pam.d/*-auth'
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
ansible.builtin.template: ansible.builtin.template:
@ -184,10 +181,9 @@
path: "{{ item }}" path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b' regexp: 'maxrepeat\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: loop:
- '/etc/security/pwquality.conf' - /etc/security/pwquality.conf
- '/etc/security/pwquality.conf.d/*.conf' - "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- '/etc/pam.d/*-auth'
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
ansible.builtin.template: ansible.builtin.template:
@ -240,10 +236,9 @@
path: "{{ item }}" path: "{{ item }}"
regexp: 'maxsequence\s*=\s*\d+\b' regexp: 'maxsequence\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: loop:
- '/etc/security/pwquality.conf' - /etc/security/pwquality.conf
- '/etc/security/pwquality.conf.d/*.conf' - "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- '/etc/pam.d/*-auth'
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
ansible.builtin.template: ansible.builtin.template:
@ -295,10 +290,9 @@
path: "{{ item }}" path: "{{ item }}"
regexp: 'dictcheck\s*=\s*\d+\b' regexp: 'dictcheck\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: loop:
- '/etc/security/pwquality.conf' - /etc/security/pwquality.conf
- '/etc/security/pwquality.conf.d/*.conf' - "{{ prelim_pam_pwquality_confs.files | default ([]) }}"
- '/etc/pam.d/*-auth'
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
ansible.builtin.template: ansible.builtin.template:
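Review bot: The new `loop:` in each of the six hunks passes the whole `prelim_pam_pwquality_confs.files` value to `path: "{{ item }}"` as one item, because `loop` does not flatten a nested list, and if that variable is the `register` of an `ansible.builtin.find` task its `files` entries are dicts with a `path` key rather than path strings, so the second iteration would try to edit a path rendered from a list of dicts. The loop should be built as one flat list of paths, e.g. `loop: "{{ ['/etc/security/pwquality.conf'] + (prelim_pam_pwquality_confs.files | default([]) | map(attribute='path') | list) }}"`. Separately, the old `with_fileglob` also scrubbed `/etc/pam.d/*-auth`, and because pam_pwquality module arguments on the pam.d line override pwquality.conf, a leftover `minlen=`/`dictcheck=` argument on a `pam_pwquality.so` line would silently win over the hardened value the following template task installs — confirm the prelim find task covers /etc/pam.d, or keep that glob in the cleanup. The prelim task that populates the variable is outside this diff, so this is inferred from the `.files` attribute and the commit message.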