From 60a9000dda634c97d5246e7298b39bd6e4be28cd Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Wed, 5 Jun 2024 09:46:14 +0100
Subject: [PATCH] Address #191

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 handlers/main.yml                        |   3 +
 tasks/section_5/cis_5.5.x.yml            |   7 +-
 tasks/section_5/cis_5.5.x_authselect.yml | 144 +++++++++++++++++++++++
 tasks/section_5/main.yml                 |   8 +-
 4 files changed, 159 insertions(+), 3 deletions(-)
 create mode 100644 tasks/section_5/cis_5.5.x_authselect.yml

diff --git a/handlers/main.yml b/handlers/main.yml
index 544dd4b..e0598e2 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -79,6 +79,9 @@
   ansible.builtin.systemd:
       daemon-reload: true
 
+- name: Apply_authselect
+  ansible.builtin.shell: authselect apply-changes
+
 ## Auditd tasks note order for handlers to run
 
 - name: Auditd immutable check
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 64abc47..57ad96b 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -11,14 +11,14 @@
             - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
             - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
 
-      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/system-auth
             regexp: '^password\s*requisite\s*pam_pwquality.so'
             line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
             insertbefore: '^#?password ?'
 
-      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings"
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/password-auth
             regexp: '^password\s*requisite\s*pam_pwquality.so'
@@ -42,6 +42,7 @@
         loop:
             - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
             - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
+
       - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
@@ -51,6 +52,7 @@
         loop:
             - "/etc/pam.d/system-auth"
             - "/etc/pam.d/password-auth"
+
       - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
@@ -60,6 +62,7 @@
         loop:
             - "/etc/pam.d/system-auth"
             - "/etc/pam.d/password-auth"
+
       - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
diff --git a/tasks/section_5/cis_5.5.x_authselect.yml b/tasks/section_5/cis_5.5.x_authselect.yml
new file mode 100644
index 0000000..3188302
--- /dev/null
+++ b/tasks/section_5/cis_5.5.x_authselect.yml
@@ -0,0 +1,144 @@
+---
+
+- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
+  block:
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
+        ansible.builtin.lineinfile:
+            path: /etc/security/pwquality.conf
+            regexp: ^{{ item.name }}
+            line: "{{ item.name }} = {{ item.value }}"
+        loop:
+            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
+            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
+
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            regexp: '^password\s*requisite\s*pam_pwquality.so'
+            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
+            insertbefore: '^#?password ?'
+        notify: Apply_authselect
+
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            regexp: '^password\s*requisite\s*pam_pwquality.so'
+            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
+            insertbefore: '^#?password ?'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1
+
+- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
+  block:
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
+        ansible.builtin.lineinfile:
+            path: /etc/security/faillock.conf
+            regexp: "{{ item.regexp }}"
+            line: "{{ item.line }}"
+        loop:
+            - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
+            - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
+            line: "auth    required     pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
+            insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
+            line: "auth    required     pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
+            insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
+            line: "account    required     pam_faillock.so"
+            insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.2
+
+- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
+  block:
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+        notify: Apply_authselect
+
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.3
+
+- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
+  block:
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
+        ansible.builtin.replace:
+            path: /etc/libuser.conf
+            regexp: '^crypt_style\s*=\s*.*$'
+            replace: 'crypt_style = sha512'
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
+        ansible.builtin.replace:
+            path: /etc/login.defs
+            regexp: '^ENCRYPT_METHOD.*'
+            replace: 'ENCRYPT_METHOD SHA512'
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
+        ansible.builtin.replace:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+        notify: Apply_authselect
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
+        ansible.builtin.replace:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient     pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.4
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml
index ed06b5a..be71ea5 100644
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@@ -20,9 +20,15 @@
   ansible.builtin.import_tasks:
       file: cis_5.4.x.yml
 
-- name: "SECTION | 5.5 | Configure PAM "
+- name: "SECTION | 5.5 | Configure PAM | not authselect"
   ansible.builtin.import_tasks:
       file: cis_5.5.x.yml
+  when: not rhel9cis_authselect_custom_profile_select
+
+- name: "SECTION | 5.5 | Configure PAM | authselect"
+  ansible.builtin.import_tasks:
+      file: cis_5.5.x_authselect.yml
+  when: rhel9cis_authselect_custom_profile_select
 
 - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
   ansible.builtin.import_tasks: