sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Address #191

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-06-05 09:46:14 +01:00
parent bd7c4e3da2
commit 60a9000dda
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
4 changed files with 159 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
handlers/main.yml
View file

@ -79,6 +79,9 @@
ansible.builtin.systemd:
daemon-reload: true
- name: Apply_authselect
ansible.builtin.shell: authselect apply-changes
## Auditd tasks note order for handlers to run
- name: Auditd immutable check

7
tasks/section_5/cis_5.5.x.yml
View file

@ -11,14 +11,14 @@
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings"
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: /etc/pam.d/password-auth
regexp: '^password\s*requisite\s*pam_pwquality.so'
@ -42,6 +42,7 @@
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
@ -51,6 +52,7 @@
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
@ -60,6 +62,7 @@
loop:
- "/etc/pam.d/system-auth"
- "/etc/pam.d/password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"

144
tasks/section_5/cis_5.5.x_authselect.yml Normal file
View file

@ -0,0 +1,144 @@
---
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
block:
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.name }}
line: "{{ item.name }} = {{ item.value }}"
loop:
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
insertbefore: '^#?password ?'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_1
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.1
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
ansible.builtin.lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
line: "account required pam_faillock.so"
insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
loop:
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_2
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.2
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
block:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_3
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.3
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
block:
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
ansible.builtin.replace:
path: /etc/libuser.conf
regexp: '^crypt_style\s*=\s*.*$'
replace: 'crypt_style = sha512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
ansible.builtin.replace:
path: /etc/login.defs
regexp: '^ENCRYPT_METHOD.*'
replace: 'ENCRYPT_METHOD SHA512'
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
notify: Apply_authselect
when:
- rhel9cis_rule_5_5_4
tags:
- level1-server
- level1-workstation
- patch
- rule_5.5.4

8
tasks/section_5/main.yml
View file

@ -20,9 +20,15 @@
ansible.builtin.import_tasks:
file: cis_5.4.x.yml
- name: "SECTION | 5.5 | Configure PAM "
- name: "SECTION | 5.5 | Configure PAM | not authselect"
ansible.builtin.import_tasks:
file: cis_5.5.x.yml
when: not rhel9cis_authselect_custom_profile_select
- name: "SECTION | 5.5 | Configure PAM | authselect"
ansible.builtin.import_tasks:
file: cis_5.5.x_authselect.yml
when: rhel9cis_authselect_custom_profile_select
- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
ansible.builtin.import_tasks: