section 5 v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-07-24 14:00:45 +01:00 · 2024-07-24 14:00:45 +01:00 · 9755b0fb62
commit 9755b0fb62
parent f1c4d96412
9 changed files with 1404 additions and 537 deletions
--- a/tasks/section_5/cis_5.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.1.x.yml
@ -0,0 +1,55 @@
+---
+
+- name: "5.3.1.1 | PATCH | Ensure latest version of pam is installed"
+  when:
+    - rhel9cis_rule_5_3_1_1
+    - ansible_facts.packages['pam'][0]['version'] is version('1.5.1-19', '<') or
+      "'pam' not in ansible_facts.packages"
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - pam
+    - rule_5.3.1.1
+  ansible.builtin.package:
+    name: pam
+    state: latest
+
+- name: "5.3.1.2 | PATCH | Ensure latest version of authselect is installed"
+  when:
+    - rhel9cis_rule_5_3_1_2
+    - rhel9cis_authselect_pkg_update
+    - ansible_facts.packages['authselect'][0]['version'] is version('1.2.6-2', '<') or
+      "'authselect' not in ansible_facts.packages"
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - pam
+    - rule_5.3.1.2
+  block:
+    - name: "5.3.1.2 | PATCH | Ensure latest version of authselect is installed | Patch"
+      ansible.builtin.package:
+        name: authselect
+        state: latest
+      register: rhel9cis_authselect_update
+
+    - name: "5.3.1.2 | AUDIT | Ensure latest version of authselect is installed | Patch"
+      when: rhel9cis_authselect_update.changed  # noqa no-handler
+      ansible.builtin.set_fact:
+        authselect_update: OK
+
+- name: "5.3.1.3 | PATCH | Ensure libpwquality is installed"
+  when:
+    - rhel9cis_rule_5_3_1_3
+    - ansible_facts.packages['libpwquality'][0]['version'] is version('1.4.4-8', '<')
+      "'libpwquality' not in ansible_facts.packages"
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - pam
+    - rule_5.3.1.3
+  ansible.builtin.package:
+    name: libpwquality
+    state: latest