section 5 v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-07-24 14:00:45 +01:00 · 2024-07-24 14:00:45 +01:00 · 9755b0fb62
commit 9755b0fb62
parent f1c4d96412
9 changed files with 1404 additions and 537 deletions
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@ -0,0 +1,86 @@
+---
+
+- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
+  when:
+    - rhel8cis_rule_5_3_3_1_1
+  tags:
+    - level1-server
+    - level1-workstation
+    - automated
+    - patch
+    - pam
+    - rule_5.3.3.1.1
+  block:
+    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | faillock.conf"
+      ansible.builtin.lineinfile:
+        path: /etc/security/faillock.conf
+        state: present
+        regexp: '^(#|)\s*deny\s*=\s*\d'
+        line: "deny = {{ rhel8cis_pam_faillock['deny'] }}"
+
+    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | pam_files"
+      when: not rhel8cis_allow_authselect_updates
+      ansible.builtin.replace:
+        path: "/etc/pam.d/{{ item }}-auth"
+        regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
+        replace: \1\2\3
+      loop:
+        - password
+        - system
+
+- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
+  when:
+    - rhel8cis_rule_5_3_3_1_2
+  tags:
+    - level1-server
+    - level1-workstation
+    - automated
+    - patch
+    - pam
+    - rule_5.3.3.1.2
+  block:
+    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | faillock.conf"
+      ansible.builtin.lineinfile:
+        path: /etc/security/faillock.conf
+        state: present
+        regexp: '^(#|)\s*unlock_time\s*=\s*\d'
+        line: "unlock_time = {{ rhel8cis_pam_faillock['unlock_time'] }}"
+
+    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | pam_files"
+      when: not rhel8cis_allow_authselect_updates
+      ansible.builtin.replace:
+        path: "/etc/pam.d/{{ item }}-auth"
+        regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+unlock_time\s*=\s*\S+(.*$)
+        replace: \1\2\3
+      loop:
+        - password
+        - system
+
+- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
+  when:
+    - rhel9cis_rule_5_3_3_1_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - automated
+    - patch
+    - pam
+    - rule_5.3.3.1.3
+  block:
+    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | configure faillock.conf"
+      ansible.builtin.lineinfile:
+        path: /etc/security/faillock.conf
+        regexp: '^{{ rhel9cis_pamroot_lock_option }}'
+        line: "{{ rhel9cis_pamroot_lock_string }}"
+        insertafter: '^# end of pam-auth-update config'
+        create: true
+
+    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | pam_files"
+      when: not rhel9cis_allow_authselect_updates
+      ansible.builtin.replace:
+        path: "/etc/pam.d/{{ item }}-auth"
+        regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s(even_deny_root|root_unlock_time=\d*)"(\s*=\s*\d|.*)\S+(.*$)
+        replace: \1\2\4
+      loop:
+        - password
+        - system