Add more safety around control 5.4.2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-27 12:19:16 +00:00 · 2023-01-27 12:19:16 +00:00 · bf83a6b84c
commit bf83a6b84c
parent e88b3efbf0
2 changed files with 39 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -622,6 +622,14 @@ rhel9cis_sudolog_location: "/var/log/sudo.log"
 #### 5.3.6
 rhel9cis_sudo_timestamp_timeout: 15

+### 5.4.2 authselect and faillock
+## This option is used at your own risk it will enable faillock for users
+## Only to be used on a new clean system if not using authselect
+## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ##
+rhel9cis_add_faillock_without_authselect: false
+# This needs to be set to ACCEPT
+rhel9cis_5_4_2_risks: NEVER
+
 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. (60 seconds * 10 = 600)
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@ -28,7 +28,7 @@
      - authselect
      - rule_5.4.1

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock"
+- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
  block:
      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
        ansible.builtin.shell: "authselect current | grep with-faillock"
@ -37,7 +37,7 @@
        check_mode: false
        register: rhel9cis_5_4_2_profiles_faillock

-      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
+      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Show profiles"
        ansible.builtin.debug:
            msg:
                - "Below are the current custom profiles"
@ -46,6 +46,35 @@
      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
        when: rhel9cis_authselect_custom_profile_select
+
+      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+        ansible.builtin.lineinfile:
+            path: "/etc/pam.d/password-auth"
+            regexp: "{{ item.regexp }}"
+            line: "{{ item.line }}"
+            insertbefore: "{{ item.before }}"
+        loop:
+            - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth        required      pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
+            - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth        required      pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'}
+            - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account     required      pam_faillock.so','before':'^account     required      pam_unix.so'}
+        when:
+            - rhel9cis_add_faillock_without_authselect
+            - rhel9cis_5_4_2_risks == 'ACCEPT'
+
+      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+        ansible.builtin.lineinfile:
+            path: "/etc/pam.d/system-auth"
+            regexp: "{{ item.regexp }}"
+            line: "{{ item.line }}"
+            insertbefore: "{{ item.before | default(omit)}}"
+            insertafter: "{{ item.after | default(omit)}}"
+        loop:
+            - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth        required      pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
+            - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth        required      pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'}
+            - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account     required      pam_faillock.so','before':'^account     required      pam_unix.so'}
+        when:
+            - rhel9cis_add_faillock_without_authselect
+            - rhel9cis_5_4_2_risks == 'ACCEPT'
  when:
      - rhel9cis_rule_5_4_2
  tags: