sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Add more safety around control 5.4.2

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-27 12:19:16 +00:00
parent e88b3efbf0
commit bf83a6b84c
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
2 changed files with 39 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
defaults/main.yml
View file

@ -622,6 +622,14 @@ rhel9cis_sudolog_location: "/var/log/sudo.log"
#### 5.3.6 #### 5.3.6
rhel9cis_sudo_timestamp_timeout: 15 rhel9cis_sudo_timestamp_timeout: 15
### 5.4.2 authselect and faillock
## This option is used at your own risk it will enable faillock for users
## Only to be used on a new clean system if not using authselect
## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ##
rhel9cis_add_faillock_without_authselect: false
# This needs to be set to ACCEPT
rhel9cis_5_4_2_risks: NEVER
# RHEL-09-5.4.5 # RHEL-09-5.4.5
# Session timeout setting file (TMOUT setting can be set in multiple files) # Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600) # Timeout value is in seconds. (60 seconds * 10 = 600)

33
tasks/section_5/cis_5.4.x.yml
View file

@ -28,7 +28,7 @@
- authselect - authselect
- rule_5.4.1 - rule_5.4.1
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
block: block:
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
ansible.builtin.shell: "authselect current | grep with-faillock" ansible.builtin.shell: "authselect current | grep with-faillock"
@ -37,7 +37,7 @@
check_mode: false check_mode: false
register: rhel9cis_5_4_2_profiles_faillock register: rhel9cis_5_4_2_profiles_faillock
- name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Show profiles"
ansible.builtin.debug: ansible.builtin.debug:
msg: msg:
- "Below are the current custom profiles" - "Below are the current custom profiles"
@ -46,6 +46,35 @@
- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
when: rhel9cis_authselect_custom_profile_select when: rhel9cis_authselect_custom_profile_select
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
insertbefore: "{{ item.before }}"
loop:
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'}
when:
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'
- name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
ansible.builtin.lineinfile:
path: "/etc/pam.d/system-auth"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
insertbefore: "{{ item.before | default(omit)}}"
insertafter: "{{ item.after | default(omit)}}"
loop:
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'}
when:
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'
when: when:
- rhel9cis_rule_5_4_2 - rhel9cis_rule_5_4_2
tags: tags: