sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

addressed issue #282

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-01-30 12:40:52 +00:00
parent b9a4503558
commit fecfb7e793
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -69,7 +69,7 @@
- pam - pam
block: block:
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
register: discovered_pwhistory_use_authtok register: discovered_pwhistory_use_authtok
changed_when: false changed_when: false
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
@ -81,9 +81,9 @@
- rhel9cis_disruption_high - rhel9cis_disruption_high
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item }}" path: "{{ item }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok)
line: '\1\2 use_authtok' line: password required pam_pwhistory.so use_authtok
backrefs: true insertbefore: ^password.*pam_deny.so
loop: loop:
- /etc/pam.d/password-auth - /etc/pam.d/password-auth
- /etc/pam.d/system-auth - /etc/pam.d/system-auth