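---
# CIS RHEL 9, section 5.3.3.3 - pam_pwhistory options.
#
# Each rule runs an AUDIT step (grep against the rendered PAM stacks under
# /etc/pam.d; "no match" is not a failure) and, when the audit found a match,
# a PATCH step that edits the authselect profile file built from
# rhel9cis_pam_confd_dir + rhel9cis_pam_pwhistory_file and notifies the
# Pam_auth_update_pwhistory handler so the profile is re-applied.
#
# The grep patterns run under `grep -P` and may use PCRE's \h. The lineinfile
# regexps are compiled by Python's re module, which rejects \h ("bad escape"),
# so they use [ \t] instead.

- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
  when:
    - rhel9cis_rule_5_3_3_3_1
    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.3.1
    - pam
  block:
    - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files"
      # command, not shell: the pattern is static and no shell feature is used.
      ansible.builtin.command: grep -Psi -- '^\h*password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/password-auth /etc/pam.d/system-auth
      register: rhel9_pwhistory_remember
      changed_when: false
      # grep exits 1 for "no match"; only a real error (e.g. rc 2, file missing) fails the task.
      failed_when: rhel9_pwhistory_remember.rc not in [0, 1]

    - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set"
      # NOTE(review): the profile is only rewritten when the rendered stacks
      # already carry remember=N; a stack without the option is left alone.
      when: rhel9_pwhistory_remember.stdout | length > 0
      ansible.builtin.lineinfile:
        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
        # Group 4 keeps whatever options follow remember=N; lineinfile replaces
        # the whole line, so without it those options would be dropped.
        regexp: '^(password[ \t]+[^#\n\r]+[ \t]+pam_pwhistory\.so[ \t]+)(.*)(remember=\d+)(.*)$'
        line: '\1\2remember={{ rhel9cis_pamd_pwhistory_remember }}\4'
        backrefs: true
      notify: Pam_auth_update_pwhistory

- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
  when:
    - rhel9cis_rule_5_3_3_3_2
    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.3.2
    - pam
  block:
    - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
      # Same RHEL stacks as 5.3.3.3.1 (/etc/pam.d/common-password is the Debian
      # name; a missing file makes grep exit 2 and trips failed_when).
      ansible.builtin.command: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/password-auth /etc/pam.d/system-auth
      register: rhel9_pwhistory_enforce_for_root
      changed_when: false
      failed_when: rhel9_pwhistory_enforce_for_root.rc not in [0, 1]

    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
      # NOTE(review): guard kept as written - the profile is edited only when the
      # rendered stacks already contain enforce_for_root; confirm this is the
      # intended direction of the check.
      when: rhel9_pwhistory_enforce_for_root.stdout | length > 0
      ansible.builtin.lineinfile:
        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
        # Matches the pam_pwhistory line only while enforce_for_root is absent
        # (tempered group), so the option is appended exactly once and the task
        # is idempotent; re-emitting a captured copy of the token would
        # duplicate it on every run.
        regexp: '^(password[ \t]+[^#\n\r]+[ \t]+pam_pwhistory\.so[ \t]*)((?:(?!enforce_for_root).)*)$'
        line: '\1\2 enforce_for_root'
        backrefs: true
      notify: Pam_auth_update_pwhistory

- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
  when:
    - rhel9cis_rule_5_3_3_3_3
    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.3.3.3.3
    - pam
  block:
    - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
      ansible.builtin.command: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/password-auth /etc/pam.d/system-auth
      register: rhel9_pwhistory_use_authtok
      changed_when: false
      failed_when: rhel9_pwhistory_use_authtok.rc not in [0, 1]

    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
      # NOTE(review): guard kept as written (see 5.3.3.3.2); confirm intent.
      when: rhel9_pwhistory_use_authtok.stdout | length > 0
      ansible.builtin.lineinfile:
        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
        # Append use_authtok once, only to a pam_pwhistory line that lacks it.
        regexp: '^(password[ \t]+[^#\n\r]+[ \t]+pam_pwhistory\.so[ \t]*)((?:(?!use_authtok).)*)$'
        line: '\1\2 use_authtok'
        backrefs: true
      notify: Pam_auth_update_pwhistory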