added origin #272 5.3.3.3.3

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Jan 13, 2025 · c0ce053 · c0ce053
1 parent 424e5f7
commit c0ce053
Showing 1 changed file with 8 additions and 44 deletions.
diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -54,43 +54,10 @@
     - patch
     - rule_5.3.3.3.2
     - pam
-  block:
-    - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
-      ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth
-      register: discovered_pwhistory_enforce_for_root
-      changed_when: false
-      failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
-
-    - name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file"
-      ansible.builtin.lineinfile:
-        path: "/etc/security/pwhistory.conf"
-        regexp: ^\s*(?#)enforce_for_root
-        line: enforce_for_root
-
-    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
-      when:
-        - not rhel9cis_allow_authselect_updates
-        - discovered_pwhistory_enforce_for_root.stdout | length == 0
-        - rhel9cis_disruption_high
-      ansible.builtin.lineinfile:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
-        regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
-        line: '\1\2\3 enforce_for_root'
-        backrefs: true
-
-    - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
-      when:
-        - rhel9cis_allow_authselect_updates
-        - discovered_pwhistory_enforce_for_root.stdout | length == 0
-        - rhel9cis_disruption_high
-      ansible.builtin.replace:
-        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
-        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\senforce_for_root(.*$)
-        replace: \1\2enforce_for_root\3
-      loop:
-        - password
-        - system
-      notify: Authselect update
+  ansible.builtin.lineinfile:
+    path: "/etc/security/pwhistory.conf"
+    regexp: ^\s*(?#)enforce_for_root
+    line: enforce_for_root
 
 - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
   when: rhel9cis_rule_5_3_3_3_3
@@ -107,22 +74,19 @@
       changed_when: false
       failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
 
-    - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok"
-      ansible.builtin.lineinfile:
-        path: "/etc/security/pwhistory.conf"
-        regexp: ^\s*(?#)use_authtok
-        line: use_authtok
-
     - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
       when:
         - not rhel9cis_allow_authselect_updates
         - discovered_pwhistory_use_authtok.stdout | length == 0
         - rhel9cis_disruption_high
       ansible.builtin.lineinfile:
-        path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
+        path: "{{ item }}"
         regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
         line: '\1\2 use_authtok'
         backrefs: true
+      loop:
+        - /etc/pam.d/password-auth
+        - /etc/pam.d/system-auth
 
     - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
       when: