From c0ce0533387039e8f8d599b0ef98723e407daba9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 13 Jan 2025 11:55:41 +0000
Subject: [PATCH] added origin #272 5.3.3.3.3

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.3.3.3.x.yml | 52 +++++--------------------
 1 file changed, 8 insertions(+), 44 deletions(-)

diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
index ca5a5dcc..8fe6036a 100644
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -54,43 +54,10 @@ - patch - rule_5.3.3.3.2 - pam - block: - - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" - ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth - register: discovered_pwhistory_enforce_for_root - changed_when: false - failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1] - - - name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file" - ansible.builtin.lineinfile: - path: "/etc/security/pwhistory.conf" - regexp: ^\s*(?#)enforce_for_root - line: enforce_for_root - - - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set" - when: - - not rhel9cis_allow_authselect_updates - - discovered_pwhistory_enforce_for_root.stdout | length == 0 - - rhel9cis_disruption_high - ansible.builtin.lineinfile: - path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}" - regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root) - line: '\1\2\3 enforce_for_root' - backrefs: true - - - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set" - when: - - rhel9cis_allow_authselect_updates - - discovered_pwhistory_enforce_for_root.stdout | length == 0 - - rhel9cis_disruption_high - ansible.builtin.replace: - path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" - regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\senforce_for_root(.*$) - replace: \1\2enforce_for_root\3 - loop: - - password - - system - notify: Authselect update + ansible.builtin.lineinfile: + path: "/etc/security/pwhistory.conf" + regexp: ^\s*(?#)enforce_for_root + line: enforce_for_root - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes 
use_authtok" when: rhel9cis_rule_5_3_3_3_3 @@ -107,22 +74,19 @@ changed_when: false failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok" - ansible.builtin.lineinfile: - path: "/etc/security/pwhistory.conf" - regexp: ^\s*(?#)use_authtok - line: use_authtok - - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set" when: - not rhel9cis_allow_authselect_updates - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: - path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}" + path: "{{ item }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) line: '\1\2 use_authtok' backrefs: true + loop: + - /etc/pam.d/password-auth + - /etc/pam.d/system-auth - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect" when:
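Review bot: The added regexp `^\s*(?#)enforce_for_root` contains `(?#)`, an empty inline-comment group that matches nothing, so the pattern is effectively `^\s*enforce_for_root` and a commented-out `# enforce_for_root` entry (if the shipped pwhistory.conf carries one) is not matched; lineinfile then appends a second, active line instead of replacing it. The end state still enforces the setting for root, but the file keeps both entries and the `(?#)` reads like a mangled attempt at an optional comment marker, which the next maintainer will have to puzzle over. If the intent was to uncomment an existing entry, `regexp: ^\s*#?\s*enforce_for_root\b` does that in one match. The task's `- name`, `when` and tags begin before the hunk, so the conditions that gate this lineinfile are not visible here.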
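Review bot: The task now loops over /etc/pam.d/password-auth and /etc/pam.d/system-auth, but the regexp it applies to them, `^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)`, cannot deliver what the task name promises: lineinfile compiles regexp with Python's `re`, which rejects `\h` as a bad escape (it is a PCRE/grep escape copied from the benchmark's audit command), so the task errors the moment its `when` conditions are true. Even with `\s` in place of `\h`, the trailing `(use_authtok)` group requires the option to be on the line already, and with `backrefs: true` lineinfile leaves a file unchanged when nothing matches, so a pam_pwhistory line that lacks use_authtok is never updated. A pattern that matches the module line only when the option is absent fixes both: `regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so)((?!.*\buse_authtok\b).*)$` with the existing `line: '\1\2 use_authtok'`. The audit task that sets discovered_pwhistory_use_authtok starts before the hunk; if it greps both files in one call, a single file that already has the option would suppress the fix for the other, which the per-file loop does not address.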