-
Notifications
You must be signed in to change notification settings - Fork 100
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #210 from ansible-lockdown/devel
Release to main
- Loading branch information
Showing
13 changed files
with
217 additions
and
32 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
--- | ||
|
||
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured" | ||
block: | ||
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" | ||
ansible.builtin.lineinfile: | ||
path: /etc/security/pwquality.conf | ||
regexp: ^{{ item.name }} | ||
line: "{{ item.name }} = {{ item.value }}" | ||
loop: | ||
- { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } | ||
- { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } | ||
|
||
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect" | ||
ansible.builtin.lineinfile: | ||
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" | ||
regexp: '^password\s*requisite\s*pam_pwquality.so' | ||
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" | ||
insertbefore: '^#?password ?' | ||
notify: Apply_authselect | ||
|
||
- name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect" | ||
ansible.builtin.lineinfile: | ||
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" | ||
regexp: '^password\s*requisite\s*pam_pwquality.so' | ||
line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" | ||
insertbefore: '^#?password ?' | ||
notify: Apply_authselect | ||
when: | ||
- rhel9cis_rule_5_5_1 | ||
tags: | ||
- level1-server | ||
- level1-workstation | ||
- patch | ||
- rule_5.5.1 | ||
|
||
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" | ||
block: | ||
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs" | ||
ansible.builtin.lineinfile: | ||
path: /etc/security/faillock.conf | ||
regexp: "{{ item.regexp }}" | ||
line: "{{ item.line }}" | ||
loop: | ||
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' } | ||
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' } | ||
|
||
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth" | ||
ansible.builtin.lineinfile: | ||
path: "{{ item }}" | ||
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)' | ||
line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" | ||
insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$' | ||
loop: | ||
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" | ||
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" | ||
notify: Apply_authselect | ||
|
||
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail" | ||
ansible.builtin.lineinfile: | ||
path: "{{ item }}" | ||
regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)' | ||
line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" | ||
insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$' | ||
loop: | ||
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" | ||
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" | ||
notify: Apply_authselect | ||
|
||
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so" | ||
ansible.builtin.lineinfile: | ||
path: "{{ item }}" | ||
regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$' | ||
line: "account required pam_faillock.so" | ||
insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$' | ||
loop: | ||
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" | ||
- "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" | ||
notify: Apply_authselect | ||
when: | ||
- rhel9cis_rule_5_5_2 | ||
tags: | ||
- level1-server | ||
- level1-workstation | ||
- patch | ||
- rule_5.5.2 | ||
|
||
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" | ||
block: | ||
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings" | ||
ansible.builtin.lineinfile: | ||
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" | ||
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" | ||
insertafter: '^password\s*requisite\s*pam_pwquality.so' | ||
notify: Apply_authselect | ||
|
||
- name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings" | ||
ansible.builtin.lineinfile: | ||
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" | ||
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" | ||
insertafter: '^password\s*requisite\s*pam_pwquality.so' | ||
notify: Apply_authselect | ||
when: | ||
- rhel9cis_rule_5_5_3 | ||
tags: | ||
- level1-server | ||
- level1-workstation | ||
- patch | ||
- rule_5.5.3 | ||
|
||
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt" | ||
block: | ||
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" | ||
ansible.builtin.replace: | ||
path: /etc/libuser.conf | ||
regexp: '^crypt_style\s*=\s*.*$' | ||
replace: 'crypt_style = sha512' | ||
|
||
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" | ||
ansible.builtin.replace: | ||
path: /etc/login.defs | ||
regexp: '^ENCRYPT_METHOD.*' | ||
replace: 'ENCRYPT_METHOD SHA512' | ||
|
||
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" | ||
ansible.builtin.replace: | ||
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" | ||
regexp: '^password\s*sufficient\s*pam_unix.so.*$' | ||
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' | ||
notify: Apply_authselect | ||
|
||
- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" | ||
ansible.builtin.replace: | ||
path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" | ||
regexp: '^password\s*sufficient\s*pam_unix.so.*$' | ||
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' | ||
notify: Apply_authselect | ||
when: | ||
- rhel9cis_rule_5_5_4 | ||
tags: | ||
- level1-server | ||
- level1-workstation | ||
- patch | ||
- rule_5.5.4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.