---

{{ if .Vars.ubtu24cis_level_1 }}
  {{ if .Vars.ubtu24cis_rule_5_3_3_2_2 }}
command:
  password_minlen:
    title: 5.3.3.2.2 | Ensure minimum password length is configured
    exec: grep -Psi -- '^\h*minlen\h*=\h*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\b' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
    exit-status:
      or:
      - 0
      - 1
    stdout:
    - '/.*\:minlen\s*=\s*(1[4-9]|[2-4][0-9])/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.3.3.2.2
      CISv8:
      - 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  password_minlen_not_pamd:
    title: 5.3.3.2.2 | Ensure minimum password length is configured
    exec: grep -Psi -- '^\h*password\h+(requisite|required|sufficient)\h+pam_pwquality\.so\h+([^#\n\r]+\h+)?minlen\h*=\h*([0-9]|1[0-3])\b' /etc/pam.d/system-auth /etc/pam.d/common-password
    exit-status:
      or:
      - 0
      - 1
      - 2
    stdout:
    - '!/.*/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.3.3.2.2
      CISv8:
      - 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: IA-5
  {{ end }}
{{ end }}