83 lines
3.4 KiB
YAML
83 lines
3.4 KiB
YAML
---
|
|
|
|
- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
|
|
when:
|
|
- ubtu24cis_rule_5_3_3_3_1
|
|
- ubtu24cis_disruption_high
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.3.3.3.1
|
|
- NIST800-53R5_IA-5
|
|
- pam
|
|
block:
|
|
- name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files"
|
|
ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/common-password
|
|
register: discovered_pwhistory_remember
|
|
changed_when: false
|
|
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
|
|
|
|
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set"
|
|
when: discovered_pwhistory_remember.stdout | length > 0
|
|
ansible.builtin.lineinfile:
|
|
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
|
|
regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+)
|
|
line: '\1\2\3 remember={{ ubtu24cis_pamd_pwhistory_remember }}'
|
|
backrefs: true
|
|
notify: Pam_auth_update_pwhistory
|
|
|
|
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
|
|
when:
|
|
- ubtu24cis_rule_5_3_3_3_2
|
|
- ubtu24cis_disruption_high
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.3.3.3.2
|
|
- NIST800-53R5_IA-5
|
|
- pam
|
|
block:
|
|
- name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
|
|
ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?enforce_for_root\b' /etc/pam.d/common-password
|
|
register: discovered_pwhistory_enforce_for_root
|
|
changed_when: false
|
|
failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
|
|
|
|
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set"
|
|
when: discovered_pwhistory_enforce_for_root.stdout | length > 0
|
|
ansible.builtin.lineinfile:
|
|
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
|
|
regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root)
|
|
line: '\1\2\3 enforce_for_root'
|
|
backrefs: true
|
|
notify: Pam_auth_update_pwhistory
|
|
|
|
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
|
|
when:
|
|
- ubtu24cis_rule_5_3_3_3_3
|
|
- ubtu24cis_disruption_high
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.3.3.3.2
|
|
- NIST800-53R5_IA-5
|
|
- pam
|
|
block:
|
|
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
|
|
ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?use_authtok\b' /etc/pam.d/common-password
|
|
register: discovered_pwhistory_use_authtok
|
|
changed_when: false
|
|
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
|
|
|
|
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set"
|
|
when: discovered_pwhistory_use_authtok.stdout | length > 0
|
|
ansible.builtin.lineinfile:
|
|
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
|
|
regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok)
|
|
line: '\1\2\3 use_authtok'
|
|
backrefs: true
|
|
notify: Pam_auth_update_pwhistory
|