pwquality 5.3.3.2.x logic updates #279

Merged
merged 4 commits into from
Jan 22, 2025
Merged
14 changes: 11 additions & 3 deletions tasks/prelim.yml
Expand Up @@ -177,14 +177,14 @@
ansible.builtin.set_fact:
grub2_path: /etc/grub2-efi.cfg

- name: "PRELIM | Discover Gnome Desktop Environment"
- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
tags:
- always
ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present

- name: "PRELIM | Install dconf if gui installed"
- name: "PRELIM | PATCH | Install dconf if gui installed"
when:
- rhel9cis_gui
tags:
Expand Down Expand Up @@ -243,6 +243,14 @@
mode: 'go-rwx'
state: touch

- name: "PRELIM | AUDIT | Capture pam security related files"
tags: always
ansible.builtin.find:
paths:
- /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: prelim_pam_pwquality_confs

- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
when: rhel9cis_rule_5_4_2_1
tags:
Expand Down Expand Up @@ -326,7 +334,7 @@
changed_when: false
register: prelim_uid_max_id

- name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
- name: "PRELIM | AUDIT | Set Fact for interactive uid/gid"
ansible.builtin.set_fact:
prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}"
prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}"
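Review bot: `register: prelim_pam_pwquality_confs` stores the raw find result, so every consumer has to remember that `.files` is a list of dicts keyed by `path` and cannot be looped over as filenames directly, whereas the other prelim facts in this file (`prelim_min_int_uid`, `prelim_max_int_uid`) are already flattened to plain values. I would add a set_fact straight after the find, `prelim_pam_pwquality_conf_paths: "{{ prelim_pam_pwquality_confs.files | default([]) | map(attribute='path') | list }}"`, and have the section 5 tasks loop over that list of paths. As far as I can tell `find` only warns when /etc/security/pwquality.conf.d/ is absent, so the fact would be an empty list rather than a failed run, which looks like the intended behaviour for hosts without drop-ins.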
78 changes: 42 additions & 36 deletions tasks/section_5/cis_5.3.3.2.x.yml
Expand Up @@ -14,14 +14,15 @@
when:
- item != rhel9cis_passwd_difok_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'difok\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- /etc/pam.d/*-auth
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"

- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
ansible.builtin.template:
Expand Down Expand Up @@ -70,14 +71,15 @@
when:
- item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'minlen\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"

- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
ansible.builtin.template:
Expand Down Expand Up @@ -126,14 +128,15 @@
when:
- item != rhel9cis_passwd_complex_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"

- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
ansible.builtin.template:
Expand Down Expand Up @@ -180,14 +183,15 @@
block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when: item != rhel9cis_passwd_maxrepeat_file
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"

- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
ansible.builtin.template:
Expand Down Expand Up @@ -236,14 +240,15 @@
when:
- item != rhel9cis_passwd_maxsequence_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'maxsequence\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"

- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
ansible.builtin.template:
Expand Down Expand Up @@ -291,14 +296,15 @@
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
when:
- item != rhel9cis_passwd_dictcheck_file
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'dictcheck\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"

- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
ansible.builtin.template:
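Review bot: The fourth loop entry `"{{ prelim_pam_pwquality_confs.files | default([]) }}"` is appended as a single nested list rather than flattened, so on that iteration `item` is the whole list (and its elements are find result dicts, not paths); the drop-ins under /etc/security/pwquality.conf.d/ are therefore never cleaned and the `item != rhel9cis_passwd_difok_file` guard can never match them, and the same pattern repeats in 5.3.3.2.2 through 5.3.3.2.6. Switching from `replace` to `lineinfile state: absent` also changes what is removed: an unanchored `difok\s*=\s*\d+\b` now deletes the entire matching line, which in /etc/pam.d/system-auth and password-auth is the `pam_pwquality.so` module line itself, so a host still carrying an inline `difok=` or `minlen=` argument would lose password-quality enforcement from the PAM stack rather than just the argument. Anchoring the pwquality.conf regexp with `^\s*` additionally stops the commented `# difok = 1` defaults shipped in that file from being deleted. I would build the loop as a flat list of paths and keep `replace` for the pam.d files as sketched below; the task name and `when` guards begin outside the hunk, and this assumes the `rhel9cis_passwd_*_file` variables always point at a pwquality conf file rather than a pam.d file.
```yaml
# … unchanged: task name and when guards (start outside the hunk) …
  ansible.builtin.lineinfile:
    path: "{{ item }}"
    regexp: '^\s*difok\s*=\s*\d+\b'
    state: absent
  loop: "{{ ['/etc/security/pwquality.conf'] + (prelim_pam_pwquality_confs.files | default([]) | map(attribute='path') | list) }}"

- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Strip inline difok from pam_pwquality lines"
  when: rhel9cis_disruption_high
  ansible.builtin.replace:
    path: "{{ item }}"
    regexp: '\s+difok\s*=\s*\d+\b'
    replace: ''
  loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
```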
2 changes: 1 addition & 1 deletion templates/etc/systemd/system/tmp.mount.j2
Expand Up @@ -23,7 +23,7 @@ After=swap.target
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %}
Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %}

# Make 'systemctl enable tmp.mount' work:
[Install]