Skip to content

Commit

Permalink
Merge pull request #62 from ansible-lockdown/may23_updates
Browse files Browse the repository at this point in the history
May23 updates
  • Loading branch information
uk-bolly authored May 18, 2023
2 parents aa2c44a + 3ee1923 commit a888834
Show file tree
Hide file tree
Showing 5 changed files with 12 additions and 11 deletions.
5 changes: 3 additions & 2 deletions Changelog.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,9 @@

## 1.0.7

lint and yamll updates
improvemnst to 6.1.10, 6.1.11, 6.1.13, 6.1.14
lint and yaml updates
improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14
4.1.3.6 updated on process discovery

## 1.0.6

Expand Down
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.1.3.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
Expand Down
6 changes: 3 additions & 3 deletions tasks/section_5/cis_5.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,9 @@
line: "{{ item.line }}"
insertbefore: "{{ item.before }}"
loop:
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
when:
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'
Expand Down
6 changes: 3 additions & 3 deletions tasks/section_5/cis_5.5.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -82,14 +82,14 @@
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'

- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
ansible.builtin.replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$'
replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
when:
- rhel9cis_rule_5_5_3
tags:
Expand Down
4 changes: 2 additions & 2 deletions tasks/section_5/cis_5.6.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- item.gid < min_int_uid | int
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
Expand All @@ -30,7 +30,7 @@
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- item.gid < min_int_uid | int
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
Expand Down

0 comments on commit a888834

Please sign in to comment.