Make PAM macros more flexible to variables #12133
This datastream diff is auto generated by the check.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -2,7 +2,7 @@
if rpm --quiet -q pam; then
if [ -f /usr/bin/authselect ]; then
- if authselect list-features minimal | grep -q with-silent-lastlog; then
+ if authselect list-features sssd | grep -q with-silent-lastlog; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
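Review bot: the switch from `authselect list-features minimal` to `authselect list-features sssd` at the top of this hunk changes which profile's feature list is consulted, which is a behavioural change rather than the quoting cleanup the rest of the diff makes. If the intent is to check the profile that is actually selected, the profile name should be taken from the current selection rather than hard-coded; either way, the reason for picking `sssd` belongs in the PR description.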
@@ -77,23 +77,23 @@
authselect apply-changes -b
fi
- if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1\[default=1\] \2/" "$PAM_FILE_PATH"
else
LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a session \[default=1\] pam_lastlog.so" "$PAM_FILE_PATH"
else
- echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH"
+ echo "session \[default=1\] pam_lastlog.so" >> "$PAM_FILE_PATH"
fi
fi
fi
# Check the option
- if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+ if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
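Review bot: the fallback `echo "session \[default=1\] pam_lastlog.so" >> "$PAM_FILE_PATH"` writes the backslashes into the PAM file literally, because bash's builtin `echo` does not process escape sequences, so the appended line reads `session \[default=1\] pam_lastlog.so`. The pre-change line had the same problem, but since the PR rewrites it, the control should be emitted unescaped on the `echo` path; the escaping is only needed inside the `grep -P` and `sed` patterns (the `sed ... a` path is fine, GNU sed strips the backslashes from appended text). Minor: `[ ! -z $LAST_MATCH_LINE ]` should quote the expansion, e.g. `[ -n "$LAST_MATCH_LINE" ]`, so the test stays well-formed when the variable is empty.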
@@ -136,8 +136,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*session.*\[default=1\].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
@@ -181,23 +181,23 @@
authselect apply-changes -b
fi
- if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"\[default=1\]"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1\[default=1\] \2/" "$PAM_FILE_PATH"
else
LAST_MATCH_LINE=$(grep -nP "^\s*session\s+.*pam_succeed_if\.so.*" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a session '"\[default=1\]"' pam_lastlog.so' "$PAM_FILE_PATH"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a session \[default=1\] pam_lastlog.so" "$PAM_FILE_PATH"
else
- echo 'session '"\[default=1\]"' pam_lastlog.so' >> "$PAM_FILE_PATH"
+ echo "session \[default=1\] pam_lastlog.so" >> "$PAM_FILE_PATH"
fi
fi
fi
# Check the option
- if ! grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks '/\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
+ if ! grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s*.*\sshowfailed\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "/\s*session\s+\[default=1\]\s+pam_lastlog.so.*/ s/$/ showfailed/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
@@ -240,8 +240,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*session\s+'"\[default=1\]"'\s+pam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*session.*'"\[default=1\]"'.*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*session\s+\[default=1\]\s+pam_lastlog.so\s.*\bsilent\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*session.*\[default=1\].*pam_lastlog.so.*)\ssilent=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -40,7 +40,7 @@
- name: Ensure PAM Displays Last Logon/Access Notification - Collect the Available
authselect Features
ansible.builtin.command:
- cmd: authselect list-features minimal
+ cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
when:
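Review bot: the same `minimal` to `sssd` profile change is made here for the Ansible remediation, so bash and Ansible stay consistent, but the same question applies: `authselect list-features sssd` is a hard-coded profile, and the task name says it collects the "available" features, which on a host using another profile it no longer does.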
@@ -281,11 +281,16 @@
when:
- result_authselect_present.stat.exists
+ - name: Ensure PAM Displays Last Logon/Access Notification - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: '[default=1]'
+
- name: Ensure PAM Displays Last Logon/Access Notification - Check if expected PAM
module line is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*session\s+{{ '[default=1]' | regex_escape() }}\s+pam_lastlog.so\s*.*
+ regexp: ^\s*session\s+{{ pam_module_control | regex_escape() }}\s+pam_lastlog.so\s*.*
state: absent
check_mode: true
changed_when: false
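Review bot: `pam_module_control` set by the new `set_fact` task is a host-level fact shared by every rule in the play, and the same name is reassigned with different values (`'[default=1]'`, `''`, `requisite`) across the rules in this diff. The PR already gives the registered results rule-specific names (e.g. `result_pam_module_display_login_attempts_option_present` later in this file); the fact deserves the same treatment, otherwise a stale value from another rule is silently reused if one of the `set_fact` tasks is ever skipped or reordered. Style: the task name "Define a fact for control already filtered in case filters are used" is hard to parse; something like "Set the PAM control value for pam_lastlog.so" says what it does.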
@@ -310,7 +315,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*session\s+).*(\bpam_lastlog.so.*)
- replace: \1[default=1] \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -320,7 +325,7 @@
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^\s*session\s+.*pam_succeed_if\.so.*
- line: session [default=1] pam_lastlog.so
+ line: session {{ pam_module_control }} pam_lastlog.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -340,33 +345,43 @@
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
+ - name: Ensure PAM Displays Last Logon/Access Notification - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: '[default=1]'
+
- name: Ensure PAM Displays Last Logon/Access Notification - Check if the required
PAM module option is present in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*session\s+{{ '[default=1]' | regex_escape() }}\s+pam_lastlog.so\s*.*\sshowfailed\b
+ regexp: ^\s*session\s+{{ pam_module_control | regex_escape() }}\s+pam_lastlog.so\s*.*\sshowfailed\b
state: absent
check_mode: true
changed_when: false
- register: result_pam_module_showfailed_option_present
+ register: result_pam_module_display_login_attempts_option_present
- name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "showfailed"
PAM option for "pam_lastlog.so" is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*session\s+{{ '[default=1]' | regex_escape() }}\s+pam_lastlog.so.*)
+ regexp: ^(\s*session\s+{{ pam_module_control | regex_escape() }}\s+pam_lastlog.so.*)
line: \1 showfailed
state: present
- register: result_pam_showfailed_add
- when:
- - result_pam_module_showfailed_option_present.found == 0
+ register: result_pam_display_login_attempts_add
+ when:
+ - result_pam_module_display_login_attempts_option_present.found == 0
+
+ - name: Ensure PAM Displays Last Logon/Access Notification - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: '[default=1]'
- name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "silent"
option from "pam_lastlog.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
- regexp: (.*session.*{{ '[default=1]' | regex_escape() }}.*pam_lastlog.so.*)\bsilent\b=?[0-9a-zA-Z]*(.*)
+ regexp: (.*session.*{{ pam_module_control | regex_escape() }}.*pam_lastlog.so.*)\bsilent\b=?[0-9a-zA-Z]*(.*)
replace: \1\2
register: result_pam_option_removal
when: '"pam" in ansible_facts.packages'
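Review bot: the second `set_fact` inserted before the "Ensure the "silent" option ... is not present" task assigns the identical value `'[default=1]'` to `pam_module_control` that the task at the top of this hunk already set, and nothing in between modifies it, so that insertion is redundant; it is also the only inserted task without the blank separator line the others carry. The rename of the registered variables to `result_pam_module_display_login_attempts_option_present` and `result_pam_display_login_attempts_add` is a good change, since the old `result_pam_module_showfailed_option_present` could collide with another rule registering the same name.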
bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -71,8 +71,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
@@ -322,6 +322,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+ in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
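Review bot: `pam_module_control: ''` is set here, but the `replace` task that follows does not use a control at all (the bash counterpart matches `^\s*auth\s.*\bpam_faillock.so` with no control), so the `set_fact` task is dead code emitted by the macro. If the macro cannot omit it when no control is passed, the task name should at least say the value is unused, and the generated `regexp` should be checked to confirm an empty control does not leave a doubled `\s+` in the pattern.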
@@ -489,6 +494,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+ in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -8,7 +8,7 @@
var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
if [ -f /usr/bin/authselect ]; then
- if authselect list-features minimal | grep -q with-pwhistory; then
+ if authselect list-features sssd | grep -q with-pwhistory; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
@@ -50,33 +50,33 @@
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
- if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "$PAM_FILE_PATH"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a password $var_password_pam_remember_control_flag pam_pwhistory.so" "$PAM_FILE_PATH"
else
- echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
+ echo "password $var_password_pam_remember_control_flag pam_pwhistory.so" >> "$PAM_FILE_PATH"
fi
fi
fi
fi
else
- if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/password-auth"; then
+ if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/password-auth"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/password-auth")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/password-auth"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "/etc/pam.d/password-auth"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/password-auth" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/password-auth"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a password $var_password_pam_remember_control_flag pam_pwhistory.so" "/etc/pam.d/password-auth"
else
- echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/password-auth"
+ echo "password $var_password_pam_remember_control_flag pam_pwhistory.so" >> "/etc/pam.d/password-auth"
fi
fi
fi
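Review bot: `$var_password_pam_remember_control_flag` is interpolated unescaped into the `grep -P` pattern and into both the address and the replacement of the `sed -E` expressions in this hunk. That is fine for plain control keywords such as `requisite`, but, unlike the literal `\[default=1\]` used by the display_login_attempts rule, a bracketed control like `[default=1]` would be read as a character class by both tools; either document that the variable is restricted to plain keywords or escape it before use. Also, the same block is duplicated for the authselect and the `/etc/pam.d/password-auth` branches, so any fix has to be applied in both.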
@@ -125,8 +125,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
@@ -168,20 +168,20 @@
authselect apply-changes -b
fi
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
else
- echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
+ echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH"
fi
fi
# Check the option
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_remember/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
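Review bot: this block hard-codes `requisite`, whereas the block at the top of the same file uses the first element of `$var_password_pam_remember_control_flag`. If that variable is set to any other control, the earlier block ensures a `pam_pwhistory.so` line with the variable's control, then this block's `grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so..."` fails, the single-line count check passes, and `sed ... \1requisite \2` rewrites the control back to `requisite`; the two halves of the rule undo each other and the end state ignores the variable. Both blocks should derive the control from the same value.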
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
@@ -51,7 +51,7 @@
- name: 'Limit Password Reuse: password-auth - Collect the available authselect features'
ansible.builtin.command:
- cmd: authselect list-features minimal
+ cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
when:
@@ -289,12 +289,17 @@
when:
- result_authselect_present.stat.exists
+ - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+ filtered in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}'
+
- name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0]
- }}' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
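Review bot: this hunk is the substantive fix in the PR and deserves a sentence in the description: the old `regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0] }}' | regex_escape() }}...` nested a Jinja expression inside a quoted string inside another `{{ }}`, so `regex_escape()` was applied to the literal text `{{ var_password_pam_remember_control_flag.split(",")[0] }}` rather than to the variable's value, and the pattern could never match a real PAM line. Computing `pam_module_control` in a `set_fact` first and escaping that resolves it; a test with a control value containing regex metacharacters would guard against regressing this.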
@@ -319,7 +324,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -329,8 +334,7 @@
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
- line: password {{ var_password_pam_remember_control_flag.split(",")[0]
- }} pam_pwhistory.so
+ line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -559,6 +563,11 @@
when:
- result_authselect_present.stat.exists
+ - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+ filtered in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: 'Limit Password Reuse: password-auth - Ensure the "remember" option
from "pam_pwhistory.so" is not present in {{ pam_file_path }}'
ansible.builtin.replace:
@@ -740,11 +749,16 @@
when:
- result_authselect_present.stat.exists
+ - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+ filtered in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
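Review bot: `pam_module_control: requisite` here is a literal, while the `set_fact` earlier in this file uses `var_password_pam_remember_control_flag.split(",")[0]`; as in the bash remediation, the two parts of the rule will disagree whenever the variable is not `requisite`, with the later tasks rewriting the control the earlier ones installed. Deriving both facts from the same expression keeps the rule consistent.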
@@ -769,7 +783,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1requisite \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -778,7 +792,7 @@
line is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- line: password requisite pam_pwhistory.so
+ line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -797,38 +811,45 @@
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
+ - name: 'Limit Password Reuse: password-auth - Define a fact for control already
+ filtered in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: 'Limit Password Reuse: password-auth - Check if the required PAM module
option is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
- register: result_pam_module_remember_option_present
+ register: result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present
- name: 'Limit Password Reuse: password-auth - Ensure the "remember" PAM option
for "pam_pwhistory.so" is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_remember }}
state: present
- register: result_pam_remember_add
- when:
- - result_pam_module_remember_option_present.found == 0
+ register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_add
+ when:
+ - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found
+ == 0
- name: 'Limit Password Reuse: password-auth - Ensure the required value for "remember"
PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
- register: result_pam_remember_edit
- when:
- - result_pam_module_remember_option_present.found > 0
+ register: result_pam_accounts_password_pam_pwhistory_remember_password_auth_edit
+ when:
+ - result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present.found
+ > 0
- name: 'Limit Password Reuse: password-auth - Ensure authselect changes are applied'
ansible.builtin.command:
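Review bot: the renamed registers `result_pam_module_accounts_password_pam_pwhistory_remember_password_auth_option_present` and `result_pam_accounts_password_pam_pwhistory_remember_password_auth_add` avoid collisions between rules, but they are long enough that the YAML dumper now folds the `when` conditions across two lines (`...option_present.found` / `== 0`). That is valid YAML, but a shorter rule-specific suffix would keep each condition on one line and make the generated playbook easier to read.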
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -8,7 +8,7 @@
var_password_pam_remember_control_flag="$(echo $var_password_pam_remember_control_flag | cut -d \, -f 1)"
if [ -f /usr/bin/authselect ]; then
- if authselect list-features minimal | grep -q with-pwhistory; then
+ if authselect list-features sssd | grep -q with-pwhistory; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
@@ -50,33 +50,33 @@
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
- if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "$PAM_FILE_PATH"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "$PAM_FILE_PATH"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a password $var_password_pam_remember_control_flag pam_pwhistory.so" "$PAM_FILE_PATH"
else
- echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
+ echo "password $var_password_pam_remember_control_flag pam_pwhistory.so" >> "$PAM_FILE_PATH"
fi
fi
fi
fi
else
- if ! grep -qP '^\s*password\s+'"$var_password_pam_remember_control_flag"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
+ if ! grep -qP "^\s*password\s+$var_password_pam_remember_control_flag\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"$var_password_pam_remember_control_flag"' \2/' "/etc/pam.d/system-auth"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1$var_password_pam_remember_control_flag \2/" "/etc/pam.d/system-auth"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' "/etc/pam.d/system-auth"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a password $var_password_pam_remember_control_flag pam_pwhistory.so" "/etc/pam.d/system-auth"
else
- echo 'password '"$var_password_pam_remember_control_flag"' pam_pwhistory.so' >> "/etc/pam.d/system-auth"
+ echo "password $var_password_pam_remember_control_flag pam_pwhistory.so" >> "/etc/pam.d/system-auth"
fi
fi
fi
@@ -125,8 +125,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
@@ -168,20 +168,20 @@
authselect apply-changes -b
fi
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
else
- echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
+ echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH"
fi
fi
# Check the option
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_remember"'/' "$PAM_FILE_PATH"
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_remember/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_remember"' \3/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_remember \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
@@ -51,7 +51,7 @@
- name: 'Limit Password Reuse: system-auth - Collect the available authselect features'
ansible.builtin.command:
- cmd: authselect list-features minimal
+ cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
when:
@@ -289,12 +289,17 @@
when:
- result_authselect_present.stat.exists
+ - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered
+ in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: '{{ var_password_pam_remember_control_flag.split(",")[0]
+ }}'
+
- name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is
present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ '{{ var_password_pam_remember_control_flag.split(",")[0]
- }}' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
@@ -319,7 +324,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1{{ var_password_pam_remember_control_flag.split(",")[0] }} \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -329,8 +334,7 @@
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
- line: password {{ var_password_pam_remember_control_flag.split(",")[0]
- }} pam_pwhistory.so
+ line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -559,6 +563,11 @@
when:
- result_authselect_present.stat.exists
+ - name: 'Limit Password Reuse: system-auth - Define a fact for control already
+ filtered in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: 'Limit Password Reuse: system-auth - Ensure the "remember" option from
"pam_pwhistory.so" is not present in {{ pam_file_path }}'
ansible.builtin.replace:
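Review bot: `pam_module_control: ''` is assigned here but the `replace` task that follows does not reference it in the visible lines; if the remove-option macro does not use the control, this `set_fact` is dead weight and should only be emitted when a control is given, which also avoids overwriting a value another rule in the same play has just set.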
@@ -739,11 +748,16 @@
when:
- result_authselect_present.stat.exists
+ - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered
+ in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: 'Limit Password Reuse: system-auth - Check if expected PAM module line is
present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
@@ -768,7 +782,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1requisite \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -777,7 +791,7 @@
is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- line: password requisite pam_pwhistory.so
+ line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
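Review bot: unlike the earlier variant of this task, this `lineinfile` has no `insertafter`, so when no pam_pwhistory.so line exists the new `password {{ pam_module_control }} pam_pwhistory.so` is appended at the end of `{{ pam_file_path }}`, which in a stock `password` stack places it after pam_unix.so and the history check is consulted only after the password change has already been attempted. Anchor it with `insertbefore: ^password.*pam_unix\.so` or after pam_pwquality.so as the other branch does.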
@@ -796,38 +810,45 @@
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
+ - name: 'Limit Password Reuse: system-auth - Define a fact for control already filtered
+ in case filters are used'
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: 'Limit Password Reuse: system-auth - Check if the required PAM module option
is present in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
- register: result_pam_module_remember_option_present
+ register: result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present
- name: 'Limit Password Reuse: system-auth - Ensure the "remember" PAM option for
"pam_pwhistory.so" is included in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_remember }}
state: present
- register: result_pam_remember_add
- when:
- - result_pam_module_remember_option_present.found == 0
+ register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_add
+ when:
+ - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found
+ == 0
- name: 'Limit Password Reuse: system-auth - Ensure the required value for "remember"
PAM option from "pam_pwhistory.so" in {{ pam_file_path }}'
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_remember }} \3
- register: result_pam_remember_edit
- when:
- - result_pam_module_remember_option_present.found > 0
+ register: result_pam_accounts_password_pam_pwhistory_remember_system_auth_edit
+ when:
+ - result_pam_module_accounts_password_pam_pwhistory_remember_system_auth_option_present.found
+ > 0
- name: 'Limit Password Reuse: system-auth - Ensure authselect changes are applied'
ansible.builtin.command:
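Review bot: the presence check `\s+pam_pwhistory.so\s*.*\sremember\b` matches a bare `remember` or a `remember=` with no value, but the edit task only matches `(remember)=[0-9a-zA-Z]+`; for such a line `..._option_present.found` is `> 0`, the add task is skipped and the edit task changes nothing, so the required value is never written. Let the edit regexp tolerate an empty value, `(remember)=?[0-9a-zA-Z]*`, as the Bash removal does with `\bremember\b=?[[:alnum:]]*`, or run the add task when the edit reports no change.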
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -9,7 +9,7 @@
if [ -f /usr/bin/authselect ]; then
- if authselect list-features minimal | grep -q with-pwhistory; then
+ if authselect list-features sssd | grep -q with-pwhistory; then
if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
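Review bot: with `authselect list-features sssd | grep -q with-pwhistory`, a missing sssd profile makes `authselect` exit non-zero and write to stderr, and the pipeline then reads as "feature not available" with no message; since the commit message relies on sssd remaining after the Fedora 40 `local` profile migration, either silence the expected error (`2>/dev/null`) or check that the profile exists and abort with a message, as the script already does for `authselect check` two lines later.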
@@ -51,33 +51,33 @@
PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
authselect apply-changes -b
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "$PAM_FILE_PATH" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "$PAM_FILE_PATH"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a password requisite pam_pwhistory.so" "$PAM_FILE_PATH"
else
- echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
+ echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH"
fi
fi
fi
fi
else
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "/etc/pam.d/system-auth"; then
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "/etc/pam.d/system-auth"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "/etc/pam.d/system-auth")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "/etc/pam.d/system-auth"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "/etc/pam.d/system-auth"
else
LAST_MATCH_LINE=$(grep -nP "^password.*requisite.*pam_pwquality\.so" "/etc/pam.d/system-auth" | tail -n 1 | cut -d: -f 1)
if [ ! -z $LAST_MATCH_LINE ]; then
- sed -i --follow-symlinks $LAST_MATCH_LINE' a password '"requisite"' pam_pwhistory.so' "/etc/pam.d/system-auth"
+ sed -i --follow-symlinks $LAST_MATCH_LINE" a password requisite pam_pwhistory.so" "/etc/pam.d/system-auth"
else
- echo 'password '"requisite"' pam_pwhistory.so' >> "/etc/pam.d/system-auth"
+ echo "password requisite pam_pwhistory.so" >> "/etc/pam.d/system-auth"
fi
fi
fi
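Review bot: moving the patterns into double quotes keeps `\s`, `\b`, `\1` and `\[` intact (the shell leaves a backslash alone unless it precedes `$`, a backtick, `"`, `\` or a newline), but it also means a `$` or backtick in the expanded control would now be evaluated by the shell, so the macro must keep rejecting controls that are not plain PAM tokens; separately, `[ ! -z $LAST_MATCH_LINE ]` and the sed address `$LAST_MATCH_LINE" a password ..."` remain unquoted in the unchanged lines, and `[ -n "$LAST_MATCH_LINE" ]` with `"$LAST_MATCH_LINE"` in the address is the safe form.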
@@ -126,8 +126,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*password\s.*\bpam_pwhistory.so\s.*\bremember\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
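Review bot: in `s/(.*password.*pam_pwhistory.so.*)\bremember\b=?[[:alnum:]]*(.*)/\1\2/g` the leading greedy `.*` binds to the last `remember` token on the line and the trailing `(.*)` consumes the rest, so `/g` has nothing left to iterate and a line carrying the option twice keeps one copy after a single run; the expression also leaves a doubled space and, unlike the `^\s*password` anchor of the `grep -qP` guard, applies to commented-out lines. Anchor the sed address the same way (`/^\s*password\s.*pam_pwhistory.so/`) and absorb the surrounding whitespace with `\s*` around the option.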
@@ -169,20 +169,20 @@
authselect apply-changes -b
fi
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*' "$PAM_FILE_PATH"; then
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*" "$PAM_FILE_PATH"; then
# Line matching group + control + module was not found. Check group + module.
if [ "$(grep -cP '^\s*password\s+.*\s+pam_pwhistory.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
# The control is updated only if one single line matches.
- sed -i -E --follow-symlinks 's/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1'"requisite"' \2/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/^(\s*password\s+).*(\bpam_pwhistory.so.*)/\1requisite \2/" "$PAM_FILE_PATH"
else
- echo 'password '"requisite"' pam_pwhistory.so' >> "$PAM_FILE_PATH"
+ echo "password requisite pam_pwhistory.so" >> "$PAM_FILE_PATH"
fi
fi
# Check the option
- if ! grep -qP '^\s*password\s+'"requisite"'\s+pam_pwhistory.so\s*.*\sremember\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks '/\s*password\s+'"requisite"'\s+pam_pwhistory.so.*/ s/$/ remember='"$var_password_pam_unix_remember"'/' "$PAM_FILE_PATH"
+ if ! grep -qP "^\s*password\s+requisite\s+pam_pwhistory.so\s*.*\sremember\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "/\s*password\s+requisite\s+pam_pwhistory.so.*/ s/$/ remember=$var_password_pam_unix_remember/" "$PAM_FILE_PATH"
else
- sed -i -E --follow-symlinks 's/(\s*password\s+'"requisite"'\s+pam_pwhistory.so\s+.*)('"remember"'=)[[:alnum:]]+\s*(.*)/\1\2'"$var_password_pam_unix_remember"' \3/' "$PAM_FILE_PATH"
+ sed -i -E --follow-symlinks "s/(\s*password\s+requisite\s+pam_pwhistory.so\s+.*)(remember=)[[:alnum:]]+\s*(.*)/\1\2$var_password_pam_unix_remember \3/" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
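Review bot: `$var_password_pam_unix_remember` is now interpolated directly into the sed expression in both branches (`s/$/ remember=$var_password_pam_unix_remember/` and `\1\2$var_password_pam_unix_remember \3/`) without validation, so a value containing `/`, `&` or `\` breaks the expression or alters the replacement; since the option is numeric, check it once before either sed runs, e.g. `case "$var_password_pam_unix_remember" in ''|*[!0-9]*) echo "invalid remember value"; exit 1;; esac`.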
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember
@@ -43,7 +43,7 @@
- name: Limit Password Reuse - Collect the available authselect features
ansible.builtin.command:
- cmd: authselect list-features minimal
+ cmd: authselect list-features sssd
register: result_authselect_available_features
changed_when: false
when:
@@ -271,11 +271,16 @@
when:
- result_authselect_present.stat.exists
+ - name: Limit Password Reuse - Define a fact for control already filtered in case
+ filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: Limit Password Reuse - Check if expected PAM module line is present in {{
pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
@@ -300,7 +305,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1requisite \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -310,7 +315,7 @@
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
insertafter: ^password.*requisite.*pam_pwquality\.so
- line: password requisite pam_pwhistory.so
+ line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -529,6 +534,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Limit Password Reuse - Define a fact for control already filtered in
+ case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Limit Password Reuse - Ensure the "remember" option from "pam_pwhistory.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
@@ -702,11 +712,16 @@
when:
- result_authselect_present.stat.exists
+ - name: Limit Password Reuse - Define a fact for control already filtered in case
+ filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: Limit Password Reuse - Check if expected PAM module line is present in {{
pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*
state: absent
check_mode: true
changed_when: false
@@ -731,7 +746,7 @@
ansible.builtin.replace:
dest: '{{ pam_file_path }}'
regexp: ^(\s*password\s+).*(\bpam_pwhistory.so.*)
- replace: \1requisite \2
+ replace: \1{{ pam_module_control }} \2
register: result_pam_module_edit
when:
- result_pam_line_other_control_present.found == 1
@@ -740,7 +755,7 @@
in {{ pam_file_path }}
ansible.builtin.lineinfile:
dest: '{{ pam_file_path }}'
- line: password requisite pam_pwhistory.so
+ line: password {{ pam_module_control }} pam_pwhistory.so
register: result_pam_module_add
when:
- result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
@@ -759,38 +774,45 @@
- result_pam_line_present.found is defined
- result_pam_line_present.found == 0
+ - name: Limit Password Reuse - Define a fact for control already filtered in case
+ filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: requisite
+
- name: Limit Password Reuse - Check if the required PAM module option is present
in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
- regexp: ^\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
+ regexp: ^\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s*.*\sremember\b
state: absent
check_mode: true
changed_when: false
- register: result_pam_module_remember_option_present
+ register: result_pam_module_accounts_password_pam_unix_remember_option_present
- name: Limit Password Reuse - Ensure the "remember" PAM option for "pam_pwhistory.so"
is included in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so.*)
line: \1 remember={{ var_password_pam_unix_remember }}
state: present
- register: result_pam_remember_add
- when:
- - result_pam_module_remember_option_present.found == 0
+ register: result_pam_accounts_password_pam_unix_remember_add
+ when:
+ - result_pam_module_accounts_password_pam_unix_remember_option_present.found ==
+ 0
- name: Limit Password Reuse - Ensure the required value for "remember" PAM option
from "pam_pwhistory.so" in {{ pam_file_path }}
ansible.builtin.lineinfile:
path: '{{ pam_file_path }}'
backrefs: true
- regexp: ^(\s*password\s+{{ 'requisite' | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
+ regexp: ^(\s*password\s+{{ pam_module_control | regex_escape() }}\s+pam_pwhistory.so\s+.*)(remember)=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{ var_password_pam_unix_remember }} \3
- register: result_pam_remember_edit
- when:
- - result_pam_module_remember_option_present.found > 0
+ register: result_pam_accounts_password_pam_unix_remember_edit
+ when:
+ - result_pam_module_accounts_password_pam_unix_remember_option_present.found >
+ 0
- name: Limit Password Reuse - Ensure authselect changes are applied
ansible.builtin.command:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -73,8 +73,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\baudit\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\baudit\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
@@ -340,6 +340,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+ in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
@@ -507,6 +512,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Account Lockouts Must Be Logged - Define a fact for control already filtered
+ in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Account Lockouts Must Be Logged - Ensure the "audit" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -78,8 +78,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -392,6 +392,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Lock Accounts After Failed Password Attempts - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
@@ -564,6 +569,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Lock Accounts After Failed Password Attempts - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option
from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -73,8 +73,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -370,6 +370,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Configure the root Account for Failed Password Attempts - Define a fact
+ for control already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
@@ -542,6 +547,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Configure the root Account for Failed Password Attempts - Define a fact
+ for control already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -78,8 +78,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bdir\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bdir\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -366,6 +366,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Lock Accounts Must Persist - Define a fact for control already filtered
+ in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Lock Accounts Must Persist - Ensure the "dir" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
@@ -530,6 +535,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Lock Accounts Must Persist - Define a fact for control already filtered
+ in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Lock Accounts Must Persist - Ensure the "dir" option from "pam_faillock.so"
is not present in {{ pam_file_path }}
ansible.builtin.replace:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -73,8 +73,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\blocal_users_only\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\blocal_users_only\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local
@@ -351,6 +351,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Enforce pam_faillock for Local Accounts Only - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Enforce pam_faillock for Local Accounts Only - Ensure the "local_users_only"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
@@ -523,6 +528,11 @@
when:
- result_authselect_present.stat.exists
+ - name: Enforce pam_faillock for Local Accounts Only - Define a fact for control
+ already filtered in case filters are used
+ ansible.builtin.set_fact:
+ pam_module_control: ''
+
- name: Enforce pam_faillock for Local Accounts Only - Ensure the "local_users_only"
option from "pam_faillock.so" is not present in {{ pam_file_path }}
ansible.builtin.replace:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -78,8 +78,8 @@
authselect apply-changes -b
fi
- if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then
- sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
+ if grep -qP "^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b" "$PAM_FILE_PATH"; then
+ sed -i -E --follow-symlinks "s/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g" "$PAM_FILE_PATH"
fi
if [ -f /usr/bin/authselect ]; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -375,6 +375,11 @@
when:
- result_authselect_present.stat
... The diff is trimmed here ...
🤖 A k8s content image for this PR is available at: If you already have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
I moved it to draft while I investigate the issues reported in CI tests.
There may be cases where variables are passed to these macros. In these cases the variables can now be resolved. Signed-off-by: Marcus Burghardt <[email protected]>
When the option parameter is passed as an Ansible variable, the resulting Playbook will break. Now the registers are not impacted by the format of the parameters. Signed-off-by: Marcus Burghardt <[email protected]>
For the remove_pam_module_option_configuration macro an empty control argument is already treated by the macro. Signed-off-by: Marcus Burghardt <[email protected]>
There are PAM related rules where more than one control is allowed for a specific PAM module. In this case, an Ansible variable is passed to the macro including filters, such as in rule accounts_password_pam_pwhistory_remember_password_auth. The respective macros were updated to properly deal with these cases.
Change in Ansible: Please consider using a more suitable Ansible module than
The minimal profile is not present in containers, for example. On the other hand, the sssd profile is already used in many test scenarios and seems to be present both in containers and VMs used in CI tests.
It will be replaced by a profile called local. But the sssd profile will continue there and therefore will be used to check the available authselect features. It doesn't affect the existing rules since used features are part of both profiles. https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/ Signed-off-by: Marcus Burghardt <[email protected]>
Change in Ansible: Please consider using a more suitable Ansible module than
Code Climate has analyzed commit c1e2d24 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate.
I have run some Automatus test scenarios with both Bash and Ansible and they all look fine.
I love the great commit messages.
- name: '{{{ rule_title }}} - Define a fact for control already filtered in case filters are used'
  ansible.builtin.set_fact:
    pam_module_control: '{{{ control }}}'

- name: '{{{ rule_title }}} - Check if expected PAM module line is present in {{{ pam_file }}}'
I am not sure if it's a problem but in build/rhel8/fixes/ansible/accounts_password_pam_pwhistory_remember_password_auth.yml this gets translated to
- name: 'Limit Password Reuse: password-auth - Check if expected PAM module line
  is present in {{ pam_file_path }}'
Is it fine?
Yes, the Ansible variable will be translated during the Playbook execution.
thanks
Description:
There may be cases where variables are passed to these macros, for example in
accounts_password_pam_pwhistory_remember_password_auth
In some cases these variables were not resolved in Bash macros and the Playbooks were breaking.
These macros can now properly use the variables.
Rationale:
More flexibility for PAM settings.
Review Hints:
These macros are used by many rules.
Nothing is expected to break with these changes, but let's check the CI tests.
Just for information: https://fedoramagazine.org/authselect-in-fedora-linux-40-migrating-to-the-new-local-profile/