diff --git a/Changelog.md b/Changelog.md index adbc58b9..0a982244 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,13 @@ # Changes to rhel9CIS +## 1.0.10 + +- [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) + - Only run check when paybook user not a superuser +- fix for 5.5.3 thanks to @nrg-fv + ## 1.0.9 + fixed assert for user password set thanks to @byjunks diff --git a/tasks/main.yml b/tasks/main.yml index f8958478..277e43fc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -38,6 +38,7 @@ sudo_password_rule: rhel9cis_rule_5_3_4 when: - rhel9cis_rule_5_3_4 + - ansible_env.SUDO_USER is defined - not system_is_ec2 tags: - user_passwd diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 566823ad..bb3cf346 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -77,19 +77,11 @@ - patch - rule_5.5.2 -- name: "5.5.3 | PATCH | Ensure password reuse is limited" - block: - - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^password\s*requisite\s*pam_pwquality.so' - - - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - ansible.builtin.replace: - path: /etc/pam.d/system-auth - regexp: '^password\s*sufficient\s*pam_unix.so.*$' - replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' +- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" + ansible.builtin.lineinfile: + path: /etc/pam.d/system-auth + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' when: - rhel9cis_rule_5_5_3 tags: