ansible-lockdown · uk-bolly · Jun 6, 2024 · Jun 4, 2024 · Jun 5, 2024 · Jun 5, 2024
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,13 @@
 # Changes to rhel9CIS
 
+## 1.1.6 - Based on CIS v1.0.0
+
+- #190 - thanks to @ipruteanu-sie
+  - addressed requirements in PR with alternate method
+- #191 - thanks to @numericillustration
+  - Addressed authselect for pam
+- #193 thanks to brakkio86
+
 ## 1.1.5 - Based on CIS v1.0.0
 
 - added new interactive user discoveries

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -79,6 +79,13 @@
   ansible.builtin.systemd:
       daemon-reload: true
 
+- name: Apply_authselect
+  ansible.builtin.shell: authselect apply-changes
+  when: not rhel9cis_rule_5_4_2
+
+- name: Apply_authselect
+  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
+  when: rhel9cis_rule_5_4_2
 ## Auditd tasks note order for handlers to run
 
 - name: Auditd immutable check

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -24,7 +24,7 @@
   tags:
       - always
   ansible.builtin.shell: >
-      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }'
+      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
   changed_when: false
   register: discovered_interactive_usernames
 

diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
@@ -59,7 +59,7 @@
 - name: "4.2.1.5 | PATCH | Ensure logging is configured"
   block:
       - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
-        ansible.builtin.shell: cat /etc/rsyslog.conf
+        ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$"
         changed_when: false
         failed_when: false
         check_mode: false

diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
@@ -3,21 +3,25 @@
 - name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
   block:
       - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
-        ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
+        ansible.builtin.shell: 'authselect list | grep custom'
         failed_when: false
         changed_when: false
         check_mode: false
-        register: rhel9cis_5_4_1_profiles
-
-      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
-        ansible.builtin.debug:
-            msg:
-                - "Below are the current custom profiles"
-                - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
+        register: rhel9cis_5_4_1_current_profile
 
       - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
         ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
-        when: rhel9cis_authselect_custom_profile_create
+        when:
+            - rhel9cis_authselect_custom_profile_create
+            - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
+
+      - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup"
+        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}"
+        register: authselect_5_4_1_select
+        when:
+            - rhel9cis_authselect_custom_profile_create
+            - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
+
   when:
       - rhel9cis_rule_5_4_1
   tags:
@@ -28,7 +32,7 @@
       - authselect
       - rule_5.4.1
 
-- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
+- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options"
   block:
       - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
         ansible.builtin.shell: "authselect current | grep with-faillock"
@@ -43,11 +47,11 @@
                 - "Below are the current custom profiles"
                 - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"
 
-      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
-        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }}  {{ rhel9cis_authselect['options'] }}"
+      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options"
+        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force"
         when: rhel9cis_authselect_custom_profile_select
 
-      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
         ansible.builtin.lineinfile:
             path: "/etc/pam.d/password-auth"
             regexp: "{{ item.regexp }}"
@@ -61,7 +65,7 @@
             - rhel9cis_add_faillock_without_authselect
             - rhel9cis_5_4_2_risks == 'ACCEPT'
 
-      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
         ansible.builtin.lineinfile:
             path: "/etc/pam.d/system-auth"
             regexp: "{{ item.regexp }}"

diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
@@ -11,14 +11,14 @@
             - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
             - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
 
-      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/system-auth
             regexp: '^password\s*requisite\s*pam_pwquality.so'
             line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
             insertbefore: '^#?password ?'
 
-      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/password-auth
             regexp: '^password\s*requisite\s*pam_pwquality.so'
@@ -42,6 +42,7 @@
         loop:
             - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
             - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
+
       - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
@@ -51,6 +52,7 @@
         loop:
             - "/etc/pam.d/system-auth"
             - "/etc/pam.d/password-auth"
+
       - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
@@ -60,6 +62,7 @@
         loop:
             - "/etc/pam.d/system-auth"
             - "/etc/pam.d/password-auth"
+
       - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
@@ -78,10 +81,18 @@
       - rule_5.5.2
 
 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
-  ansible.builtin.lineinfile:
-      path: /etc/pam.d/system-auth
-      line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
-      insertafter: '^password\s*requisite\s*pam_pwquality.so'
+  block:
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: /etc/pam.d/system-auth
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: /etc/pam.d/password-auth
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
   when:
       - rhel9cis_rule_5_5_3
   tags:

diff --git a/tasks/section_5/cis_5.5.x_authselect.yml b/tasks/section_5/cis_5.5.x_authselect.yml
@@ -0,0 +1,144 @@
+---
+
+- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
+  block:
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
+        ansible.builtin.lineinfile:
+            path: /etc/security/pwquality.conf
+            regexp: ^{{ item.name }}
+            line: "{{ item.name }} = {{ item.value }}"
+        loop:
+            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
+            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
+
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            regexp: '^password\s*requisite\s*pam_pwquality.so'
+            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
+            insertbefore: '^#?password ?'
+        notify: Apply_authselect
+
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            regexp: '^password\s*requisite\s*pam_pwquality.so'
+            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
+            insertbefore: '^#?password ?'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1
+
+- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
+  block:
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
+        ansible.builtin.lineinfile:
+            path: /etc/security/faillock.conf
+            regexp: "{{ item.regexp }}"
+            line: "{{ item.line }}"
+        loop:
+            - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
+            - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
+            line: "auth         required     pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
+            insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
+            line: "auth         required     pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
+            insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
+            line: "account     required     pam_faillock.so"
+            insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.2
+
+- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
+  block:
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+        notify: Apply_authselect
+
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.3
+
+- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
+  block:
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
+        ansible.builtin.replace:
+            path: /etc/libuser.conf
+            regexp: '^crypt_style\s*=\s*.*$'
+            replace: 'crypt_style = sha512'
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
+        ansible.builtin.replace:
+            path: /etc/login.defs
+            regexp: '^ENCRYPT_METHOD.*'
+            replace: 'ENCRYPT_METHOD SHA512'
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
+        ansible.builtin.replace:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+        notify: Apply_authselect
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
+        ansible.builtin.replace:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient     pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.4
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
@@ -116,6 +116,7 @@
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
         ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
         loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
+        when: item in discovered_interactive_usernames.stdout
   when:
       - rhel9cis_rule_5_6_1_4
   tags:

diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
@@ -14,8 +14,10 @@
             - item.id != "halt"
             - item.id != "nfsnobody"
             - item.uid < min_int_uid | int
-            - item.shell != "      /bin/false"
-            - item.shell != "      /usr/sbin/nologin"
+            - item.shell != "/bin/false"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.shell != "/dev/null"
         loop_control:
             label: "{{ item.id }}"
 
@@ -31,8 +33,10 @@
             - item.id != "root"
             - item.id != "nfsnobody"
             - item.uid < min_int_uid | int
-            - item.shell != "      /bin/false"
-            - item.shell != "      /usr/sbin/nologin"
+            - item.shell != "/bin/false"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.shell != "/dev/null"
         loop_control:
             label: "{{ item.id }}"
   when:

diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml
@@ -20,9 +20,15 @@
   ansible.builtin.import_tasks:
       file: cis_5.4.x.yml
 
-- name: "SECTION | 5.5 | Configure PAM "
+- name: "SECTION | 5.5 | Configure PAM | not authselect"
   ansible.builtin.import_tasks:
       file: cis_5.5.x.yml
+  when: not rhel9cis_authselect_custom_profile_select
+
+- name: "SECTION | 5.5 | Configure PAM | authselect"
+  ansible.builtin.import_tasks:
+      file: cis_5.5.x_authselect.yml
+  when: rhel9cis_authselect_custom_profile_select
 
 - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
   ansible.builtin.import_tasks: