RHEL9-CIS-Audit/section_5/cis_5.3.2/cis_5.3.2.1.yml
Mark Bolwell 2dc4b47eb7 Test improvements
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-02-26 14:04:55 +00:00


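---
# 5.3.2.1 | Ensure active authselect profile includes pam modules
#
# Checks both PAM stacks of the custom authselect profile
# (password-auth and system-auth) for the required module lines.
# Both resources sit inside two Go-template guards (goss-style `.Vars`):
# the Level 1 profile switch and the per-rule switch. When either is
# false the whole `file:` resource is omitted from the rendered output.
{{ if .Vars.rhel9cis_level_1 }}
{{ if .Vars.rhel9cis_rule_5_3_2_1 }}
file:
  passwd_auth_authselect_modules:
    title: 5.3.2.1 | Ensure active authselect profile includes pam modules
    # The profile directory name is templated; the rendered path is a plain
    # absolute path, so it is left unquoted.
    path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/password-auth
    exists: true
    # Each '/.../' entry is a regular expression that must be found in the
    # file. Module filenames use an escaped dot ('pam_faillock\.so') so the
    # pattern matches only the literal filename rather than any single
    # character in that position. The '{include if ...}' and
    # '{if not ...:...}' fragments are authselect profile conditionals and
    # are expected verbatim in the custom profile template; an unparseable
    # '{' is treated as a literal by the regex engine, so they need no escaping.
    # NOTE(review): '\s*' also matches zero whitespace between fields; '\s+'
    # would be stricter but is left as-is to keep parity with existing checks.
    contents:
      - '/auth\s*required\s*pam_faillock\.so\s*preauth silent\s*{include if "with-faillock"}/'
      - '/auth\s*sufficient\s*pam_unix\.so\s*{if not "without-nullok":nullok}/'
      - '/auth\s*required\s*pam_faillock\.so\s*authfail\s*{include if "with-faillock"}/'
      - '/account\s*required\s*pam_faillock\.so\s*{include if "with-faillock"}/'
      - '/account\s*required\s*pam_unix\.so/'
      - '/password\s*requisite\s*pam_pwquality\.so\s*local_users_only/'
      - '/password\s*(required|requisite)\s*pam_pwhistory\.so\s*use_authtok/'
      - '/password\s*sufficient\s*pam_unix\.so\s*sha512\s*shadow\s*{if not "without-nullok":nullok} use_authtok/'
      - '/session\s*required\s*pam_unix\.so/'
    # Benchmark metadata consumed by the reporting layer; values kept as the
    # project writes them elsewhere.
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.1
      CISv8: 16.2
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA

  system_auth_authselect_modules:
    title: 5.3.2.1 | Ensure active authselect profile includes pam modules
    path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/system-auth
    exists: true
    # Same module-line patterns as password-auth above; the two stacks are
    # required to agree, so keep both lists in step when editing.
    contents:
      - '/auth\s*required\s*pam_faillock\.so\s*preauth silent\s*{include if "with-faillock"}/'
      - '/auth\s*sufficient\s*pam_unix\.so\s*{if not "without-nullok":nullok}/'
      - '/auth\s*required\s*pam_faillock\.so\s*authfail\s*{include if "with-faillock"}/'
      - '/account\s*required\s*pam_faillock\.so\s*{include if "with-faillock"}/'
      - '/account\s*required\s*pam_unix\.so/'
      - '/password\s*requisite\s*pam_pwquality\.so\s*local_users_only/'
      - '/password\s*(required|requisite)\s*pam_pwhistory\.so\s*use_authtok/'
      - '/password\s*sufficient\s*pam_unix\.so\s*sha512\s*shadow\s*{if not "without-nullok":nullok} use_authtok/'
      - '/session\s*required\s*pam_unix\.so/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
        - 5.3.2.1
      CISv8: 16.2
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5: NA
{{ end }}
{{ end }}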