From 973ef95e98c6c52ea6da678af5149a7117a79055 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 22 Nov 2023 14:41:26 +0200
Subject: [PATCH] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/69!

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_5/cis_5.4.x.yml | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
index 1894dead..ef1e6769 100644
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@@ -106,14 +106,30 @@
       - pam
       - notimplemented
 
-- name: 5.4.3 | PATCH | Ensure password reuse is limited"
-  community.general.pamd:
-      name: common-password
-      type: password
-      control: '[success=1 default=ignore]'
-      module_path: pam_unix.so
-      module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}"
-      state: args_present
+- name: "5.4.3 | PATCH | Ensure password reuse is limited"
+  block:
+    - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly"
+      community.general.pamd:
+          name: common-password
+          type: password
+          control: '[success=1 default=ignore]'
+          module_path: pam_unix.so
+          module_arguments: 'obscure
+                            yescrypt'
+          state: args_present
+
+    - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix"
+      community.general.pamd:
+          name: common-password
+          type: password
+          control: '[success=1 default=ignore]'
+          module_path: pam_unix.so
+          new_type: password
+          new_module_path: pam_pwhistory.so
+          new_control: required
+          module_arguments: 'use_authtok
+                            remember={{ ubtu22cis_pamd_pwhistory_remember }}'
+          state: before
   when:
       - ubtu22cis_rule_5_4_3
   tags:
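Review bot: The first new task only adds `obscure yescrypt` to pam_unix.so with `state: args_present`, so on hosts already remediated by the removed version of this task the `remember=` argument stays on pam_unix.so next to the new pam_pwhistory.so line, and both modules then enforce history, possibly with different depths once the variable changes. A third pamd task with `state: args_absent` for `remember={{ ubtu22cis_pamd_pwhistory_remember }}` on pam_unix.so would clean that up (it matches the literal argument, so it only catches the value the old task wrote). The second task inserts pam_pwhistory.so with `use_authtok` before pam_unix.so; that presumably relies on a module higher in the stack having already collected the new password, which is worth confirming against the ordering produced by the 5.4.1 task outside this hunk. Minor style: the multi-line single-quoted `module_arguments` values fold to one space-separated string, which a list form (`module_arguments: [obscure, yescrypt]`) states more plainly, and the second task name is missing a space before `| Set`.
```yaml
  block:
    # … unchanged: the two pamd tasks added by this commit …

    - name: "5.4.3 | PATCH | Ensure password reuse is limited | Remove legacy remember= from pam_unix"
      community.general.pamd:
          name: common-password
          type: password
          control: '[success=1 default=ignore]'
          module_path: pam_unix.so
          module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}"
          state: args_absent
```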