Updated tasks/main.yml

RedHatOfficial · Dec 10, 2021 · 5f1148c · 5f1148c
1 parent bb1d848
commit 5f1148c
Showing 1 changed file with 57 additions and 2 deletions.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1380,6 +1380,60 @@
   - medium_severity
   - no_reboot_needed
 
+- name: Do not allow users to reuse recent passwords - system-auth (change)
+  replace:
+    dest: /etc/pam.d/system-auth
+    regexp: ^(password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s.*remember\s*=\s*)(\S+)(.*)$
+    replace: \g<1>{{ var_password_pam_unix_remember }}\g<3>
+  when:
+  - accounts_password_pam_unix_remember | bool
+  - configure_strategy | bool
+  - low_complexity | bool
+  - medium_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"pam" in ansible_facts.packages'
+  tags:
+  - CCE-80666-1
+  - CJIS-5.6.2.1.1
+  - NIST-800-171-3.5.8
+  - NIST-800-53-IA-5(1)(e)
+  - NIST-800-53-IA-5(f)
+  - PCI-DSS-Req-8.2.5
+  - accounts_password_pam_unix_remember
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+
+- name: Do not allow users to reuse recent passwords - system-auth (add)
+  replace:
+    dest: /etc/pam.d/system-auth
+    regexp: ^password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s(?!.*remember\s*=\s*).*$
+    replace: \g<0> remember={{ var_password_pam_unix_remember }}
+  when:
+  - accounts_password_pam_unix_remember | bool
+  - configure_strategy | bool
+  - low_complexity | bool
+  - medium_disruption | bool
+  - medium_severity | bool
+  - no_reboot_needed | bool
+  - '"pam" in ansible_facts.packages'
+  tags:
+  - CCE-80666-1
+  - CJIS-5.6.2.1.1
+  - NIST-800-171-3.5.8
+  - NIST-800-53-IA-5(1)(e)
+  - NIST-800-53-IA-5(f)
+  - PCI-DSS-Req-8.2.5
+  - accounts_password_pam_unix_remember
+  - configure_strategy
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+
 - name: Gather the package facts
   package_facts:
     manager: auto
@@ -6787,6 +6841,7 @@
   tags:
   - CCE-81054-9
   - DISA-STIG-RHEL-08-010376
+  - NIST-800-53-AC-6
   - disable_strategy
   - low_complexity
   - medium_disruption
@@ -6857,6 +6912,7 @@
   tags:
   - CCE-80953-3
   - DISA-STIG-RHEL-08-040282
+  - NIST-800-53-SC-7(10)
   - disable_strategy
   - low_complexity
   - medium_disruption
@@ -7839,7 +7895,7 @@
 - name: Set permissions for /etc/ssh/ file(s)
   file:
     path: '{{ item.path }}'
-    mode: '0640'
+    mode: '0600'
   with_items:
   - '{{ files_found.files }}'
   when:
@@ -7906,7 +7962,6 @@
   - DISA-STIG-RHEL-08-010550
   - NIST-800-171-3.1.1
   - NIST-800-171-3.1.5
-  - NIST-800-53-
   - NIST-800-53-AC-17(a)
   - NIST-800-53-AC-6(2)
   - NIST-800-53-CM-6(a)