Merge pull request #98 from siemens/siemens/ubuntu22/r5_4_3-pam_d-pas…
…sword_reuse_limited

fix(R5.4.3). Correct regexes so that they match
uk-bolly authored Sep 25, 2023
2 parents adc7620 + a463905 commit 083f9f7
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions tasks/section_5/cis_5.4.x.yml
@@ -113,8 +113,8 @@
- name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does exist"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^(password\s*\[success=1 default=ignore\] pam_unix.so)(.*)(remember=([0-9]{1,})|)(.*$)'
line: '\g<1>\g<2>\g<3> remember={{ ubtu22cis_pamd_pwhistory_remember }}'
regexp: '^(?P<begin>[^\S\n]*password[^\S\n]+.*pam_unix.so[^\S\n]+)(?P<remember>(?P<before>.+?)remember=[0-9]+[^\S\n]?)?(?P<after>.*)$'
line: '\g<begin>\g<before>remember={{ ubtu22cis_pamd_pwhistory_remember }} \g<after>'
backrefs: true
when:
- ubtu22cis_5_4_3_pam_unix_state.stdout | length > 0
@@ -123,7 +123,7 @@
- name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does not exist"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^password\s*\[success=1 default=ignore\] pam_unix.*'
regexp: '^password.+pam_unix.so.*'
line: 'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember={{ ubtu22cis_pamd_pwhistory_remember }}'
insertafter: '^# end of pam-auth-update config'
when: ubtu22cis_5_4_3_pam_unix_state.stdout | length == 0
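Review bot: The named-group `regexp` in the first 5.4.3 task does not recognise a `remember=` that follows `pam_unix.so` after a single whitespace character, because `(?P<before>.+?)` needs at least one character in front of it, and that is exactly the layout the task's own `line` writes when the option was absent. On the next run the optional group is skipped, the existing token lands in `after`, and the line ends up with two `remember=` entries; a later change of `ubtu22cis_pamd_pwhistory_remember` would then update only the second and leave a stale value in the file, which makes the CIS 5.4.3 audit ambiguous. Changing the quantifier to `(?P<before>.*?)` keeps the replacement idempotent. This assumes the `ubtu22cis_5_4_3_pam_unix_state` check registered outside the hunk does not already exclude lines that carry `remember=`; separately, the mandatory `[^\S\n]+` after `pam_unix.so` means a line with no options after the module name is silently left unchanged under `backrefs: true`.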