Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafte…

…r-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/69! Signed-off-by: Diana-Maria Dumitru <[email protected]>
ansible-lockdown · Nov 22, 2023 · 973ef95 · 973ef95
1 parent 3461d49
commit 973ef95
Showing 1 changed file with 24 additions and 8 deletions.
diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
@@ -106,14 +106,30 @@
       - pam
       - notimplemented
 
-- name: 5.4.3 | PATCH | Ensure password reuse is limited"
-  community.general.pamd:
-      name: common-password
-      type: password
-      control: '[success=1 default=ignore]'
-      module_path: pam_unix.so
-      module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}"
-      state: args_present
+- name: "5.4.3 | PATCH | Ensure password reuse is limited"
+  block:
+      - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" 
+        community.general.pamd:
+            name: common-password
+            type: password
+            control: '[success=1 default=ignore]'
+            module_path: pam_unix.so
+            module_arguments: 'obscure
+                yescrypt'
+            state: args_present
+
+      - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" 
+        community.general.pamd:
+            name: common-password
+            type: password
+            control: '[success=1 default=ignore]'
+            module_path: pam_unix.so
+            new_type: password
+            new_module_path: pam_pwhistory.so
+            new_control: required
+            module_arguments: 'use_authtok 
+                remember={{ ubtu22cis_pamd_pwhistory_remember }}'
+            state: before
   when:
       - ubtu22cis_rule_5_4_3
   tags: