fix(R5.4.3). Correct regexes so that they match
- The previous regex requires exactly *one* space between
    `default=ignore]` and `pam_unix.so`, which on a default OS installation never matches; this is now fixed.
- The `.*` in `(.*)(remember=([0-9]{1,})|)` was greedy, which means that
    everything after it never matches.
- I name the groups now, which is easier than the numbers.
- I took care that when inserting a non-existing `remember=` there is at least one space before and after it.
- At the same time I make sure that an additional
    space is *not* added on replacement on every run, so that the line is *not* endlessly
    growing.
- The `ansible.builtin.shell: grep 'password.*pam_unix.so' /etc/pam.d/common-password` does not require
    the `[success=1 default=ignore]`, but the lineinfile regexes did,
    which would mean that the grep regex matches but the later lineinfile regexes do not ⇒
    I updated them so that none requires the `[success=1 default=ignore]` but
    still preserves it.

Signed-off-by: Fabian Raab <[email protected]>
raabf committed Sep 15, 2023
1 parent 50713b6 commit a463905
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions tasks/section_5/cis_5.4.x.yml
@@ -113,8 +113,8 @@
- name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does exist"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^(password\s*\[success=1 default=ignore\] pam_unix.so)(.*)(remember=([0-9]{1,})|)(.*$)'
line: '\g<1>\g<2>\g<3> remember={{ ubtu22cis_pamd_pwhistory_remember }}'
regexp: '^(?P<begin>[^\S\n]*password[^\S\n]+.*pam_unix.so[^\S\n]+)(?P<remember>(?P<before>.+?)remember=[0-9]+[^\S\n]?)?(?P<after>.*)$'
line: '\g<begin>\g<before>remember={{ ubtu22cis_pamd_pwhistory_remember }} \g<after>'
backrefs: true
when:
- ubtu22cis_5_4_3_pam_unix_state.stdout | length > 0
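Review bot: the new `regexp` is not idempotent on a line where `remember=` directly follows `pam_unix.so` with a single space, which is exactly what the `line` template produces: `(?P<before>.+?)` needs at least one character, but `\g<begin>` has already consumed the only whitespace after `pam_unix.so`, so the optional `remember` group cannot match, the existing `remember=N` ends up in `\g<after>`, and the replacement writes `remember={{ ubtu22cis_pamd_pwhistory_remember }} remember=N ...`, growing the line on every run. Change the group to `(?P<before>.*?)` so an empty prefix is allowed. Two smaller points: `pam_unix.so` has an unescaped `.` (use `pam_unix\.so`), and the `[^\S\n]+` after it means a module line with no options and no trailing whitespace does not match at all, in which case lineinfile with `backrefs: true` leaves the file untouched even though the `when` condition says the line exists.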
@@ -123,7 +123,7 @@
- name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does not exist"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^password\s*\[success=1 default=ignore\] pam_unix.*'
regexp: '^password.+pam_unix.so.*'
line: 'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass remember={{ ubtu22cis_pamd_pwhistory_remember }}'
insertafter: '^# end of pam-auth-update config'
when: ubtu22cis_5_4_3_pam_unix_state.stdout | length == 0
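Review bot: the `.` in `pam_unix.so` is unescaped here as it was in the removed pattern; `'^password.+pam_unix\.so.*'` says what is meant. Beyond that, because the task only runs when the grep found no `pam_unix.so` line, this `regexp` never selects a line to replace and `insertafter` alone decides placement, so dropping the `[success=1 default=ignore]` requirement from the pattern is harmless and consistent with the grep described in the commit message; the inserted `line` still hard-codes that control field, which is fine for a fresh line but deserves a comment so that nobody later widens the `when` and has this task overwrite an existing line with a different control field.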