
CIS 4.5.1.6 difok regex incorrectly matches any line #120

Conversation

kdebisschop
Contributor

@kdebisschop kdebisschop commented Nov 27, 2023

Overall Review of Changes:
Fixes typo in regex for difok so it no longer matches every line in the file.

As currently written, the regex is '^(#\s+|)difok|' which matches every line. Therefore, if the last line in /etc/security/pwquality.conf is not 'difok = n', a new copy of the difok setting will be inserted.

Issue Fixes:
Please list (using linking) any open issues this PR addresses

Enhancements:
Please list any enhancements/features that are not open issue tickets

How has this been tested?:
Please give an overview of how these changes were tested. If they were not please use N/A

Test file:

$ sudo grep difok /etc/security/pwquality.conf
difok = 5
$ sudo tail -n 5 /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Before fix:

$ ansible-playbook -i inventory.yml -l 'server.example.com' cis-fixes.yml -CD

PLAY [all] *******************************************************************************************************

PLAY [ubuntu] *****************************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *****************************************************************************************************************
changed: [server.example.com]

TASK [UBUNTU20-CIS : 4.5.1.6 | PATCH | Ensure the number of changed characters in a new password is configured] *****************************************************************************************************************
--- before: /etc/security/pwquality.conf (content)
+++ after: /etc/security/pwquality.conf (content)
@@ -77,4 +77,4 @@
dcredit = -1
ucredit = -1
ocredit = -1
-lcredit = -1
+difok = 5
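Review bot: the hunk shows `-lcredit = -1` / `+difok = 5`, i.e. the last line matched by the catch-all regex is replaced rather than a duplicate difok line being appended, so the description above ("a new copy of the difok setting will be inserted") understates the impact: whatever setting happens to sit on the last line of pwquality.conf is silently removed. Worth stating this in the PR description, and when verifying the fix, checking that the setting previously on the last line (here `lcredit = -1`) is still present afterwards.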

changed: [server.example.com]

PLAY RECAP *****************************************************************************************************************
server.example.com : ok=289 changed=2 unreachable=0 failed=0 skipped=315 rescued=0 ignored=0

After fix:

$ ansible-playbook -i inventory.yml -l 'server.example.com' cis-fixes.yml -CD

PLAY [all] *******************************************************************************************************

PLAY [ubuntu] *****************************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *****************************************************************************************************************
changed: [server.example.com]

PLAY RECAP *****************************************************************************************************************
server.example.com : ok=289 changed=1 unreachable=0 failed=0 skipped=315 rescued=0 ignored=0
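The matching defect the PR describes, as an added illustration that is not code from the PR or from the ansible-lockdown role: the trailing `|` in the quoted regex adds an empty alternative, so the pattern matches every line, and an edit that replaces the last match (or appends when nothing matches) overwrites whatever setting is last in the file. The corrected pattern, the edit model and the sample file are assumptions, not the PR's actual change.

```python
import re

# Constructed tail of /etc/security/pwquality.conf, mirroring the "Test file"
# output in the PR: difok is already set earlier in the file.
SAMPLE_CONF = """# Number of characters in the new password that must not be in the old one
difok = 5
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
"""

# Regex quoted in the PR description. The trailing '|' is an empty alternative
# at the top level of the pattern, so re.search() succeeds on every line.
BUGGY_RE = r'^(#\s+|)difok|'
# Assumed corrected pattern (the PR's real diff is not shown on the page):
# drop the trailing '|' so only a difok line, commented out or not, matches.
FIXED_RE = r'^(#\s+|)difok'


def matching_lines(conf: str, pattern: str) -> list:
    """Return the lines of conf that `pattern` matches."""
    return [ln for ln in conf.splitlines() if re.search(pattern, ln)]


def apply_setting(conf: str, pattern: str, line: str) -> str:
    """Model a replace-last-match-or-append edit (assumed behaviour):
    the last line matching `pattern` is replaced by `line`; if no line
    matches, `line` is appended to the file."""
    lines = conf.splitlines()
    hits = [i for i, ln in enumerate(lines) if re.search(pattern, ln)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def dropped_keys(before: str, after: str) -> set:
    """Active 'key = value' settings present before the edit but gone after it;
    a non-empty result means the edit destroyed an unrelated setting."""
    def keys(conf: str) -> set:
        return {m.group(1) for m in re.finditer(r'^\s*(\w+)\s*=', conf, re.M)}
    return keys(before) - keys(after)
```

With `BUGGY_RE` every line matches, so `apply_setting` rewrites the final `lcredit = -1` line to `difok = 5`, exactly the `-lcredit = -1` / `+difok = 5` hunk in the "before fix" run; with `FIXED_RE` only the existing `difok = 5` line matches and the file is left unchanged.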

@uk-bolly uk-bolly merged commit fbc71f0 into ansible-lockdown:devel Dec 11, 2023
4 checks passed
@uk-bolly uk-bolly mentioned this pull request Dec 12, 2023
@kdebisschop kdebisschop deleted the CIS-4_5_1_6-difok-regex-matches-any-line branch January 28, 2024 20:24