ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Task 5.4.3 does not completely implement the settings required by CIS #180

Closed: DianaMariaDDM closed this issue 3 months ago

DianaMariaDDM commented 7 months ago

Describe the Issue: Wrong implementation of the settings required by CIS.

Expected Behavior: CIS clearly states in its assessments that for this rule ("Ensure password reuse is limited") the line "password required pam_pwhistory.so use_authtok remember=5" should be placed directly above the line "password [success=1 default=ignore] pam_unix.so obscure yescrypt" in the "/etc/pam.d/common-password" file.

Actual Behavior: With the current situation, only the line "password [success=1 default=ignore] pam_unix.so obscure" gets edited in the file, by adding remember=5. CIS does not consider this compliant.

Control(s) Affected: 5.4.3 Ensure password reuse is limited

Possible Solution: The solution will be provided in a PR.
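The ordering requirement described in this report can be checked mechanically. The script below is an added example written for this page; it is not part of the ansible-lockdown/UBUNTU22-CIS role and not the reporter's PR. It parses the `password` stack of a common-password file and reports compliant only when a `password required pam_pwhistory.so ... use_authtok remember=N` line (N >= 5, the minimum is an assumed constant here) sits directly above the `pam_unix.so` line; a `remember=5` placed only on the `pam_unix.so` line, which is what the report says the role currently produces, is reported as non-compliant. The two sample files are constructed for the example, not copied from a real host.

```python
"""Audit /etc/pam.d/common-password for CIS 5.4.3 (password reuse is limited).

Added example, not code from the UBUNTU22-CIS role. It encodes the ordering
rule quoted in the issue: a `password required pam_pwhistory.so ... remember=N`
line (N >= MIN_REMEMBER) must be the password line directly above
`password [success=1 default=ignore] pam_unix.so ...`.
"""
import re
from typing import List, Optional, Tuple

MIN_REMEMBER = 5  # assumed benchmark minimum for this example

# Control field may be a bracketed list with spaces: [success=1 default=ignore]
_PASSWORD_LINE = re.compile(r"^password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def _password_stack(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (control, module, args) for each active `password` line, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PASSWORD_LINE.match(line)
        if m:
            stack.append((m.group(1), m.group(2), m.group(3).split()))
    return stack


def _remember_value(args: List[str]) -> Optional[int]:
    """Extract N from a remember=N module argument, or None if absent/invalid."""
    for a in args:
        if a.startswith("remember="):
            try:
                return int(a.split("=", 1)[1])
            except ValueError:
                return None
    return None


def audit_password_reuse(text: str) -> Tuple[bool, str]:
    """Check pam_pwhistory placement relative to pam_unix; returns (compliant, reason)."""
    stack = _password_stack(text)
    unix_idx = next((i for i, (_, mod, _) in enumerate(stack) if mod == "pam_unix.so"), None)
    if unix_idx is None:
        return False, "no password pam_unix.so line found"
    if unix_idx == 0:
        return False, "pam_unix.so is the first password line; nothing precedes it"
    control, module, args = stack[unix_idx - 1]
    if module != "pam_pwhistory.so":
        return False, f"line directly above pam_unix.so is {module}, not pam_pwhistory.so"
    if control != "required":
        return False, f"pam_pwhistory.so control is {control}, expected required"
    remember = _remember_value(args)
    if remember is None or remember < MIN_REMEMBER:
        return False, f"pam_pwhistory.so remember={remember}, need >= {MIN_REMEMBER}"
    if "use_authtok" not in args:
        return False, "pam_pwhistory.so is missing use_authtok"
    return True, "pam_pwhistory.so required use_authtok remember>=5 sits directly above pam_unix.so"


# Constructed sample: what the issue says the role produces (remember=5 on pam_unix only).
BEFORE = """\
# /etc/pam.d/common-password - constructed sample, non-compliant
password\trequisite\t\t\tpam_pwquality.so retry=3
password\t[success=1 default=ignore]\tpam_unix.so obscure yescrypt remember=5
password\trequisite\t\t\tpam_deny.so
password\trequired\t\t\tpam_permit.so
"""

# Constructed sample: the layout the benchmark text quoted in the issue asks for.
AFTER = """\
# /etc/pam.d/common-password - constructed sample, compliant
password\trequisite\t\t\tpam_pwquality.so retry=3
password\trequired\t\t\tpam_pwhistory.so use_authtok remember=5
password\t[success=1 default=ignore]\tpam_unix.so obscure yescrypt
password\trequisite\t\t\tpam_deny.so
password\trequired\t\t\tpam_permit.so
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        ok, why = audit_password_reuse(sample)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {why}")
```

To run it against a live host, read `/etc/pam.d/common-password` and pass its contents to `audit_password_reuse`. The check deliberately looks only at the line immediately preceding `pam_unix.so`, because that adjacency is the point the report makes; a `pam_pwhistory.so` line elsewhere in the stack still fails.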

uk-bolly commented 7 months ago

hi @DianaMariaDDM

Thank you for taking the time to raise this issue and the related PR. I have been looking for the configuration you are referring to. While we are aware it needs the pwhistory library added, this is not shown in the remediation steps in the downloaded PDF of the benchmark for release 1.0.0; the artifact 5.4.3.1 is only available in the online version. Looking at the online version of the same document, it mentions the configurations you have described and the pwhistory library. We will investigate this issue further and look to get the PR approved asap.

many thanks

uk-bolly

uk-bolly commented 3 months ago

I believe that this issue has been addressed and the fix merged? I will close this issue; please feel free to reopen it or raise a new one if this particular problem still exists.

Many thanks

uk-bolly