Merge pull request #12921 from teacup-on-rockingchair/sle15_cis_patches

Some small patches for SLE15 CIS related remediations
ComplianceAsCode · Jan 29, 2025 · 1bd83d3 · 1bd83d3
2 parents 95eed20 + bfcec76
commit 1bd83d3
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 3 deletions.
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_slmicro
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = configure
 # complexity = low

diff --git a/.../locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml b/.../locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
@@ -5,7 +5,6 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_password_pam_tally2")  }}}
 
-{{{ ansible_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'deny', "{{ var_password_pam_tally2 }}", '') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/...-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh b/...-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
@@ -5,7 +5,6 @@
 # disruption = low
 {{{ bash_instantiate_variables("var_password_pam_tally2") }}}
 
-{{{ bash_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'deny', "${var_password_pam_tally2}", '') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/...nts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml b/...nts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = restrict
+# disruption = medium
+
+- name: Ensure interactive local users are the owners of their respective initialization files
+  ansible.builtin.lineinfile:
+    dest: /etc/group
+    backrefs: yes
+    regexp: '(^shadow:[^:]*:[^:]*:)([^:]+$)'
+    line: '\1'