From 9b3ea39df49f37824a90dd4d84702811b7553a9e Mon Sep 17 00:00:00 2001
From: codejubilee
Date: Mon, 12 Apr 2021 21:40:57 +0000
Subject: [PATCH] Added pam_auth_password to nullok check
Change-Id: I692241ce21e8bd8912b8d1ff5a261ae10d7da1f2
---
 tasks/rhel7stig/auth.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 4f6f8855..6a085041 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -48,15 +48,13 @@
 - name: Prevent users with blank or null passwords from authenticating (Red Hat)
 lineinfile:
- dest: "{{ pam_auth_file }}"
+ dest: "{{ item[1] }}"
 state: present
- regexp: "^({{ item }}.*sufficient.*)nullok(.*)$"
+ regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$"
 line: '\1\2'
 backup: yes
 backrefs: yes
- with_items:
- auth
- password
+ loop: "{{ ['auth', 'password'] |product(['{{ pam_auth_file }}', '{{ pam_password_file }}'])|list }}"
 when:
 - ansible_facts['os_family'] == 'RedHat'
 - security_disallow_blank_password_login | bool
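Review bot: The new `loop:` expression nests `{{ pam_auth_file }}` and `{{ pam_password_file }}` as quoted strings inside an outer `{{ … }}`, so the product is built from literal text rather than from the variables; whether `dest: "{{ item[1] }}"` later resolves to a real path depends on Ansible re-templating the loop item, which should not be relied on. Reference the variables directly instead: `loop: "{{ ['auth', 'password'] | product([pam_auth_file, pam_password_file]) | list }}"`. Because this task is what strips `nullok` from the PAM configuration, a `dest` that fails to resolve would leave blank-password authentication enabled, so it is worth confirming on a test host that no `nullok` remains in either file after the run. `pam_password_file` is not defined in this hunk; presumably it is set alongside `pam_auth_file` elsewhere in the role.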