From fecfb7e79384aaf4caeaf3c4a7cc078e30bad690 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 30 Jan 2025 12:40:52 +0000
Subject: [PATCH] addressed issue #282

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.3.3.3.x.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
index 8fe6036..9daf71a 100644
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -69,7 +69,7 @@
 - pam
 block:
 - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
- ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
+ ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
 register: discovered_pwhistory_use_authtok
 changed_when: false
 failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
@@ -81,9 +81,9 @@
 - rhel9cis_disruption_high
 ansible.builtin.lineinfile:
 path: "{{ item }}"
- regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
- line: '\1\2 use_authtok'
- backrefs: true
+ regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok)
+ line: password required pam_pwhistory.so use_authtok
+ insertbefore: ^password.*pam_deny.so
 loop:
 - /etc/pam.d/password-auth
 - /etc/pam.d/system-auth
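Review bot: The new `regexp` in the second hunk cannot match a real pam_pwhistory entry: `^password\s*pam_pwhistory\.so` allows only whitespace between the type and the module, but every PAM line carries a control field (`required`, `requisite`, `[success=…]`) there, so the regexp never matches, lineinfile falls through to `insertbefore`, and a second `pam_pwhistory.so` line is added before `pam_deny.so` while the existing entry is left without `use_authtok`. Even where it did match, the fixed `line` would discard any options already on that entry (a `remember=` value, for instance) and hard-code the control to `required`. Keeping the backreference form but with escapes Python's `re` accepts (the removed line's `\h` is PCRE-only, which is presumably what #282 hit) avoids both problems: `regexp: '^(\s*password\s+(?:\[[^\]]*\]|\S+)\s+pam_pwhistory\.so)(?!.*\buse_authtok\b)(.*)$'`, `line: '\1\2 use_authtok'`, `backrefs: true` in place of `insertbefore`. Single-quoting the regex also keeps the plain scalar safe from YAML indicators such as `!` or `#`. The enclosing task, including any `when:` gate tied to the audit result, starts outside the hunk.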