From fd5c2f609aef9819eb77c3ed2f68fd0d46d8c776 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 28 Jan 2025 22:05:54 +0200
Subject: [PATCH 1/5] Add ansible remediation for ensure_shadow_group_empty
---
 .../ensure_shadow_group_empty/ansible/shared.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
new file mode 100644
index 00000000000..09409646424
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
@@ -0,0 +1,5 @@
+# platform = multi_platform_all
+
+- name: Ensure interactive local users are the owners of their respective initialization files
+ ansible.builtin.shell:
+ cmd: sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group
\ No newline at end of file
From 12e86c5784d2ebfd974a98735e0d56792b086b36 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 28 Jan 2025 22:24:49 +0200
Subject: [PATCH 2/5] Make sure accounts_passwords_pam_tally2_deny_root rule doesn't conflict with accounts_passwords_pam_tally2
---
 .../accounts_passwords_pam_tally2_deny_root/ansible/shared.yml | 3 +--
 .../accounts_passwords_pam_tally2_deny_root/bash/shared.sh | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)
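Review bot: The task name `Ensure interactive local users are the owners of their respective initialization files` does not describe what the task does — the sed clears the member field of the `shadow:` line in /etc/group, which is what the rule id ensure_shadow_group_empty asks for — and reads as copied from another rule. The task name is what appears in Ansible run output and remediation reports, so a change to the membership of a sensitive group would be logged under an unrelated description; the same line survives as context in the @@ -1,5 +1,8 @@ hunk of PATCH 4/5 and in PATCH 5/5. Suggest `- name: Ensure the shadow group has no members`, plus a short comment above the task stating the intent, e.g. `# Clear the member list of the shadow group; membership can grant read access to /etc/shadow on distributions where that file is group-owned by shadow`.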
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
index ad38727f894..0c2977f9e9e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
@@ -5,7 +5,6 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_password_pam_tally2") }}}
-{{{ ansible_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'deny', "{{ var_password_pam_tally2 }}", '') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
+{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
\ No newline at end of file
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
index 4d5ef2de9a9..82db5148f8c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
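Review bot: With the `ansible_remove_pam_module_option(..., 'onerr=fail')` call gone, nothing in this file records that `onerr=fail` on pam_tally2.so is deliberately left alone, so a later edit can reintroduce the removal and restore the back-and-forth with accounts_passwords_pam_tally2 that the subject line describes. Suggest a comment above the macro calls, e.g. `# onerr=fail on pam_tally2.so is left to accounts_passwords_pam_tally2; this rule only manages deny and even_deny_root` — assuming, as the subject implies, that the other rule is the one setting it. The bash hunk of this same commit (@@ -5,7 +5,6 @@ in bash/shared.sh) drops the matching `bash_remove_pam_module_option` line and would benefit from the same comment.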
@@ -5,7 +5,6 @@
 # disruption = low
 {{{ bash_instantiate_variables("var_password_pam_tally2") }}}
-{{{ bash_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'deny', "${var_password_pam_tally2}", '') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
From 78e6eb8c1ad7c41e6eb1169e869f555450777d6e Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 28 Jan 2025 22:26:07 +0200
Subject: [PATCH 3/5] Add multi_platform_sle support in ansible remediation for chronyd_run_as_chrony_user
---
 .../services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
index c48f7fe92dd..094a26d62f4 100644
--- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
+++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_slmicro
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = configure
 # complexity = low
From 9e95276c6f8d0e98f4fa226f66e705a5323176f3 Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Wed, 29 Jan 2025 00:55:24 +0200
Subject: [PATCH 4/5] Fix file endings and fix ansible
- fix EOF warngins
- replace executing of bash command from ansible with more standard approach using lineinfile
Thanks to @Mab879 for the notes :bow:
---
 .../ansible/shared.yml | 2 +-
 .../ensure_shadow_group_empty/ansible/shared.yml | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
index 0c2977f9e9e..c1c609abb1b 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
@@ -7,4 +7,4 @@
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'deny', "{{ var_password_pam_tally2 }}", '') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
\ No newline at end of file
+{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
index 09409646424..d18e83ee41c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
@@ -1,5 +1,8 @@
 # platform = multi_platform_all
 - name: Ensure interactive local users are the owners of their respective initialization files
- ansible.builtin.shell:
- cmd: sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group
\ No newline at end of file
+ ansible.builtin.lineinfile:
+ dest: /etc/group
+ backrefs: yes
+ regexp: '(^shadow:[^:]*:[^:]*:)([^:]+$)'
+ line: '\1'
From bfcec76cf6764d954533a4e28d784029ea3fc0cf Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Wed, 29 Jan 2025 07:17:28 +0200
Subject: [PATCH 5/5] Add ansible header
---
 .../ensure_shadow_group_empty/ansible/shared.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
index d18e83ee41c..c4386325013 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/ansible/shared.yml
@@ -1,4 +1,8 @@
 # platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = restrict
+# disruption = medium
 - name: Ensure interactive local users are the owners of their respective initialization files
 ansible.builtin.lineinfile:
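Review bot: `dest: /etc/group` in the new lineinfile task uses the module's legacy alias; the documented parameter name is `path`, so `path: /etc/group` is the clearer spelling (style point, behaviour is the same). The `backrefs: yes` / `line: '\1'` pairing is what keeps the task idempotent — as documented for backrefs, when the regexp does not match because the member field is already empty, lineinfile leaves the file untouched instead of appending a line — and that deserves a one-line comment, e.g. `# backrefs: rewrite the shadow line only when it currently lists members; otherwise the file is left unchanged`. Writing the flag as `backrefs: true` rather than `yes` also avoids the yamllint/ansible-lint truthy warning.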