Merge "Configure pam_faildelay on Ubuntu"

2017-02-03 10:29:25 +00:00 · 2017-02-03 10:29:25 +00:00 · 1ff2d1b4aa
commit 1ff2d1b4aa
parent 91a5c64c8e c15d75ecf4
2 changed files with 24 additions and 0 deletions
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -79,6 +79,7 @@
    state: present
  when:
    - item.value != ''
+    - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
  with_items: "{{ shadow_utils_rhel7 }}"
  tags:
    - auth
@ -90,6 +91,23 @@
    - RHEL-07-020230
    - RHEL-07-020630

+# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
+# microseconds.
+- name: Set pam_faildelay configuration on Ubuntu
+  lineinfile:
+    dest: /etc/pam.d/login
+    regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
+    line: '\1 delay={{ security_shadow_utils_fail_delay * 10**6 }}'
+    state: present
+    backrefs: yes
+  when:
+    - security_shadow_utils_fail_delay is defined
+    - ansible_os_family | lower == 'debian'
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010420
+
 - name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
  ini_file:
    dest: /etc/libuser.conf
--- a/vars/common.yml
+++ b/vars/common.yml
@ -287,21 +287,27 @@ shadow_utils_rhel7:
  - parameter: ENCRYPT_METHOD
    value: "{{ security_password_encrypt_method | default('') }}"
    stig_id: RHEL-07-010180
+    ansible_os_family: all
  - parameter: PASS_MIN_DAYS
    value: "{{ security_password_min_lifetime_days | default('') }}"
    stig_id: RHEL-07-010200
+    ansible_os_family: all
  - parameter: PASS_MAX_DAYS
    value: "{{ security_password_max_lifetime_days | default('') }}"
    stig_id: RHEL-07-010220
+    ansible_os_family: all
  - parameter: FAIL_DELAY
    value: "{{ security_shadow_utils_fail_delay | default('') }}"
    stig_id: RHEL-07-010420
+    ansible_os_family: RedHat
  - parameter: UMASK
    value: "{{ security_shadow_utils_umask | default('') }}"
    stig_id: RHEL-07-020230
+    ansible_os_family: all
  - parameter: CREATE_HOME
    value: "{{ security_shadow_utils_create_home | default('') }}"
    stig_id: RHEL-07-020630
+    ansible_os_family: all

 ## sysctl settings
 # This variable is used in main/rhel7stig/kernel.yml to set sysctl