openstack/ansible-hardening
Code Issues Proposed changes

Merge "Configure pam_faildelay on Ubuntu"

Browse Source
This commit is contained in:
Jenkins 2017-02-03 10:29:25 +00:00 committed by Gerrit Code Review
commit 1ff2d1b4aa
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
tasks/rhel7stig/auth.yml
View File

@ -79,6 +79,7 @@
state: present state: present
when: when:
- item.value != '' - item.value != ''
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
with_items: "{{ shadow_utils_rhel7 }}" with_items: "{{ shadow_utils_rhel7 }}"
tags: tags:
- auth - auth
@ -90,6 +91,23 @@
- RHEL-07-020230 - RHEL-07-020230
- RHEL-07-020630 - RHEL-07-020630
# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
# microseconds.
- name: Set pam_faildelay configuration on Ubuntu
lineinfile:
dest: /etc/pam.d/login
regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
line: '\1 delay={{ security_shadow_utils_fail_delay * 10**6 }}'
state: present
backrefs: yes
when:
- security_shadow_utils_fail_delay is defined
- ansible_os_family | lower == 'debian'
tags:
- auth
- medium
- RHEL-07-010420
- name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords. - name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
ini_file: ini_file:
dest: /etc/libuser.conf dest: /etc/libuser.conf

6
vars/common.yml
View File

@ -287,21 +287,27 @@ shadow_utils_rhel7:
- parameter: ENCRYPT_METHOD - parameter: ENCRYPT_METHOD
value: "{{ security_password_encrypt_method | default('') }}" value: "{{ security_password_encrypt_method | default('') }}"
stig_id: RHEL-07-010180 stig_id: RHEL-07-010180
ansible_os_family: all
- parameter: PASS_MIN_DAYS - parameter: PASS_MIN_DAYS
value: "{{ security_password_min_lifetime_days | default('') }}" value: "{{ security_password_min_lifetime_days | default('') }}"
stig_id: RHEL-07-010200 stig_id: RHEL-07-010200
ansible_os_family: all
- parameter: PASS_MAX_DAYS - parameter: PASS_MAX_DAYS
value: "{{ security_password_max_lifetime_days | default('') }}" value: "{{ security_password_max_lifetime_days | default('') }}"
stig_id: RHEL-07-010220 stig_id: RHEL-07-010220
ansible_os_family: all
- parameter: FAIL_DELAY - parameter: FAIL_DELAY
value: "{{ security_shadow_utils_fail_delay | default('') }}" value: "{{ security_shadow_utils_fail_delay | default('') }}"
stig_id: RHEL-07-010420 stig_id: RHEL-07-010420
ansible_os_family: RedHat
- parameter: UMASK - parameter: UMASK
value: "{{ security_shadow_utils_umask | default('') }}" value: "{{ security_shadow_utils_umask | default('') }}"
stig_id: RHEL-07-020230 stig_id: RHEL-07-020230
ansible_os_family: all
- parameter: CREATE_HOME - parameter: CREATE_HOME
value: "{{ security_shadow_utils_create_home | default('') }}" value: "{{ security_shadow_utils_create_home | default('') }}"
stig_id: RHEL-07-020630 stig_id: RHEL-07-020630
ansible_os_family: all
## sysctl settings ## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl # This variable is used in main/rhel7stig/kernel.yml to set sysctl