From c15d75ecf43efc5d61bbb0199aed3aee08c685a9 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Mon, 30 Jan 2017 13:14:39 -0600 Subject: [PATCH] Configure pam_faildelay on Ubuntu As noted in the bug, Ubuntu 16.04 doesn't use FAIL_DELAY in `/etc/login.defs` as CentOS 7 does. This patch ensures that `pam_faildelay` is properly configured on Xenial. Closes-Bug: 1659120 Change-Id: I9ff9f45c0c5bdd749c9491431e2dcb8836587e78 --- tasks/rhel7stig/auth.yml | 18 ++++++++++++++++++ vars/common.yml | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index d6a18a65..2468c4b7 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -79,6 +79,7 @@ state: present when: - item.value != '' + - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family with_items: "{{ shadow_utils_rhel7 }}" tags: - auth @@ -90,6 +91,23 @@ - RHEL-07-020230 - RHEL-07-020630 +# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in +# microseconds. +- name: Set pam_faildelay configuration on Ubuntu + lineinfile: + dest: /etc/pam.d/login + regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$' + line: '\1 delay={{ security_shadow_utils_fail_delay * 10**6 }}' + state: present + backrefs: yes + when: + - security_shadow_utils_fail_delay is defined + - ansible_os_family | lower == 'debian' + tags: + - auth + - medium + - RHEL-07-010420 + - name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords. ini_file: dest: /etc/libuser.conf diff --git a/vars/common.yml b/vars/common.yml index 3dcba6d9..6935e8d0 100644 --- a/vars/common.yml +++ b/vars/common.yml 
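Review bot: The new `when` clause in the `@@ -79,6 +79,7 @@` hunk dereferences `item.ansible_os_family` unconditionally, so any `shadow_utils_rhel7` entry that lacks the key (one added later, or a host override of the list) makes the whole task fail with an undefined attribute rather than falling back to the previous apply-everywhere behaviour; `- item.ansible_os_family | default('all') == 'all' or item.ansible_os_family == ansible_os_family` keeps the fail-safe default. The comparison is also case-sensitive against the raw fact (`RedHat`) while the Debian check added further down normalises with `| lower`, so the two branches of the same feature use different matching rules and a value typed as `redhat` in the vars list would silently never match. The enclosing task (its `name:` and `lineinfile:` lines) starts above the hunk.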
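Review bot: `{{ security_shadow_utils_fail_delay * 10**6 }}` in the pam_faildelay task applies Jinja `*` to whatever type the variable arrives as, and a value passed from the CLI or an inventory string (`-e security_shadow_utils_fail_delay=4`) is a string, for which `*` is repetition and writes a million-character `delay=` argument instead of `4000000`; coerce first: `line: '\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}'`. With `backrefs: yes`, `lineinfile` is a no-op when no `auth optional pam_faildelay.so` line exists in `/etc/pam.d/login` (commented out or removed by a local admin), so the delay is silently not enforced on such hosts; consider registering the result and failing, or a separate check task, when no line was changed and the expected setting is absent. Only `/etc/pam.d/login` is edited, and I believe services with their own PAM stack (sshd) do not read it, so the delay likely covers console logins only — worth confirming that matches the intended scope of RHEL-07-010420 on Ubuntu. Minor: `backrefs: yes` should be the canonical `backrefs: true`.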
@@ -287,21 +287,27 @@ shadow_utils_rhel7: - parameter: ENCRYPT_METHOD value: "{{ security_password_encrypt_method | default('') }}" stig_id: RHEL-07-010180 + ansible_os_family: all - parameter: PASS_MIN_DAYS value: "{{ security_password_min_lifetime_days | default('') }}" stig_id: RHEL-07-010200 + ansible_os_family: all - parameter: PASS_MAX_DAYS value: "{{ security_password_max_lifetime_days | default('') }}" stig_id: RHEL-07-010220 + ansible_os_family: all - parameter: FAIL_DELAY value: "{{ security_shadow_utils_fail_delay | default('') }}" stig_id: RHEL-07-010420 + ansible_os_family: RedHat - parameter: UMASK value: "{{ security_shadow_utils_umask | default('') }}" stig_id: RHEL-07-020230 + ansible_os_family: all - parameter: CREATE_HOME value: "{{ security_shadow_utils_create_home | default('') }}" stig_id: RHEL-07-020630 + ansible_os_family: all ## sysctl settings # This variable is used in main/rhel7stig/kernel.yml to set sysctl
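Review bot: The new `ansible_os_family` key on each `shadow_utils_rhel7` entry is undocumented, and `all` is a sentinel that does not correspond to any real fact value, so a reader of the vars file cannot tell from this hunk what the accepted values are or why only `FAIL_DELAY` is restricted; a comment above the FAIL_DELAY entry such as `# ansible_os_family is 'all' or an exact ansible_os_family fact value (e.g. 'RedHat'); the line is skipped on other families. FAIL_DELAY is RedHat-only because Debian-family hosts get the delay via pam_faildelay in tasks/rhel7stig/auth.yml.` would make the intent explicit. As far as I can see, a host whose family is neither RedHat nor Debian now gets neither `FAIL_DELAY` nor the pam_faildelay line, so the control is silently unenforced there — fine if those platforms are unsupported, but worth stating in the comment. The list header `shadow_utils_rhel7:` sits just above the hunk.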