85 lines
2.9 KiB
YAML
85 lines
2.9 KiB
YAML
---
|
|
- name: Install latest libpam-modules
|
|
apt:
|
|
name: libpam-modules
|
|
state: latest
|
|
update_cache: yes
|
|
|
|
- name: Install PAM module to perform password quality checking
|
|
package:
|
|
name: libpam-pwquality
|
|
state: present
|
|
|
|
- name: Ensure password creation requirements are configured
|
|
lineinfile:
|
|
state: present
|
|
path: /etc/security/pwquality.conf
|
|
regexp: '^{{ item.key }}'
|
|
line: '{{ item.key }} = {{ item.value }}'
|
|
with_items:
|
|
- { key: 'minlen', value: '14' }
|
|
- { key: 'minclass', value: '4' }
|
|
|
|
- name: 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
|
|
block:
|
|
- name: Add key value pairs in faillock config
|
|
lineinfile:
|
|
state: present
|
|
path: /etc/security/faillock.conf
|
|
regexp: '^{{ item.key }}'
|
|
line: '{{ item.key }} = {{ item.value }}'
|
|
with_items:
|
|
- { key: 'deny', value: '{{ pam_faillock.attempts }}' }
|
|
- { key: 'unlock_time', value: '{{ pam_faillock.unlock_time }}' }
|
|
- { key: 'fail_interval', value: '{{ pam_faillock.fail_interval }}' }
|
|
|
|
- name: Add fail_for_root setting in faillock config
|
|
lineinfile:
|
|
state: present
|
|
path: /etc/security/faillock.conf
|
|
regexp: '^even_deny_root'
|
|
line: "{{ pam_faillock.fail_for_root | ternary('even_deny_root','') }}"
|
|
|
|
- name: Add default, deny count, and unlock times for preauth
|
|
lineinfile:
|
|
path: /etc/pam.d/common-auth
|
|
state: present
|
|
line: "auth\trequired\tpam_faillock.so preauth audit silent"
|
|
insertafter: '^#?auth ?'
|
|
|
|
- name: Add success and default settings to pam_unix.so
|
|
lineinfile:
|
|
path: /etc/pam.d/common-auth
|
|
state: present
|
|
line: "auth\t[success=1 default=bad]\tpam_unix.so"
|
|
insertafter: '^#?auth ?'
|
|
backup: yes
|
|
|
|
- name: Add default, deny count, and unlock times for authfail
|
|
lineinfile:
|
|
path: /etc/pam.d/common-auth
|
|
state: present
|
|
line: "auth\t[default=die]\tpam_faillock.so authfail audit"
|
|
insertafter: '^#?auth ?'
|
|
|
|
- name: Add deny count and unlock times to authsucc
|
|
lineinfile:
|
|
path: /etc/pam.d/common-auth
|
|
state: present
|
|
line: "auth\tsufficient\tpam_faillock.so authsucc audit"
|
|
insertafter: '^#?auth ?'
|
|
|
|
- name: "5.4.3 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | add sha512 settings"
|
|
lineinfile:
|
|
path: /etc/pam.d/common-password
|
|
state: present
|
|
line: "password\tsufficient\tpam_unix.so {{ pam_faillock.pwhash }} shadow nullok try_first_pass use_authtok"
|
|
insertafter: '^#?password ?'
|
|
|
|
- name: "5.4.4 | L1 | PATCH | Ensure password reuse is limited | add remember settings"
|
|
lineinfile:
|
|
path: /etc/pam.d/common-password
|
|
state: present
|
|
line: "password\trequired\tpam_pwhistory.so remember={{ pam_faillock.remember }}"
|
|
insertafter: '^#?password ?'
|