accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option #10058
bash_ensure_pam_module_option
This datastream diff is auto generated by the check. Click here to see the full diff.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
@@ -2,102 +2,51 @@
var_password_pam_tally2=''
# Use a non-number regexp to force update of the value of the deny option
-if [ -e "/etc/pam.d/common-auth" ] ; then
- valueRegex="°" defaultValue="${var_password_pam_tally2}"
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_tally2.so)/\\1auth\\2/" "/etc/pam.d/common-auth"
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-auth"
+ else
+ echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/common-auth"
fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"required)[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_tally2.so)/\\1required\\2/" "/etc/pam.d/common-auth"
+fi
+# Check the option
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sdeny\b' "/etc/pam.d/common-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ deny='"${var_password_pam_tally2}"'/' "/etc/pam.d/common-auth"
+else
+ sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"deny"'=)[[:alnum:]]+\s*(.*)/\1\2'"${var_password_pam_tally2}"' \3/' "/etc/pam.d/common-auth"
+fi
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-auth"
+ else
+ LAST_MATCH_LINE=$(grep -nP "(fail)" "/etc/pam.d/common-auth" | tail -n 1 | cut -d: -f 1)
+ if [ ! -z $LAST_MATCH_LINE ]; then
+ sed -i --follow-symlinks $LAST_MATCH_LINE' a auth '"required"' pam_tally2.so' "/etc/pam.d/common-auth"
+ else
+ echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/common-auth"
+ fi
fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+deny(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s)deny=[^[:space:]]*/\\1deny${defaultValue}/" "/etc/pam.d/common-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" &&
- grep -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" | grep -q -E -v "\\sdeny(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 deny${defaultValue}/" "/etc/pam.d/common-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+deny${valueRegex}(\\s|\$)" < "/etc/pam.d/common-auth" ; then
- echo "auth required pam_tally2.so deny${defaultValue}" >> "/etc/pam.d/common-auth"
+fi
+# Check the option
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sonerr\b' "/etc/pam.d/common-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ onerr='"fail"'/' "/etc/pam.d/common-auth"
+else
+ sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"onerr"'=)[[:alnum:]]+\s*(.*)/\1\2'"fail"' \3/' "/etc/pam.d/common-auth"
+fi
+if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*account\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-account"
+ else
+ echo 'account '"required"' pam_tally2.so' >> "/etc/pam.d/common-account"
fi
-else
- echo "/etc/pam.d/common-auth doesn't exist" >&2
fi
-if [ -e "/etc/pam.d/common-auth" ] ; then
- valueRegex="(fail)" defaultValue="fail"
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_tally2.so)/\\1auth\\2/" "/etc/pam.d/common-auth"
- fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"required)[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_tally2.so)/\\1required\\2/" "/etc/pam.d/common-auth"
- fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+onerr(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s)onerr=[^[:space:]]*/\\1onerr${defaultValue}/" "/etc/pam.d/common-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" &&
- grep -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" | grep -q -E -v "\\sonerr(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 onerr${defaultValue}/" "/etc/pam.d/common-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+onerr${valueRegex}(\\s|\$)" < "/etc/pam.d/common-auth" ; then
- echo "auth required pam_tally2.so onerr${defaultValue}" >> "/etc/pam.d/common-auth"
- fi
-else
- echo "/etc/pam.d/common-auth doesn't exist" >&2
+# Check the option
+if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*\s\b' "/etc/pam.d/common-account"; then
+ sed -i -E --follow-symlinks '/\s*account\s+'"required"'\s+pam_tally2.so.*/ s/$/ /' "/etc/pam.d/common-account"
fi
-if [ -e "/etc/pam.d/common-account" ] ; then
- valueRegex="" defaultValue=""
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"account\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-account" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_tally2.so)/\\1account\\2/" "/etc/pam.d/common-account"
- fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*account\\s+(?"'!'"required)[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-account" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*account\\s+)[[:alnum:]]+(\\s+pam_tally2.so)/\\1required\\2/" "/etc/pam.d/common-account"
- fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*account\\s+required\\s+pam_tally2.so(\\s.+)?\\s+(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-account" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*account\\s+required\\s+pam_tally2.so(\\s.+)?\\s)=[^[:space:]]*/\\1${defaultValue}/" "/etc/pam.d/common-account"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*account\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-account" &&
- grep -E "^\\s*account\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-account" | grep -q -E -v "\\s(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*account\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 ${defaultValue}/" "/etc/pam.d/common-account"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*account\\s+required\\s+pam_tally2.so(\\s.+)?\\s+${valueRegex}(\\s|\$)" < "/etc/pam.d/common-account" ; then
- echo "account required pam_tally2.so ${defaultValue}" >> "/etc/pam.d/common-account"
- fi
-else
- echo "/etc/pam.d/common-account doesn't exist" >&2
-fi
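Review bot: the common-account part of this hunk (the last `# Check the option` block, operating on `/etc/pam.d/common-account`) is generated with an empty option name, and the result is not idempotent: the grep `'^\s*account\s+required\s+pam_tally2.so\s*.*\s\b'` only matches when some word already follows the module, so for a plain `account required pam_tally2.so` line the fallback `sed -i ... 's/$/ /'` appends a bare space; since a trailing space is never followed by a word boundary, the check fails again on the next run and another space is appended every time. Invoke the module-line macro without an option for common-account, or have the macro skip the option step when the option name is empty. Two smaller points: in the onerr block, `LAST_MATCH_LINE=$(grep -nP "(fail)" ...)` reads like the option's value regex passed as the insert-after anchor; it matches any line containing `fail` (for example one already carrying `onerr=fail`) rather than a deliberate anchor, and the deny and common-account blocks pass no anchor at all, so it should be dropped or replaced with the intended one. Also, the removed `[ -e "/etc/pam.d/common-auth" ]` guard and its stderr message have no replacement; on a host without that file the new code silently creates it through `>>` instead of reporting the problem, so consider keeping the existence check around the generated blocks.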
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
@@ -1,176 +1,402 @@
-- name: Check to see if pam_tally2.so is configured in /etc/pam.d/common-auth
- shell: grep -e '^\s*auth\s\+required\s\+pam_tally2\.so' /etc/pam.d/common-auth ||
- true
- register: check_pam_tally2_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Configure pam_tally2.so module in /etc/pam.d/common-auth
- lineinfile:
- path: /etc/pam.d/common-auth
- line: auth required pam_tally2.so
+- name: XCCDF Value var_password_pam_tally2 # promote to variable
+ set_fact:
+ var_password_pam_tally2: !!str
+ tags:
+ - always
+
+- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
+ in /etc/pam.d/common-auth
+ block:
+
+ - name: Set Deny For Failed Password Attempts - Check if required PAM module line
+ is present in /etc/pam.d/common-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Set Deny For Failed Password Attempts - Ensure the correct control for the
+ required PAM module line in /etc/pam.d/common-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/common-auth
+ regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
+ replace: \1required \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
+ is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/common-auth
+ line: auth required pam_tally2.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when: |
+ result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*\sdeny\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_deny_option_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the "deny" PAM option for "pam_tally2.so"
+ is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so.*)
+ line: \1 deny={{ var_password_pam_tally2 }}
state: present
- when: '"pam_tally2" not in check_pam_tally2_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Check to see if 'onerr' parameter is present
- shell: grep -e '^\s*auth\s\+required\s\+pam_tally2\.so.*\sonerr=.*' /etc/pam.d/common-auth
- || true
- register: check_onerr_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Make sure pam_tally2.so has 'onerr' parameter set 'fail'
- replace:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*)(onerr=[A-Za-z]+)([^A-Za-z]?.*)
- replace: \1onerr=fail\3
- register: onerr_update_result
- when: '"onerr=" in check_onerr_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Add 'onerr' parameter for pam_tally2.so module in /etc/pam.d/common-auth
- lineinfile:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so)((\s+\S+)*\s*(\\)*$)
- line: \1 onerr=fail\2
+ register: result_pam_deny_add
+ when: result_pam_module_deny_option_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the required value for "deny"
+ PAM option from "pam_tally2.so" in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so\s+.*)(deny)=[0-9a-zA-Z]+\s*(.*)
+ line: \1\2={{ var_password_pam_tally2 }} \3
+ register: result_pam_deny_edit
+ when: result_pam_module_deny_option_present.found > 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
+ in /etc/pam.d/common-auth
+ block:
+
+ - name: Set Deny For Failed Password Attempts - Check if required PAM module line
+ is present in /etc/pam.d/common-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Set Deny For Failed Password Attempts - Ensure the correct control for the
+ required PAM module line in /etc/pam.d/common-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/common-auth
+ regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
+ replace: \1required \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
+ is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/common-auth
+ insertafter: (fail)
+ line: auth required pam_tally2.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when: |
+ result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*\sonerr\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_onerr_option_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the "onerr" PAM option for
+ "pam_tally2.so" is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so.*)
+ line: \1 onerr=fail
state: present
- when: '"onerr=" not in check_onerr_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Check to see if 'deny' parameter is present
- shell: grep -e '^\s*auth\s\+required\s\+pam_tally2\.so.*\sdeny=.*' /etc/pam.d/common-auth
- || true
- register: check_deny_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Make sure pam_tally2.so has 'deny' parameter set to less than 4
- replace:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*)deny=([4-9]|[1-9][0-9]+)(\s*.*)
- replace: \1deny=3\3
- when: '"deny=" in check_deny_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Add 'deny' parameter for pam_tally2.so module in /etc/pam.d/common-auth
- lineinfile:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so)((\s+\S+)*\s*(\\)*$)
- line: \1 deny=3\2
+ register: result_pam_onerr_add
+ when: result_pam_module_onerr_option_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the required value for "onerr"
+ PAM option from "pam_tally2.so" in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so\s+.*)(onerr)=[0-9a-zA-Z]+\s*(.*)
+ line: \1\2=fail \3
+ register: result_pam_onerr_edit
+ when: result_pam_module_onerr_option_present.found > 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
+ is present in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ regexp: ^\s*account\s+required\s+pam_tally2.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
+ in /etc/pam.d/common-account
+ block:
+
+ - name: Set Deny For Failed Password Attempts - Check if required PAM module line
+ is present in /etc/pam.d/common-account with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Set Deny For Failed Password Attempts - Ensure the correct control for the
+ required PAM module line in /etc/pam.d/common-account
+ ansible.builtin.replace:
+ dest: /etc/pam.d/common-account
+ regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
+ replace: \1required \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
+ is included in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/common-account
+ line: account required pam_tally2.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when: |
+ result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
+ is present in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ regexp: ^\s*account\s+required\s+pam_tally2.so\s*.*\s\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module__option_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the "" PAM option for "pam_tally2.so"
+ is included in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ backrefs: true
+ regexp: ^(\s*account\s+required\s+pam_tally2.so.*)
+ line: \1
state: present
- when: '"deny=" not in check_deny_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Check to see if pam_tally2.so is configured in /etc/pam.d/common-account
- shell: grep -e '^\s*account\s\+required\s\+pam_tally2\.so' /etc/pam.d/common-account
- || true
- register: check_account_pam_tally2_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Configure pam_tally2.so module in /etc/pam.d/common-account
- lineinfile:
- path: /etc/pam.d/common-account
- line: account required pam_tally2.so
- state: present
- when: '"pam_tally2" not in check_account_pam_tally2_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
+ register: result_pam__add
+ when: result_pam_module__option_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed |
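Review bot: `insertafter: (fail)` in the second "Ensure the required PAM module line is included in /etc/pam.d/common-auth" task looks like the onerr value regex passed in the macro argument meant for the insertion anchor; as a regexp it matches any line containing `fail`, so a missing module line would be placed after an unrelated entry, while the equivalent deny and common-account tasks pass no `insertafter` at all. Drop it or pass the intended anchor. The last two tasks for /etc/pam.d/common-account are generated with an empty option name: the title reads 'Ensure the "" PAM option', the register names collapse to `result_pam_module__option_present` and `result_pam__add`, the check regexp ends in `\s\b`, and the `lineinfile` with `backrefs: true` rewrites the matched line as `\1`, i.e. unchanged. Those two tasks do nothing useful and should be omitted (generate only the module-line tasks for common-account). Finally, the new deny tasks substitute `{{ var_password_pam_tally2 }}`, but the `set_fact` at the top assigns `!!str` with no value, mirroring `var_password_pam_tally2=''` in the bash output; confirm the value is populated in the built datastream when the rule is selected, otherwise the edit task would write `deny=` with nothing after it.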
@dodys, there is also an equivalent macro for Ansible. Do you plan to also update the Ansible remediation?
Pushed a new commit for that, hopefully got it right as I don't have a way to test it right now.
There is just a small syntax issue in the Ansible remediation and it should be fine to be merged.
.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/ansible/shared.yml
ansible_ensure_pam_module_option macro
Code Climate has analyzed commit abb519d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.7% (0.0% change). View more on Code Climate.
@dodys: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.