update hardening
This commit is contained in:
Louis Abel
parent
c5a56975d0
commit
613a6029fe
GPG Key ID:
6735C0E1BD65D048
@ -2,19 +2,22 @@
|
||||
auth required pam_env.so
|
||||
auth required pam_faildelay.so delay=2000000
|
||||
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
|
||||
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
||||
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
||||
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
|
||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
|
||||
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
@ -38,3 +41,4 @@ session optional pam_oddjob_mkhomedir.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
session optional pam_sss.so
|
||||
session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
auth required pam_env.so
|
||||
auth required pam_faildelay.so delay=2000000
|
||||
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
|
||||
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
||||
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
||||
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
|
||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
@ -10,11 +10,14 @@ auth required pam_u2f.so cue {if not
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
|
||||
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
@ -38,3 +41,4 @@ session optional pam_oddjob_mkhomedir.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
session optional pam_sss.so
|
||||
session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
|
||||
|
||||
@ -165,15 +165,6 @@
|
||||
|
||||
- name: modprobe settings
|
||||
block:
|
||||
- name: remove vfat from filesystem list if we are EFI
|
||||
ansible.builtin.set_fact:
|
||||
modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
|
||||
when:
|
||||
- efi_installed.stat.isdir is defined
|
||||
- efi_installed.stat.isdir
|
||||
tags:
|
||||
- efi
|
||||
|
||||
- name: disable unused filesystems
|
||||
ansible.builtin.template:
|
||||
src: "etc/modprobe.d/cis.conf.j2"
|
||||
|
||||
@ -97,7 +97,6 @@ modprobe_unused_filesystems:
|
||||
- udf
|
||||
- tipc
|
||||
- usb_storage
|
||||
- vfat
|
||||
|
||||
# auditd
|
||||
audit_package: audit
|
||||
|
||||
Loading…
Reference in New Issue
Block a user