diff --git a/tasks/harden.yml b/tasks/harden.yml
index f9a2766..9203b34 100644
--- a/tasks/harden.yml
+++ b/tasks/harden.yml
@@ -103,7 +103,6 @@
tags:
- harden
- # TODO: Use pamd module to establish password policy
- name: pwquality - minlen
ansible.builtin.lineinfile:
line: "minlen = 14"
@@ -144,6 +143,16 @@
tags:
- harden
+ - name: account lock configuration
+ ansible.builtin.template:
+ src: "etc/security/faillock.conf.j2"
+ dest: /etc/security/faillock.conf
+ owner: root
+ group: root
+ mode: '0644'
+ tags:
+ - harden
+
- name: Remove packages not allowed by CIS
ansible.builtin.package:
name: "{{ remove_packages }}"
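Review bot: The new `account lock configuration` task only writes /etc/security/faillock.conf, and that file has no effect unless pam_faillock is in the PAM auth and account stacks; nothing in the visible hunks enables it. On RHEL-family hosts this is usually done through the authselect `with-faillock` feature, so without it the role would report the host as hardened while no lockout is enforced. The rest of tasks/harden.yml lies outside this hunk and may already handle it. If so, a comment above the task would make the dependency explicit, for example `# faillock.conf is only read once pam_faillock is enabled in the PAM stack (see the authselect/pam task)`. A follow-up check that the module is present in the rendered PAM configuration would catch drift.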
diff --git a/templates/etc/security/faillock.conf.j2 b/templates/etc/security/faillock.conf.j2
new file mode 100644
index 0000000..4fd125d
--- /dev/null
+++ b/templates/etc/security/faillock.conf.j2
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = {{ faillock_deny_times }}
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is n seconds.
+# The default is 900 (15 minutes).
+fail_interval = {{ faillock_fail_interval }}
+#
+# The access will be reenabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be reenabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+unlock_time = {{ faillock_unlock_time }}
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group =
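Review bot: `even_deny_root` is left commented out and is not driven by a variable, so the root account is exempt from lockout and password guessing against root is not throttled by this policy. Because locking root also carries an availability risk, it would be better made an explicit, documented choice, for example `{% if faillock_even_deny_root | default(false) %}even_deny_root{% endif %}` together with a templated `root_unlock_time` (the variable name here is a suggestion, not one the role defines). Separately, `audit` is enabled, which logs unknown user names to syslog; a password typed at the user-name prompt will then land in the log, so the comment above it should note that log access needs to be restricted. The comment for `admin_group` also has a stray `>` after `even_deny_root` and an unclosed parenthesis.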
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 407ec4a..9dd9c87 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -169,4 +169,8 @@ enable_svc:
syslog_packages:
- rsyslog
+
+faillock_deny_times: '5'
+faillock_fail_interval: '900'
+faillock_unlock_time: '900'
...
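Review bot: The three `faillock_*` values are added to vars/RedHat.yml, and role vars take precedence over inventory and group_vars, so an operator cannot tune the lockout threshold per environment without extra-vars. Moving them to the role defaults (`defaults/main.yml`) would keep the same values while making them overridable. They also appear to be defined only for the RedHat family in this diff; if the template task runs on another OS family whose vars file lacks them, rendering will fail on an undefined variable. A `when:` on the task or a default in the template, such as `deny = {{ faillock_deny_times | default('5') }}`, would avoid that. A short comment stating the units (attempts, seconds) and that `faillock_unlock_time: '0'` means the account is never unlocked automatically would help anyone changing these.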