add missing faillock configuration
This commit is contained in:
parent
59802542da
commit
cfdb44c204
3 changed files with 76 additions and 1 deletions
|
@ -103,7 +103,6 @@
|
||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
|
|
||||||
# TODO: Use pamd module to establish password policy
|
|
||||||
- name: pwquality - minlen
|
- name: pwquality - minlen
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
line: "minlen = 14"
|
line: "minlen = 14"
|
||||||
|
@ -144,6 +143,16 @@
|
||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
|
|
||||||
|
- name: account lock configuration
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "etc/security/faillock.conf.j2"
|
||||||
|
dest: /etc/security/faillock.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
tags:
|
||||||
|
- harden
|
||||||
|
|
||||||
- name: Remove packages not allowed by CIS
|
- name: Remove packages not allowed by CIS
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: "{{ remove_packages }}"
|
name: "{{ remove_packages }}"
|
||||||
|
|
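Review bot: The `account lock configuration` task in the second hunk writes /etc/security/faillock.conf, but that file is only read by pam_faillock.so, and nothing in this commit puts that module into the PAM stack; the `# TODO: Use pamd module to establish password policy` line dropped in the first hunk was the reminder for exactly that step, so removing it leaves the gap undocumented. Until pam_faillock is enabled (on authselect-based systems via the `with-faillock` feature, or with a pamd task as the TODO suggested), the deny/unlock_time values rendered here are inert and the host still has no lockout. I would keep a note on the new task, `# Only effective once pam_faillock is enabled in the PAM stack; see TODO above`, or add the enabling task alongside it. Minor: the task name `account lock configuration` does not follow the capitalised style of its neighbours (`Remove packages not allowed by CIS`). The task list continues outside both hunks.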
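--- /dev/null
+++ b/templates/etc/security/faillock.conf.j2
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = {{ faillock_deny_times }}
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+fail_interval = {{ faillock_fail_interval }}
+#
+# The access will be reenabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be reenabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+unlock_time = {{ faillock_unlock_time }}
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>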
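Review bot: The comments carried over from the faillock.conf man page still contain its markup: `# lock out is <replaceable>n</replaceable> seconds.` should read `# lock out is n seconds.`, and `# the root account (the options `even_deny_root>` and` has a stray `>` after `even_deny_root`. Separately, `deny`, `fail_interval` and `unlock_time` are templated from role variables while `even_deny_root` stays commented out, so root is exempt from lockout no matter how the role is configured; if that is intentional it deserves a one-line comment saying so, otherwise exposing it as `{% if faillock_even_deny_root | default(false) %}even_deny_root{% endif %}` keeps the whole lockout policy adjustable from defaults. `silent` is also enabled unconditionally, which means locked-out users get no indication of why authentication fails; worth a comment that the suppression is deliberate so it is not mistaken for a misconfiguration during support.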
|
@ -169,4 +169,8 @@ enable_svc:
|
||||||
|
|
||||||
syslog_packages:
|
syslog_packages:
|
||||||
- rsyslog
|
- rsyslog
|
||||||
|
|
||||||
|
faillock_deny_times: '5'
|
||||||
|
faillock_fail_interval: '900'
|
||||||
|
faillock_unlock_time: '900'
|
||||||
...
|
...
|
||||||
|
|
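Review bot: The three new defaults say nothing about what they control or their units, and a reader has to open the template to learn that `faillock_fail_interval` and `faillock_unlock_time` are seconds and that `faillock_unlock_time: 0` means the account is never unlocked automatically. A comment above the group, `# pam_faillock: lock after N failures within fail_interval seconds; unlock_time 0 = manual reset only`, would cover that. The values are quoted strings, which renders fine into the conf file; just keep the quoting consistent if integer overrides are expected elsewhere. The enclosing defaults file continues outside this hunk.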