regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
line: 'PASS_MIN_DAYS 0'
+#
+# Linux Failed password attempts
+#
+
+- name: "Set Deny for failed password attempts 1"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+ lineinfile:
+ path: "{{item}}"
+ insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+ line: 'account required pam_faillock.so'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Account expiration following inactivity"
+ lineinfile:
+ create: yes
+ path: "/etc/default/useradd"
+ regexp: "^INACTIVE"
+ line: "INACTIVE=35"
+ tags:
+ - REC-443
+
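Review bot: The three faillock `lineinfile` tasks carry no `regexp`, so a later change to `deny=`, `unlock_time=` or `fail_interval=` adds a second pam_faillock line next to the old one instead of replacing it, and PAM then evaluates both. Give each task a `regexp` keyed on the module and mode — for task 1 `regexp: '^auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth'`, for task 2 one matching `pam_faillock\.so[\s]+authfail`, for task 3 `^account[\s]+required[\s]+pam_faillock\.so` — and keep `insertbefore`/`insertafter` as the fallback position. Note also that `lineinfile` appends at end of file when the `insertbefore`/`insertafter` pattern is absent, which would place the `preauth` entry after `pam_unix.so`, so a host without the `auth sufficient pam_unix.so` anchor silently gets a lockout that never fires; it is worth asserting the anchor exists before editing. Two caveats deserve a comment above the block: pam_faillock does not count root failures unless `even_deny_root` is given, and the `*-ac` files are regenerated by `authconfig`, so these edits do not survive a later `authconfig --update`.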
#
# YUM config
#
- cramfs
- usb-storage
- udf
+ - nfsd
#
# Disable interactive boot
# Set file permissions
#
-- name: "Set set the 600 file permissions"
- file:
- path: "{{item}}"
- state: touch
- mode: 600
+- name: "Check files exist to determine the proper location of grub.cfg on UEFI systems"
+ stat: path={{item}}
with_items:
+ - /boot/efi/EFI/centos/grub.cfg
- /boot/grub2/grub.cfg
- /var/log/boot.log
- /var/log/cron
+ register: file_stat
+
+- name: "Set the 600 file permissions"
+ file:
+ path: "{{item.item}}"
+ state: touch
+ mode: "600"
+ with_items: "{{ file_stat.results }}"
+ when:
+ - item.stat.exists == true
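Review bot: `state: touch` in "Set the 600 file permissions" rewrites the atime/mtime of every listed file on each run and reports changed every time, while the `when: item.stat.exists == true` guard already guarantees the file exists, so `state: file` is the idempotent choice: `state: file`. Timestamps on `grub.cfg`, `boot.log` and `cron` are also forensic evidence, and a hardening play should not disturb them. Smaller points in the same tasks: `stat: path={{item}}` is key=value shorthand where the rest of the file uses block YAML (`stat:` / `path: "{{ item }}"`), and `item.stat.exists == true` reads more simply as `item.stat.exists`. The EFI path `/boot/efi/EFI/centos/grub.cfg` is distribution-specific; if this play also targets RHEL the vendor directory differs, which is presumably why the path is stat-guarded rather than assumed — a comment saying so would help the next reader.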
#
# Disable direct root login
#define users
password_pbkdf2 root "{{ grub2_pass }}"
+- name: check whether grub-efi exists
+ stat:
+ path: /boot/efi/EFI/centos/grub.cfg
+ register: grub_efi_file_stat
+
- name: generate grub config
when: grub2_pass is defined and grub2_pass != 'Empty'
command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
+- name: generate grub-efi config
+ command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+ when:
+ - grub2_pass is defined and grub2_pass != 'Empty'
+ - grub_efi_file_stat.stat.exists == true
+
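Review bot: The stat in "check whether grub-efi exists" re-stats `/boot/efi/EFI/centos/grub.cfg`, which the permissions task above already stats into `file_stat`, so two registered facts now describe the same file and can drift if only one list is edited; either derive the guard from the earlier result or add a comment explaining why a dedicated stat is kept. The `command` task has no `changed_when`/`creates`, so `grub2-mkconfig` rewrites the EFI `grub.cfg` and reports changed on every run even when `grub2_pass` has not changed — acceptable for a one-shot hardening play, but worth a comment such as `# grub2-mkconfig is not idempotent; runs on every play while grub2_pass is set`. `grub_efi_file_stat.stat.exists == true` can be written `grub_efi_file_stat.stat.exists`, matching the boolean test style a linter will ask for.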
#
#Setting the noexec option to the /dev/shm mount dir
#
state: "mounted"
fstype: "{{device_fstype.stdout}}"
+#
+# Disable NFS service
+#
+
+- name: disable NFS related services
+ service:
+ name: "{{ item }}"
+ enabled: no
+ state: stopped
+ ignore_errors: yes
+ with_items:
+ - nfslock
+ - rpcgssd
+ - rpcidmapd
+ - nfs-idmap
+ - nfs-server
+ - nfs
+
+- name: remove nfs-utils package
+ yum:
+ name: nfs-utils
+ state: absent
+
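Review bot: `ignore_errors: yes` on "disable NFS related services" masks every failure of the loop, including a genuine failure to stop or disable `nfs-server` on a host where it exists, so a still-running NFS daemon passes as hardened; it appears to be there only because not all six unit names exist on every release. Register the result and narrow the tolerance to the missing-unit case instead: `register: nfs_svc` plus `failed_when: nfs_svc is failed and 'Could not find the requested service' not in (nfs_svc.msg | default(''))` (confirm the exact message the `service` module emits on your targets before relying on it). The booleans `enabled: no` and `ignore_errors: yes` should be `false`/`true` — `yes`/`no` are YAML 1.1 truthy spellings that yamllint flags, as is `create: yes` in the INACTIVE task above. Removing `nfs-utils` with `state: absent` also removes any package that depends on it; presumably nothing on these hosts does, but a comment stating that expectation would save the next reader a surprise.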
#
# Setting file permissions
#