X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=3b75d16d88060e1662870ebf0cf672b1227d160d;hb=e5776805848728d0aac93078223585f725b84c5e;hp=3381cea22ba852b330f7eb92f6d120277b9e2401;hpb=95119f5474d6d585b173fdffcb922d3b2a8c7ac9;p=ta%2Finfra-ansible.git

diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 3381cea..3b75d16 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -66,6 +66,60 @@
     regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
     line: 'PASS_MIN_DAYS   0'
 
+#
+# Linux Failed password attempts
+#
+- name: "Ensure authconfig is properly configured"
+  command: authconfig --updateall
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  when: not (item|exists and item|is_file)
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 1"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+  lineinfile:
+    path: "{{item}}"
+    insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth        [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+    line: 'account     required      pam_faillock.so'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Account expiration following inactivity"
+  lineinfile:
+    create: yes
+    path: "/etc/default/useradd"
+    regexp: "^INACTIVE"
+    line: "INACTIVE=35"
+  tags:
+    - REC-443
+
 #
 # YUM config
 #
@@ -140,15 +194,23 @@
 # Set file permissions
 #
 
-- name: "Set set the 600 file permissions"
-  file:
-    path: "{{item}}"
-    state: touch
-    mode: 600
+- name: "Check files exist to determine the proper location of grub.cfg on UEFI systems"
+  stat: path={{item}}
   with_items:
+    - /boot/efi/EFI/centos/grub.cfg
     - /boot/grub2/grub.cfg
     - /var/log/boot.log
     - /var/log/cron
+  register: file_stat
+
+- name: "Set the 600 file permissions"
+  file:
+    path: "{{item.item}}"
+    state: touch
+    mode: "600"
+  with_items: "{{ file_stat.results }}"
+  when:
+    - item.stat.exists == true
 
 #
 # Disable direct root login
@@ -314,10 +376,21 @@
       #define users
       password_pbkdf2 root "{{ grub2_pass }}"
 
+- name: check whether grub-efi exists
+  stat:
+    path: /boot/efi/EFI/centos/grub.cfg
+  register: grub_efi_file_stat
+
 - name: generate grub config
   when: grub2_pass is defined and grub2_pass != 'Empty'
   command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
 
+- name: generate grub-efi config
+  command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+  when:
+    - grub2_pass is defined and grub2_pass != 'Empty'
+    - grub_efi_file_stat.stat.exists == true
+
 #
 #Setting the noexec option to the /dev/shm mount dir
 #