X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Finfra-ansible.git;a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;fp=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=193bfe28eea6148e26af56b4961aca18b6109ff8;hp=3381cea22ba852b330f7eb92f6d120277b9e2401;hb=546b3966551e02ad91d162ca75d0afad141f5bc2;hpb=05483a058fcc2c8a92890793a75f5b9bbbdc8daa
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 3381cea..193bfe2 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -66,6 +66,52 @@
     regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
     line: 'PASS_MIN_DAYS 0'
 
+#
+# Linux Failed password attempts
+#
+
+- name: "Set Deny for failed password attempts 1"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+  lineinfile:
+    path: "{{item}}"
+    insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+    line: 'auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+  lineinfile:
+    path: "{{item}}"
+    insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+    line: 'account required pam_faillock.so'
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  tags:
+    - REC-443
+
+- name: "Set Account expiration following inactivity"
+  lineinfile:
+    create: yes
+    path: "/etc/default/useradd"
+    regexp: "^INACTIVE"
+    line: "INACTIVE=35"
+  tags:
+    - REC-443
+
 
 #
 # YUM config
 #
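Review bot: The three pam_faillock tasks depend on their `insertbefore`/`insertafter` anchors matching, and when the `pam_unix.so` regex finds no line (a system-auth-ac or password-auth-ac laid out differently than expected) lineinfile falls back to appending at end of file, so the `preauth`, `authfail` and `account` entries land after the existing stacks and the lockout silently never takes effect. A guard task that fails when the anchor is absent makes that condition visible instead of leaving the host unprotected; a sketch follows. The section header comment should also state that `/etc/pam.d/*-auth-ac` are regenerated by `authconfig --update`, which would drop these lines, and that `INACTIVE=35` in `/etc/default/useradd` only applies to accounts created afterwards, so existing users still need a separate `chage --inactive` step. Minor style point in the last task: `create: yes` should be `create: true` (yamllint `truthy`).
```yaml
- name: "Verify pam_unix.so anchor lines exist before inserting pam_faillock"
  command: grep -Eq '^auth\s+sufficient\s+pam_unix\.so' "{{ item }}"
  changed_when: false
  with_items:
    - /etc/pam.d/system-auth-ac
    - /etc/pam.d/password-auth-ac
  tags:
    - REC-443
# … unchanged: the three "Set Deny for failed password attempts" tasks …
```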