## file changes
+-w /opt/nokia/bin/hostcli -p aw -k hostcli
+-w /usr/bin/openstack -p aw -k openstackcli
-w /boot/ -p rwxa -k dir_boot
-w /opt/ -p aw -k dir_opt
-w /etc/ -p rwa -k dir_etc
--w /usr/bin -p aw -k usr-bin
--w /usr/sbin -p aw -k usr-sbin
+-w /usr/bin -p rwxa -k usr-bin
+-w /usr/sbin -p rwxa -k usr-sbin
-w /usr/libexec -p aw -k usr-libexex
--w /usr/local -p rwxa -k usr-local
+-w /usr/local -p awx -k usr-local
-w /mnt/symptomreport/ -p awr -k symptomreport
-w /usr/lib -p aw -k usr-lib
-w /usr/lib64 -p aw -k usr-lib64
## Make the configuration immutable - reboot is required to change audit rules
-#-e 2
+-e 2
## Temporarily the value is set to 1 until the upgrade issue will be solved.
--e 1
+#-e 1
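Review bot: The comment above `-e 1` still says the value is temporarily set to 1 until the upgrade issue is solved, but this change comments out `-e 1` and activates `-e 2`, so the comment now contradicts the rules beneath it; drop it or replace it with `## Immutable mode enabled; -e 1 kept for reference only`. Because `-e 2` locks the configuration, it has to be the last rule processed — if this file is a fragment under rules.d, confirm that no other rules file sorts after it, since rules loaded after the lock are rejected (inferred from the layout, not visible here). Also note that `-p rwxa` on `/usr/bin` and `/usr/sbin` turns every read or execution of a system binary into an audit event; that volume can saturate the kernel backlog, so confirm the buffer size (`-b`) and failure mode (`-f`) set elsewhere in the file were sized for it. The start of this rules hunk may lie before the visible lines.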
- name: "remove the old public ssh key"
file:
- path: /home/{{ item.name }}/.ssh/{{ item.name }}
+ path: /home/{{ item.name }}/.ssh/authorized_keys
state: absent
with_items: "{{ linuxuser | default([]) }}"
- name: "add a new public ssh key"
when: item.state == 'present' and item.public_key != ""
lineinfile:
- path: /home/{{ item.name }}/.ssh/{{ item.name }}
+ path: /home/{{ item.name }}/.ssh/authorized_keys
create: yes
regexp: '.*'
state: "{{ item.state | default('absent') }}"
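Review bot: With both tasks now pointed at `authorized_keys`, the first task deletes each user's whole `authorized_keys` on every run (it is `state: absent` with no `when:`), and the second recreates it with `regexp: '.*'`, which only replaces the last line — so any key not listed in `linuxuser` is lost and key-based login fails between the two tasks. If the intent is to manage the real file rather than just retire the legacy per-user key file, `ansible.builtin.authorized_key` with `exclusive: true` does that idempotently in one task; otherwise confirm the unconditional deletion is meant to hit the live file. The `state:` expression on the last line is redundant with the `when:` gate, which already requires `item.state == 'present'`, and `create: yes` should be written `create: true`. The second task's `line:` key lies outside the hunk.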
regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
line: 'PASS_MIN_DAYS 0'
+#
+# Linux Failed password attempts
+#
+
+- name: "Set Deny for failed password attempts 1"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 2"
+ lineinfile:
+ path: "{{item}}"
+ insertafter: '^auth[\s]*sufficient[\s]*pam_unix.so'
+ line: 'auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=3600 fail_interval=900'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Deny for failed password attempts 3"
+ lineinfile:
+ path: "{{item}}"
+ insertbefore: '^account[\s]*required[\s]*pam_unix.so'
+ line: 'account required pam_faillock.so'
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ tags:
+ - REC-443
+
+- name: "Set Account expiration following inactivity"
+ lineinfile:
+ create: yes
+ path: "/etc/default/useradd"
+ regexp: "^INACTIVE"
+ line: "INACTIVE=35"
+ tags:
+ - REC-443
+
#
# YUM config
#
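Review bot: The three faillock tasks carry no `regexp:`, so `lineinfile` only checks for the exact `line`; if `deny=`, `unlock_time=` or `fail_interval=` is ever tuned, the old entry stays and a second `pam_faillock.so` line is inserted, and if the `pam_unix.so` anchor is not matched the module falls back to appending at end of file, where a `preauth` line placed after the final deny entry is silently ineffective. Add a regexp that matches the managed line regardless of its arguments: `regexp: '^auth\s+required\s+pam_faillock\.so\s+preauth'` for task 1, `regexp: '^auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail'` for task 2 and `regexp: '^account\s+required\s+pam_faillock\.so'` for task 3, and consider asserting that the anchor line exists before editing. On hosts where authconfig still owns the `*-ac` files, a later authconfig run would presumably regenerate them and drop these lines — confirm that does not apply here. `create: yes` in the useradd task should be `create: true`.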