ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline


RHEL-07-010320 and RHEL-07-010330: module arguments not updating?

mikerenfro opened this issue · comments

https://github.com/MindPointGroup/RHEL7-STIG/blob/78fafdf83214d1c1840df384804e69760f0298e0/tasks/fix-cat2.yml#L375

By default in defaults/main.yml:

rhel7stig_pam_faillock:
    attempts: 3
    interval: 900
    unlock_time: 604800
    fail_for_root: yes

If the playbook has already been run and the PAM files have been updated with faillock settings, it doesn't appear that the pamd lines will modify module arguments once the faillock lines have been added.

One possible fix is to add additional pamd tasks that ensure the arguments are set correctly, resulting in something like:

- block:
      - name: |
              "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period."
              "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked."
        pamd:
            name: "{{ item }}"
            state: before
            type: auth
            control: sufficient
            module_path: pam_unix.so
            new_type: auth
            new_control: required
            new_module_path: pam_faillock.so
            module_arguments: "preauth silent audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: |
              "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period (update preauth)."
              "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked (update preauth)."
        pamd:
            name: "{{ item }}"
            state: updated
            type: auth
            control: required
            module_path: pam_faillock.so
            module_arguments: "preauth silent audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked."
        pamd:
            name: "{{ item }}"
            state: after
            type: auth
            control: sufficient
            module_path: pam_unix.so
            new_type: auth
            new_control: "[default=die]"
            new_module_path: pam_faillock.so
            module_arguments: "authfail audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked (update authfail)."
        pamd:
            name: "{{ item }}"
            state: updated
            type: auth
            control: "[default=die]"
            module_path: pam_faillock.so
            module_arguments: "authfail audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked."
        pamd:
            name: "{{ item }}"
            state: before
            type: account
            control: required
            module_path: pam_unix.so
            new_type: account
            new_control: required
            new_module_path: pam_faillock.so
        with_items:
            - "system-auth"
            - "password-auth"

  when: rhel_07_010320 or rhel_07_010330
  tags:
      - RHEL-07-010320
      - RHEL-07-010330
      - pamd

To reduce code duplication, it might be possible to remove the module_arguments from the before/after tasks, and only have them in the additional tasks.

Thoughts?
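A check for the drift described above, written as an added example (Python, not part of this issue or the RHEL7-STIG role): it parses a rendered pam.d file and reports every pam_faillock.so line whose control or arguments differ from what the role's defaults and the tasks above would render. The control values ("required", "[default=die]") and argument names come from the tasks quoted in the issue; the sample file is constructed to show a host configured by an earlier run with a different deny value.

```python
import re

# Values from the role's defaults/main.yml (rhel7stig_pam_faillock) as quoted in the issue.
FAILLOCK = {"attempts": 3, "interval": 900, "unlock_time": 604800, "fail_for_root": True}
CONTROLS = {"preauth": "required", "authfail": "[default=die]"}  # auth-stack controls the tasks set

def expected_args(cfg):
    """Mirror the issue's Jinja expression: audit deny=N [even_deny_root] fail_interval=I unlock_time=U."""
    args = {"audit", f"deny={cfg['attempts']}", f"fail_interval={cfg['interval']}", f"unlock_time={cfg['unlock_time']}"}
    if cfg["fail_for_root"]:
        args.add("even_deny_root")
    return args

# type, control (a bare word or a bracketed [...] list), module path, optional arguments
_LINE = re.compile(r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_pamd(text):
    """Yield (type, control, module, set_of_args) for each non-comment line of a pam.d file."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = _LINE.match(line)
            if m:
                yield m["type"], m["control"], m["module"], set(m["args"].split())

def check_faillock(text, cfg=FAILLOCK):
    """Return findings for a pam.d file; an empty list means every pam_faillock line matches cfg."""
    want, findings, seen = expected_args(cfg), [], set()
    for ptype, control, module, args in parse_pamd(text):
        if module != "pam_faillock.so":
            continue
        if ptype == "account":
            seen.add("account")
            continue
        for phase, wanted_control in CONTROLS.items():
            if phase in args:
                seen.add(phase)
                missing = sorted(want - args)  # expected arguments absent from this line
                if control != wanted_control or missing:
                    findings.append(f"{phase}: control={control} missing={missing}")
    findings += [f"no pam_faillock.so {p} line" for p in ("preauth", "authfail", "account") if p not in seen]
    return findings

# Constructed sample: an earlier run added faillock with deny=5; the before/after tasks alone leave it stale.
STALE_SYSTEM_AUTH = """\
auth        required      pam_faillock.so preauth silent audit deny=5 even_deny_root fail_interval=900 unlock_time=604800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 even_deny_root fail_interval=900 unlock_time=604800
account     required      pam_faillock.so
"""
```

Running `check_faillock` over the real `/etc/pam.d/system-auth` and `password-auth` after a second playbook run is a quick way to confirm whether the `state: updated` tasks actually rewrote the arguments.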

Look at similar changes made to the RHEL6-STIG role a few months ago.

Haven't put this into testing yet, but this is shorter than what I had before, and resembles the RHEL6-STIG changes:

- block:
      - name: |
              "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period (add modules)."
              "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked (add modules)."
        pamd:
            name: "{{ item.name }}"
            state: "{{ item.state }}"
            type: "{{ item.type }}"
            control: "{{ item.control }}"
            module_path: pam_unix.so
            new_type: "{{ item.type }}"
            new_control: "{{ item.new_control }}"
            new_module_path: pam_faillock.so
            module_arguments: "{{ item.args }}"
        with_items:
            - { name: "system-auth", state: "before", type: "auth", control: "sufficient", new_control: "required", args: "preauth silent {{ faillock_args }}" }
            - { name: "password-auth", state: "before", type: "auth", control: "sufficient", new_control: "required", args: "preauth silent {{ faillock_args }}" }
            - { name: "system-auth", state: "after", type: "auth", control: "sufficient", new_control: "[default=die]", args: "authfail {{ faillock_args }}" }
            - { name: "password-auth", state: "after", type: "auth", control: "sufficient", new_control: "[default=die]", args: "authfail {{ faillock_args }}" }
            - { name: "system-auth", state: "before", type: "account", control: "required", new_control: "required", args: ""}
            - { name: "password-auth", state: "before", type: "account", control: "required", new_control: "required", args: ""}

      - name: |
              "MEDIUM | RHEL-07-010320 | PATCH | Accounts subject to three unsuccessful login attempts within 15 minutes must be locked for the maximum configurable period (update modules)."
              "MEDIUM | RHEL-07-010330 | PATCH | If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked (update modules)."
        pamd:
            name: "{{ item.name }}"
            state: updated
            type: auth
            control: "{{ item.control }}"
            module_path: pam_faillock.so
            module_arguments: "{{ item.args }}"
        with_items:
            - { name: "system-auth", control: "required", args: "preauth silent {{ faillock_args }}" }
            - { name: "password-auth", control: "required", args: "preauth silent {{ faillock_args }}" }
            - { name: "system-auth", control: "[default=die]", args: "authfail {{ faillock_args }}" }
            - { name: "password-auth", control: "[default=die]", args: "authfail {{ faillock_args }}" }

  # block-level so that faillock_args is defined for both tasks above
  vars:
      faillock_args: "audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
  when: rhel_07_010320 or rhel_07_010330
  tags:
      - RHEL-07-010320
      - RHEL-07-010330
      - pamd

This should be fixed in #180 - TLDR of the convo in that PR is that the pamd module is broken.