kubeasz/roles/os-harden/tasks/pam.yml

100 lines
3.5 KiB
YAML
Raw Normal View History

---
- name: update pam on Debian systems
command: 'pam-auth-update --package'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
changed_when: False
environment:
DEBIAN_FRONTEND: noninteractive
2018-09-17 23:23:56 +08:00
# the reason for this is so a user cannot connect to a server,
# that isn't connected to an LDAP server anymore.
# normally caching credentials shouldn't be necessary for most machines.
# removing it provides some more security while not removing usability.
- name: remove pam ccreds to disable password caching
package:
name: '{{ os_packages_pam_ccreds }}'
state: 'absent'
- name: remove pam_cracklib, because it does not play nice with passwdqc
apt:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
update_cache: 'yes'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
- name: configure passwdqc
template:
2018-09-17 23:23:56 +08:00
src: 'usr/share/pam-configs/pam_passwdqd.j2'
dest: '{{ passwdqc_path }}'
2018-09-17 23:23:56 +08:00
mode: '0644'
owner: 'root'
group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
- name: remove passwdqc
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
- name: install tally2
apt:
name: 'libpam-modules'
state: 'present'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
- name: configure tally2
template:
2018-09-17 23:23:56 +08:00
src: 'usr/share/pam-configs/pam_tally2.j2'
dest: '{{ tally2_path }}'
2018-09-17 23:23:56 +08:00
mode: '0644'
owner: 'root'
group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
- name: delete tally2 when retries is 0
file:
path: '{{ tally2_path }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
- name: remove pam_cracklib, because it does not play nice with passwdqc
yum:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
2018-09-17 23:23:56 +08:00
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
2018-09-17 23:23:56 +08:00
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
- name: remove passwdqc
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
- name: configure passwdqc and tally via central system-auth confic
template:
2018-09-17 23:23:56 +08:00
src: 'etc/pam.d/rhel_system_auth.j2'
dest: '/etc/pam.d/system-auth-ac'
mode: '0640'
owner: 'root'
group: 'root'
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template:
2018-09-17 23:23:56 +08:00
src: 'etc/rhel_libuser.conf.j2'
dest: '/etc/libuser.conf'
mode: '0640'
owner: 'root'
group: 'root'