Check for pam_lastlogin [+Docs]

This patch adds a verification check for `pam_lastlogin` in PAM's configuration. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ib2135331efc0cfb6dca581ac7c70fac6dc7d3224
2016-12-06 14:13:51 -06:00 · 2016-12-06 14:13:51 -06:00 · 28cd87354d
parent 404175da27
commit 28cd87354d
4 changed files with 33 additions and 3 deletions
--- a/doc/metadata/rhel7/RHEL-07-040300.rst
+++ b/doc/metadata/rhel7/RHEL-07-040300.rst
@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040300
-status: not implemented
-tag: misc
+status: verification only
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+The PAM configuration is checked for the presence of ``pam_lastlogin`` and a
+warning message is printed if the directive is not found. The tasks in the
+security role do not adjust PAM configurations since these changes might be
+disruptive in some environments.
+
+Deployers should review their PAM configurations and add ``pam_lastlogin`` to
+``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to
+``/etc/pam.d/login`` on Ubuntu.
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -444,3 +444,24 @@
    - medium
    - auth
    - RHEL-07-040040
+
+- name: Check for pam_lastlog in PAM configuration
+  command: "grep pam_lastlog {{ pam_postlogin_file }}"
+  register: pam_lastlog_check
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-040300 - Display date/time of last logon after logon
+  debug:
+    msg: >
+      The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
+      This is required by RHEL-07-040300.
+  when:
+    - pam_lastlog_check.rc != 0
+  tags:
+    - low
+    - auth
+    - RHEL-07-040300
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -22,6 +22,7 @@
 # Configuration file paths
 pam_auth_file: /etc/pam.d/system-auth
 pam_password_file: /etc/pam.d/password-auth
+pam_postlogin_file: /etc/pam.d/postlogin
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
 grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -25,6 +25,7 @@ cache_timeout: 600
 # Configuration file paths
 pam_auth_file: /etc/pam.d/common-auth
 pam_password_file: /etc/pam.d/common-password
+pam_postlogin_file: /etc/pam.d/login
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
 grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg