Configure pam_faildelay on Ubuntu

As noted in the bug, Ubuntu 16.04 doesn't use FAIL_DELAY in `/etc/login.defs` as CentOS 7 does. This patch ensures that `pam_faildelay` is properly configured on Xenial. A direct backport wasn't possible due to the vars/main.yml -> vars/common.yml migration done in pike. Closes-Bug: 1659120 Closes-Bug: 1714462 Change-Id: I9ff9f45c0c5bdd749c9491431e2dcb8836587e78 (cherry picked from commit c15d75ecf4)
2017-01-30 13:14:39 -06:00 · 2017-01-30 13:14:39 -06:00 · d0ec2e8dd0
parent 977a2138dc
commit d0ec2e8dd0
2 changed files with 24 additions and 0 deletions
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -79,6 +79,7 @@
    state: present
  when:
    - item.value != ''
+    - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
  with_items: "{{ shadow_utils_rhel7 }}"
  tags:
    - auth
@ -90,6 +91,23 @@
    - RHEL-07-020230
    - RHEL-07-020630

+# NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
+# microseconds.
+- name: Set pam_faildelay configuration on Ubuntu
+  lineinfile:
+    dest: /etc/pam.d/login
+    regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
+    line: '\1 delay={{ security_shadow_utils_fail_delay * 10**6 }}'
+    state: present
+    backrefs: yes
+  when:
+    - security_shadow_utils_fail_delay is defined
+    - ansible_os_family | lower == 'debian'
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010420
+
 - name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
  ini_file:
    dest: /etc/libuser.conf
--- a/vars/main.yml
+++ b/vars/main.yml
@ -287,21 +287,27 @@ shadow_utils_rhel7:
  - parameter: ENCRYPT_METHOD
    value: "{{ security_password_encrypt_method | default('') }}"
    stig_id: RHEL-07-010180
+    ansible_os_family: all
  - parameter: PASS_MIN_DAYS
    value: "{{ security_password_min_lifetime_days | default('') }}"
    stig_id: RHEL-07-010200
+    ansible_os_family: all
  - parameter: PASS_MAX_DAYS
    value: "{{ security_password_max_lifetime_days | default('') }}"
    stig_id: RHEL-07-010220
+    ansible_os_family: all
  - parameter: FAIL_DELAY
    value: "{{ security_shadow_utils_fail_delay | default('') }}"
    stig_id: RHEL-07-010420
+    ansible_os_family: all
  - parameter: UMASK
    value: "{{ security_shadow_utils_umask | default('') }}"
    stig_id: RHEL-07-020230
+    ansible_os_family: all
  - parameter: CREATE_HOME
    value: "{{ security_shadow_utils_create_home | default('') }}"
    stig_id: RHEL-07-020630
+    ansible_os_family: all

 ## sysctl settings
 # This variable is used in main/rhel7stig/kernel.yml to set sysctl