openstack/ansible-hardening
Code Issues Proposed changes

Merge "Disable accounts w/expired passwords [+Docs]"

Browse Source
This commit is contained in:
Jenkins
2016-12-08 15:37:31 +00:00
committed by Gerrit Code Review
parent eac30953e8 2a17cd18cd
commit 1a2dd1a12b
4 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
defaults/main.yml
View File

@@ -483,7 +483,9 @@ security_shadow_utils_umask: 077 # RHEL-07-020230
# Create home directories for new users by default. # Create home directories for new users by default.
security_shadow_utils_create_home: yes # RHEL-07-020630 security_shadow_utils_create_home: yes # RHEL-07-020630
# How many old user password to remember to prevent password re-use. # How many old user password to remember to prevent password re-use.
#security_password_remember_password: 5 # RHEL-07-010240 #security_password_remember_password: 5 # RHEL-07-010240
# Disable user accounts if the password expires.
security_disable_account_if_password_expires: no # RHEL-07-010280
# Lock user accounts with excessive login failures. See documentation. # Lock user accounts with excessive login failures. See documentation.
security_pam_faillock_enable: no # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373 security_pam_faillock_enable: no # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
security_pam_faillock_interval: 900 security_pam_faillock_interval: 900

14
doc/metadata/rhel7/RHEL-07-010280.rst
View File

@@ -1,7 +1,15 @@
--- ---
id: RHEL-07-010280 id: RHEL-07-010280
status: not implemented status: opt-in
tag: misc tag: auth
--- ---
This STIG requirement is not yet implemented. The STIG requires that user accounts are disabled when their password expires.
This might be disruptive for some users or for automated processes. Therefore,
the tasks in the security role do not apply this change by default.
Deployers can opt in for this change by setting the following Ansible variable:
.. code-block:: yaml
security_disable_account_if_password_expires: yes

12
tasks/rhel7stig/auth.yml
View File

@@ -178,6 +178,18 @@
- high - high
- RHEL-07-010260 - RHEL-07-010260
- name: RHEL-07-010280 - The operating system must disable account identifiers if the password expires.
lineinfile:
dest: /etc/default/useradd
regexp: '^[#\s]*INACTIVE'
line: 'INACTIVE=0'
when:
- security_disable_account_if_password_expires | bool
tags:
- auth
- medium
- RHEL-07-010280
- name: RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked. - name: RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
blockinfile: blockinfile:
dest: pam_password_file dest: pam_password_file

1
tests/test.yml
View File

@@ -85,3 +85,4 @@
security_search_for_invalid_group_owner: yes security_search_for_invalid_group_owner: yes
security_enable_firewalld: yes security_enable_firewalld: yes
security_password_remember_password: 5 security_password_remember_password: 5
security_disable_account_if_password_expires: yes