openstack/ansible-hardening
Code Issues Proposed changes
Files
f422da8599c6d8f64ebfefbf0a0aa711ea1f9569
ansible-hardening/doc/metadata/rhel7/V-71945.rst
Markos Chandras f422da8599 Add support for the openSUSE Leap distributions 
Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions especially
on older Ansible versions.

Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
2017-06-27 15:43:53 +01:00

45 lines
1.6 KiB
ReStructuredText
Raw Blame History

---
id: V-71945
status: opt-in - Red Hat Only
tag: auth
---
The STIG requires that accounts with excessive failed login attempts are
locked. It sets a limit of three failed attempts in a 15 minute interval and
these restrictions are applied to all users (including root). Accounts cannot
be automatically unlocked for seven days.
This change might cause disruptions in production environments without proper
communication to users. Therefore, this change is not applied by default.
Deployers can opt in for the change by setting the following variable:
.. code-block:: yaml
security_pam_faillock_enable: yes
There are also three configuration options that can be adjusted by setting
Ansible variables:
* ``security_pam_faillock_attempts``: This many failed login attempts within
the specified time interval with trigger the account to lock.
(STIG requirement: ``3`` attempts)
* ``security_pam_faillock_interval``: This is the time interval (in seconds)
to use when measuring excessive failed login attempts.
(STIG requirement: ``900`` seconds)
* ``security_pam_faillock_deny_root``: Set to ``yes`` to apply the restriction
to the root user or set to ``no`` to exempt the root user from the account
locking restrictions.
(STIG requirement: ``yes``)
* ``security_pam_faillock_unlock_time``: This sets the time delay (in seconds)
before a locked account is automatically unlocked.
(STIG requirement: ``604800`` seconds)
.. note::
Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 do not provide ``pam_faillock``.
This change is only applied to CentOS 7 or Red Hat Enterprise Linux 7 systems.
View Git Blame Copy Permalink