Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option #10058

Merged
merged 2 commits into from
Jan 23, 2023

Conversation

dodys
Copy link
Contributor

@dodys dodys commented Jan 13, 2023

Description:

  • As discussed in Gitter, this change removes the degree character and move remediation to new macro bash_ensure_pam_module_option.

bash_ensure_pam_module_option
@dodys dodys changed the title accounts_passwords_pam_tally2: bash: Move to bash_ensure_pam_module_option accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option Jan 13, 2023
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

sle12 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

github-actions bot commented Jan 13, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
@@ -2,102 +2,51 @@
 var_password_pam_tally2=''
 
 # Use a non-number regexp to force update of the value of the deny option
-if [ -e "/etc/pam.d/common-auth" ] ; then
- valueRegex="°" defaultValue="${var_password_pam_tally2}"
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_tally2.so)/\\1auth\\2/" "/etc/pam.d/common-auth"
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-auth"
+ else
+ echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/common-auth"
 fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"required)[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_tally2.so)/\\1required\\2/" "/etc/pam.d/common-auth"
+fi
+# Check the option
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sdeny\b' "/etc/pam.d/common-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ deny='"${var_password_pam_tally2}"'/' "/etc/pam.d/common-auth"
+else
+ sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"deny"'=)[[:alnum:]]+\s*(.*)/\1\2'"${var_password_pam_tally2}"' \3/' "/etc/pam.d/common-auth"
+fi
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-auth"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-auth")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-auth"
+ else
+ LAST_MATCH_LINE=$(grep -nP "(fail)" "/etc/pam.d/common-auth" | tail -n 1 | cut -d: -f 1)
+ if [ ! -z $LAST_MATCH_LINE ]; then
+ sed -i --follow-symlinks $LAST_MATCH_LINE' a auth '"required"' pam_tally2.so' "/etc/pam.d/common-auth"
+ else
+ echo 'auth '"required"' pam_tally2.so' >> "/etc/pam.d/common-auth"
+ fi
 fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+deny(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s)deny=[^[:space:]]*/\\1deny${defaultValue}/" "/etc/pam.d/common-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" &&
- grep -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" | grep -q -E -v "\\sdeny(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 deny${defaultValue}/" "/etc/pam.d/common-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+deny${valueRegex}(\\s|\$)" < "/etc/pam.d/common-auth" ; then
- echo "auth required pam_tally2.so deny${defaultValue}" >> "/etc/pam.d/common-auth"
+fi
+# Check the option
+if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\sonerr\b' "/etc/pam.d/common-auth"; then
+ sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ onerr='"fail"'/' "/etc/pam.d/common-auth"
+else
+ sed -i -E --follow-symlinks 's/(\s*auth\s+'"required"'\s+pam_tally2.so\s+.*)('"onerr"'=)[[:alnum:]]+\s*(.*)/\1\2'"fail"' \3/' "/etc/pam.d/common-auth"
+fi
+if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
+ # Line matching group + control + module was not found. Check group + module.
+ if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
+ # The control is updated only if one single line matches.
+ sed -i -E --follow-symlinks 's/^(\s*account\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-account"
+ else
+ echo 'account '"required"' pam_tally2.so' >> "/etc/pam.d/common-account"
 fi
-else
- echo "/etc/pam.d/common-auth doesn't exist" >&2
 fi
-if [ -e "/etc/pam.d/common-auth" ] ; then
- valueRegex="(fail)" defaultValue="fail"
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"auth\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_tally2.so)/\\1auth\\2/" "/etc/pam.d/common-auth"
- fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*auth\\s+(?"'!'"required)[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+)[[:alnum:]]+(\\s+pam_tally2.so)/\\1required\\2/" "/etc/pam.d/common-auth"
- fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+onerr(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-auth" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s)onerr=[^[:space:]]*/\\1onerr${defaultValue}/" "/etc/pam.d/common-auth"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" &&
- grep -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-auth" | grep -q -E -v "\\sonerr(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 onerr${defaultValue}/" "/etc/pam.d/common-auth"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+onerr${valueRegex}(\\s|\$)" < "/etc/pam.d/common-auth" ; then
- echo "auth required pam_tally2.so onerr${defaultValue}" >> "/etc/pam.d/common-auth"
- fi
-else
- echo "/etc/pam.d/common-auth doesn't exist" >&2
+# Check the option
+if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*\s\b' "/etc/pam.d/common-account"; then
+ sed -i -E --follow-symlinks '/\s*account\s+'"required"'\s+pam_tally2.so.*/ s/$/ /' "/etc/pam.d/common-account"
 fi
-if [ -e "/etc/pam.d/common-account" ] ; then
- valueRegex="" defaultValue=""
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix 'type' if it's wrong
- if grep -q -P "^\\s*(?"'!'"account\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-account" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+pam_tally2.so)/\\1account\\2/" "/etc/pam.d/common-account"
- fi
-
- # fix 'control' if it's wrong
- if grep -q -P "^\\s*account\\s+(?"'!'"required)[[:alnum:]]+\\s+pam_tally2.so" < "/etc/pam.d/common-account" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*account\\s+)[[:alnum:]]+(\\s+pam_tally2.so)/\\1required\\2/" "/etc/pam.d/common-account"
- fi
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*account\\s+required\\s+pam_tally2.so(\\s.+)?\\s+(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/common-account" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*account\\s+required\\s+pam_tally2.so(\\s.+)?\\s)=[^[:space:]]*/\\1${defaultValue}/" "/etc/pam.d/common-account"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*account\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-account" &&
- grep -E "^\\s*account\\s+required\\s+pam_tally2.so" < "/etc/pam.d/common-account" | grep -q -E -v "\\s(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*account\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 ${defaultValue}/" "/etc/pam.d/common-account"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*account\\s+required\\s+pam_tally2.so(\\s.+)?\\s+${valueRegex}(\\s|\$)" < "/etc/pam.d/common-account" ; then
- echo "account required pam_tally2.so ${defaultValue}" >> "/etc/pam.d/common-account"
- fi
-else
- echo "/etc/pam.d/common-account doesn't exist" >&2
-fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2
@@ -1,176 +1,402 @@
-- name: Check to see if pam_tally2.so is configured in /etc/pam.d/common-auth
- shell: grep -e '^\s*auth\s\+required\s\+pam_tally2\.so' /etc/pam.d/common-auth ||
- true
- register: check_pam_tally2_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Configure pam_tally2.so module in /etc/pam.d/common-auth
- lineinfile:
- path: /etc/pam.d/common-auth
- line: auth required pam_tally2.so
+- name: XCCDF Value var_password_pam_tally2 # promote to variable
+ set_fact:
+ var_password_pam_tally2: !!str 
+ tags:
+ - always
+
+- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
+ in /etc/pam.d/common-auth
+ block:
+
+ - name: Set Deny For Failed Password Attempts - Check if required PAM module line
+ is present in /etc/pam.d/common-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Set Deny For Failed Password Attempts - Ensure the correct control for the
+ required PAM module line in /etc/pam.d/common-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/common-auth
+ regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
+ replace: \1required \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
+ is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/common-auth
+ line: auth required pam_tally2.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when: |
+ result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*\sdeny\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_deny_option_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the "deny" PAM option for "pam_tally2.so"
+ is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so.*)
+ line: \1 deny={{ var_password_pam_tally2 }}
 state: present
- when: '"pam_tally2" not in check_pam_tally2_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Check to see if 'onerr' parameter is present
- shell: grep -e '^\s*auth\s\+required\s\+pam_tally2\.so.*\sonerr=.*' /etc/pam.d/common-auth
- || true
- register: check_onerr_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Make sure pam_tally2.so has 'onerr' parameter set 'fail'
- replace:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*)(onerr=[A-Za-z]+)([^A-Za-z]?.*)
- replace: \1onerr=fail\3
- register: onerr_update_result
- when: '"onerr=" in check_onerr_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Add 'onerr' parameter for pam_tally2.so module in /etc/pam.d/common-auth
- lineinfile:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so)((\s+\S+)*\s*(\\)*$)
- line: \1 onerr=fail\2
+ register: result_pam_deny_add
+ when: result_pam_module_deny_option_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the required value for "deny"
+ PAM option from "pam_tally2.so" in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
 backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so\s+.*)(deny)=[0-9a-zA-Z]+\s*(.*)
+ line: \1\2={{ var_password_pam_tally2 }} \3
+ register: result_pam_deny_edit
+ when: result_pam_module_deny_option_present.found > 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
+ in /etc/pam.d/common-auth
+ block:
+
+ - name: Set Deny For Failed Password Attempts - Check if required PAM module line
+ is present in /etc/pam.d/common-auth with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Set Deny For Failed Password Attempts - Ensure the correct control for the
+ required PAM module line in /etc/pam.d/common-auth
+ ansible.builtin.replace:
+ dest: /etc/pam.d/common-auth
+ regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
+ replace: \1required \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
+ is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/common-auth
+ insertafter: (fail)
+ line: auth required pam_tally2.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when: |
+ result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
+ is present in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ regexp: ^\s*auth\s+required\s+pam_tally2.so\s*.*\sonerr\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module_onerr_option_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the "onerr" PAM option for
+ "pam_tally2.so" is included in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
+ backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so.*)
+ line: \1 onerr=fail
 state: present
- when: '"onerr=" not in check_onerr_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Check to see if 'deny' parameter is present
- shell: grep -e '^\s*auth\s\+required\s\+pam_tally2\.so.*\sdeny=.*' /etc/pam.d/common-auth
- || true
- register: check_deny_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Make sure pam_tally2.so has 'deny' parameter set to less than 4
- replace:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*)deny=([4-9]|[1-9][0-9]+)(\s*.*)
- replace: \1deny=3\3
- when: '"deny=" in check_deny_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Add 'deny' parameter for pam_tally2.so module in /etc/pam.d/common-auth
- lineinfile:
- path: /etc/pam.d/common-auth
- regexp: ^(\s*auth\s+required\s+pam_tally2\.so)((\s+\S+)*\s*(\\)*$)
- line: \1 deny=3\2
+ register: result_pam_onerr_add
+ when: result_pam_module_onerr_option_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the required value for "onerr"
+ PAM option from "pam_tally2.so" in /etc/pam.d/common-auth
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-auth
 backrefs: true
+ regexp: ^(\s*auth\s+required\s+pam_tally2.so\s+.*)(onerr)=[0-9a-zA-Z]+\s*(.*)
+ line: \1\2=fail \3
+ register: result_pam_onerr_edit
+ when: result_pam_module_onerr_option_present.found > 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if expected PAM module line
+ is present in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ regexp: ^\s*account\s+required\s+pam_tally2.so\s*.*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Include or update the PAM module line
+ in /etc/pam.d/common-account
+ block:
+
+ - name: Set Deny For Failed Password Attempts - Check if required PAM module line
+ is present in /etc/pam.d/common-account with different control
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_line_other_control_present
+
+ - name: Set Deny For Failed Password Attempts - Ensure the correct control for the
+ required PAM module line in /etc/pam.d/common-account
+ ansible.builtin.replace:
+ dest: /etc/pam.d/common-account
+ regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
+ replace: \1required \2
+ register: result_pam_module_edit
+ when:
+ - result_pam_line_other_control_present.found == 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure the required PAM module line
+ is included in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ dest: /etc/pam.d/common-account
+ line: account required pam_tally2.so
+ register: result_pam_module_add
+ when:
+ - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
+ > 1
+
+ - name: Set Deny For Failed Password Attempts - Ensure authselect changes are applied
+ ansible.builtin.command:
+ cmd: authselect apply-changes -b
+ when: |
+ result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed))
+ when:
+ - result_pam_line_present.found is defined
+ - result_pam_line_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Check if the required PAM module option
+ is present in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ regexp: ^\s*account\s+required\s+pam_tally2.so\s*.*\s\b
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: result_pam_module__option_present
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set Deny For Failed Password Attempts - Ensure the "" PAM option for "pam_tally2.so"
+ is included in /etc/pam.d/common-account
+ ansible.builtin.lineinfile:
+ path: /etc/pam.d/common-account
+ backrefs: true
+ regexp: ^(\s*account\s+required\s+pam_tally2.so.*)
+ line: \1
 state: present
- when: '"deny=" not in check_deny_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Check to see if pam_tally2.so is configured in /etc/pam.d/common-account
- shell: grep -e '^\s*account\s\+required\s\+pam_tally2\.so' /etc/pam.d/common-account
- || true
- register: check_account_pam_tally2_result
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Configure pam_tally2.so module in /etc/pam.d/common-account
- lineinfile:
- path: /etc/pam.d/common-account
- line: account required pam_tally2.so
- state: present
- when: '"pam_tally2" not in check_account_pam_tally2_result.stdout'
- tags:
- - CCE-83055-4
- - DISA-STIG-SLES-12-010130
- - NIST-800-53-AC-7(a)
- - PCI-DSS-Req-8.1.6
- - accounts_passwords_pam_tally2
- - configure_strategy
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
+ register: result_pam__add
+ when: result_pam_module__option_present.found == 0
+ tags:
+ - CCE-83055-4
+ - DISA-STIG-SLES-12-010130
+ - NIST-800-53-AC-7(a)
+ - PCI-DSS-Req-8.1.6
+ - accounts_passwords_pam_tally2
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed

@marcusburghardt marcusburghardt self-assigned this Jan 14, 2023
@marcusburghardt marcusburghardt added this to the 0.1.66 milestone Jan 14, 2023
@marcusburghardt marcusburghardt added SLES SUSE Linux Enterprise Server product related. Ubuntu Ubuntu product related. labels Jan 14, 2023
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dodys , there is also a equivalent macro for Ansible. Do you plan to also update the Ansible remediation?

@dodys
Copy link
Contributor Author

dodys commented Jan 20, 2023

@dodys , there is also a equivalent macro for Ansible. Do you plan to also update the Ansible remediation?

Pushed a new commit for that, hopefully got it right as I don't have a way to test it right now.

Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is just a small syntax issue in the Ansible remediation and it should be fine to be merged.

ansible_ensure_pam_module_option macro
@codeclimate
Copy link

codeclimate bot commented Jan 23, 2023

Code Climate has analyzed commit abb519d and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.7% (0.0% change).

View more on Code Climate.

@openshift-ci
Copy link

openshift-ci bot commented Jan 23, 2023

@dodys: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-rhcos4-moderate abb519d link true /test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-high abb519d link true /test e2e-aws-rhcos4-high

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@marcusburghardt marcusburghardt added the Update Rule Issues or pull requests related to Rules updates. label Jan 23, 2023
@marcusburghardt marcusburghardt merged commit c75e1d0 into ComplianceAsCode:master Jan 23, 2023
@vojtapolasek vojtapolasek modified the milestones: 0.1.66, 0.1.67 Jan 24, 2023
@dodys dodys deleted the tally2 branch April 17, 2023 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
SLES SUSE Linux Enterprise Server product related. Ubuntu Ubuntu product related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants