add guard for tally debian unstable

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2024-11-10 09:14:18 +00:00 · 2021-02-08 11:18:50 +01:00 · 2021-02-08 11:18:50 +01:00 · 3ad4fbab0e
commit 3ad4fbab0e
parent ebbf6855e8
1 changed files with 43 additions and 31 deletions
--- a/roles/os_hardening/tasks/pam.yml
+++ b/roles/os_hardening/tasks/pam.yml
@ -1,10 +1,10 @@
 ---
- name: update pam on Debian systems
-  command: 'pam-auth-update --package'
-  when: ansible_facts.distribution in ['Debian', 'Ubuntu']
-  changed_when: false
-  environment:
-    DEBIAN_FRONTEND: noninteractive
+- name: Gather package facts
+  package_facts:
+    manager: auto
+  when:
+    - ansible_facts.os_family != 'Suse'
+    - ansible_facts.os_family != 'Archlinux'

 # the reason for this is so a user cannot connect to a server,
 # that isn't connected to an LDAP server anymore.
@ -59,29 +59,48 @@
    state: 'present'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
-    - not os_auth_pam_passwdqc_enable
    - os_auth_retries > 0

- name: configure tally2
-  template:
-    src: 'usr/share/pam-configs/pam_tally2.j2'
-    dest: '{{ tally2_path }}'
-    mode: '0644'
-    owner: 'root'
-    group: 'root'
-  when:
-    - ansible_facts.distribution in ['Debian', 'Ubuntu']
-    - not os_auth_pam_passwdqc_enable
-    - os_auth_retries > 0
+- name: manage tally on Debian stable
+  block:
+    - name: configure tally2
+      template:
+        src: 'usr/share/pam-configs/pam_tally2.j2'
+        dest: '{{ tally2_path }}'
+        mode: '0644'
+        owner: 'root'
+        group: 'root'
+      when:
+        - os_auth_retries > 0

- name: delete tally2 when retries is 0
-  file:
-    path: '{{ tally2_path }}'
-    state: 'absent'
+    - name: delete tally2 when retries is 0
+      file:
+        path: '{{ tally2_path }}'
+        state: 'absent'
+      when:
+        - os_auth_retries == 0
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
-    - not os_auth_pam_passwdqc_enable
-    - os_auth_retries == 0
+    - "'libpam-modules' in ansible_facts.packages"
+    - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '<')"
+
+- name: manage tally/faillock on Debian unstable
+  block:
+    - name: delete tally2
+      file:
+        path: '{{ tally2_path }}'
+        state: 'absent'
+  when:
+    - ansible_facts.distribution in ['Debian', 'Ubuntu']
+    - "'libpam-modules' in ansible_facts.packages"
+    - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '>=')"
+
+- name: update pam on Debian systems
+  command: 'pam-auth-update --package'
+  environment:
+    DEBIAN_FRONTEND: noninteractive
+  changed_when: false
+  when: ansible_facts.distribution in ['Debian', 'Ubuntu']

 - name: remove pam_cracklib, because it does not play nice with passwdqc
  yum:
@ -120,13 +139,6 @@
    group: 'root'
  when: ansible_facts.os_family == 'RedHat'

- name: Gather package facts
-  package_facts:
-    manager: auto
-  when:
-    - ansible_facts.os_family != 'Suse'
-    - ansible_facts.os_family != 'Archlinux'
-
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
  template:
    src: 'etc/libuser.conf.j2'