cleanup and typos

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2024-11-10 09:14:18 +00:00 · 2021-03-15 23:39:12 +01:00 · 2021-03-15 23:39:12 +01:00 · ec9d7d2cb8
commit ec9d7d2cb8
parent 5f97dffddf
11 changed files with 19 additions and 19 deletions
--- a/molecule/os_hardening/verify_pam.yml
+++ b/molecule/os_hardening/verify_pam.yml
@ -38,7 +38,7 @@
    LANG: "{{ locale | default('C.UTF-8') }}"
  with_sequence: count=6

- name: check ussuccessfull login, with orrect password (lockout)
+- name: check unsuccessfull login, with correct password (lockout)
  shell:
    cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
  environment:
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@ -125,7 +125,7 @@ We know that this is the case on Raspberry Pi.
  - Default: `min=disabled,disabled,16,12,8`
  - Description: set to any option line (as a string) that you want to pass to passwdqc.
 - `os_auth_pam_sssd_enable`
-  - Default: `false` (on RHEL/CentOS8/Amazon/Fedora `true`)
+  - Default: `false` (on RHEL8/CentOS8/Fedora `true`)
  - Description: activate PAM auth support for sssd
 - `os_security_users_allow`
  - Default: `[]`
--- a/roles/os_hardening/tasks/pam_debian.yml
+++ b/roles/os_hardening/tasks/pam_debian.yml
@ -1,7 +1,7 @@
 ---
 - name: install the package for strong password checking
  apt:
-    name: '{{ os_packages_pam_passwdqc }}'
+    name: 'libpam-passwdqc'
    state: 'present'
    update_cache: 'yes'
  when:
@ -17,13 +17,6 @@
  when:
    - os_auth_pam_passwdqc_enable

- name: remove passwdqc
-  apt:
-    name: '{{ os_packages_pam_passwdqc }}'
-    state: 'absent'
-  when:
-    - not os_auth_pam_passwdqc_enable
-
 - name: install tally2
  apt:
    name: 'libpam-modules'
@ -118,3 +111,10 @@
  environment:
    DEBIAN_FRONTEND: noninteractive
  changed_when: false
+
+- name: remove passwdqc
+  apt:
+    name: 'libpam-passwdqc'
+    state: 'absent'
+  when:
+    - not os_auth_pam_passwdqc_enable
--- a/roles/os_hardening/tasks/pam_rhel.yml
+++ b/roles/os_hardening/tasks/pam_rhel.yml
@ -6,6 +6,13 @@
  when:
    - os_auth_pam_sssd_enable | bool

+- name: install the package for strong password checking
+  yum:
+    name: 'pam_passwdqc'
+    state: 'present'
+  when:
+    - os_auth_pam_passwdqc_enable
+
 - name: configure passwdqc and faillock via central system-auth config
  template:
    src: 'etc/pam.d/rhel_auth.j2'
@ -32,7 +39,7 @@
    owner: 'root'
    group: 'root'

- name: enable our config for passwordauth
+- name: enable our config for password-auth
  file:
    src: /etc/pam.d/password-auth-local
    dest: /etc/pam.d/password-auth
@ -44,7 +51,7 @@

 - name: remove passwdqc
  yum:
-    name: '{{ os_packages_pam_passwdqc }}'
+    name: 'pam_passwdqc'
    state: 'absent'
  when:
    - not os_auth_pam_passwdqc_enable
--- a/roles/os_hardening/vars/Amazon.yml
+++ b/roles/os_hardening/vars/Amazon.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
 os_nologin_shell_path: '/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.
--- a/roles/os_hardening/vars/Debian.yml
+++ b/roles/os_hardening/vars/Debian.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'libpam-ccreds'
-os_packages_pam_passwdqc: 'libpam-passwdqc'
 os_nologin_shell_path: '/usr/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.
--- a/roles/os_hardening/vars/Fedora.yml
+++ b/roles/os_hardening/vars/Fedora.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
 os_nologin_shell_path: '/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.
--- a/roles/os_hardening/vars/RedHat.yml
+++ b/roles/os_hardening/vars/RedHat.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
 os_nologin_shell_path: '/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.
--- a/roles/os_hardening/vars/RedHat_7.yml
+++ b/roles/os_hardening/vars/RedHat_7.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
 os_nologin_shell_path: '/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.
--- a/roles/os_hardening/vars/RedHat_8.yml
+++ b/roles/os_hardening/vars/RedHat_8.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
 os_nologin_shell_path: '/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.
--- a/roles/os_hardening/vars/Suse.yml
+++ b/roles/os_hardening/vars/Suse.yml
@ -1,7 +1,6 @@
 ---

 os_packages_pam_ccreds: 'pam_ccreds'
-os_packages_pam_passwdqc: 'pam_passwdqc'
 os_nologin_shell_path: '/sbin/nologin'

 # Different distros use different standards for /etc/shadow perms, e.g.