mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
fix(os_hardening): cast expected int types in pam tasks
Signed-off-by: Diego Louzán <diego.louzan@gmail.com>
This commit is contained in:
Diego Louzán
Diego Louzán
parent
a1f75f877b
commit
f8295d5248
2 changed files with 10 additions and 10 deletions
|
|
@ -22,7 +22,7 @@
|
|||
name: 'libpam-modules'
|
||||
state: 'present'
|
||||
when:
|
||||
- os_auth_retries > 0
|
||||
- os_auth_retries|int > 0
|
||||
|
||||
- name: Manage tally on Debian stable
|
||||
when:
|
||||
|
|
@ -37,14 +37,14 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
when:
|
||||
- os_auth_retries > 0
|
||||
- os_auth_retries|int > 0
|
||||
|
||||
- name: Delete tally2 when retries is 0
|
||||
file:
|
||||
path: '{{ tally2_path }}'
|
||||
state: 'absent'
|
||||
when:
|
||||
- os_auth_retries == 0
|
||||
- os_auth_retries|int == 0
|
||||
|
||||
- name: Manage tally/faillock on Debian unstable
|
||||
when:
|
||||
|
|
@ -80,7 +80,7 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
when:
|
||||
- os_auth_retries > 0
|
||||
- os_auth_retries|int > 0
|
||||
|
||||
- name: Configure faillock pam authfail
|
||||
template:
|
||||
|
|
@ -90,21 +90,21 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
when:
|
||||
- os_auth_retries > 0
|
||||
- os_auth_retries|int > 0
|
||||
|
||||
- name: Delete faillock when retries is 0
|
||||
file:
|
||||
path: '/usr/share/pam-configs/faillock'
|
||||
state: 'absent'
|
||||
when:
|
||||
- os_auth_retries == 0
|
||||
- os_auth_retries|int == 0
|
||||
|
||||
- name: Delete faillock authfail when retries is 0
|
||||
file:
|
||||
path: '/usr/share/pam-configs/faillock_authfail'
|
||||
state: 'absent'
|
||||
when:
|
||||
- os_auth_retries == 0
|
||||
- os_auth_retries|int == 0
|
||||
|
||||
- name: Update pam on Debian systems
|
||||
command: 'pam-auth-update --package'
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
#%PAM-1.0
|
||||
auth required pam_env.so
|
||||
auth required pam_faildelay.so delay=2000000
|
||||
{% if os_auth_retries > 0 %}
|
||||
{% if os_auth_retries|int > 0 %}
|
||||
auth required pam_faillock.so preauth silent audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
|
||||
{% endif %}
|
||||
{% if (os_auth_pam_sssd_enable | bool) %}
|
||||
|
|
@ -16,12 +16,12 @@ auth sufficient pam_unix.so nullok try_first_pass
|
|||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
{% endif %}
|
||||
{% if os_auth_retries > 0 %}
|
||||
{% if os_auth_retries|int > 0 %}
|
||||
auth required pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
|
||||
{% endif %}
|
||||
auth required pam_deny.so
|
||||
|
||||
{% if os_auth_retries > 0 %}
|
||||
{% if os_auth_retries|int > 0 %}
|
||||
account required pam_faillock.so
|
||||
{% endif %}
|
||||
account required pam_unix.so
|
||||
|
|
|
|||
Loading…
Reference in a new issue