Merge pull request #7929 from marcusburghardt/BZ1956972

Update pam_faillock.so rules

controls/stig_rhel8.yml

@@ -860,7 +860,9 @@ controls:
             - medium
         title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts
             occur.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_deny
+        status: automated
     -   id: RHEL-08-020012
         levels:
             - medium
@@ -874,7 +876,9 @@ controls:
             - medium
         title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts
             occur during a 15-minute time period.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_interval
+        status: automated
     -   id: RHEL-08-020014
         levels:
             - medium
@@ -895,24 +899,32 @@ controls:
         levels:
             - medium
         title: RHEL 8 must ensure account lockouts persist.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_unlock_time
+        status: automated
     -   id: RHEL-08-020017
         levels:
             - medium
         title: RHEL 8 must ensure account lockouts persist.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_unlock_time
+        status: automated
     -   id: RHEL-08-020018
         levels:
             - medium
         title: RHEL 8 must prevent system messages from being presented when three unsuccessful
             logon attempts occur.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_deny
+        status: automated
     -   id: RHEL-08-020019
         levels:
             - medium
         title: RHEL 8 must prevent system messages from being presented when three unsuccessful
             logon attempts occur.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_deny
+        status: automated
     -   id: RHEL-08-020020
         levels:
             - medium
@@ -938,7 +950,9 @@ controls:
         title: RHEL 8 must include root when automatically locking an account until the
             locked account is released by an administrator when three unsuccessful logon attempts
             occur during a 15-minute time period.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_deny_root
+        status: automated
     -   id: RHEL-08-020024
         levels:
             - low
@@ -2701,13 +2715,17 @@ controls:
             - medium
         title: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth
             file.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_deny
+        status: automated
     -   id: RHEL-08-020026
         levels:
             - medium
         title: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth
             file.
-        status: pending
+        rules:
+            - accounts_passwords_pam_faillock_deny
+        status: automated
     -   id: RHEL-08-020031
         levels:
             - medium

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml

@@ -5,77 +5,98 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
 
-- name: Add auth pam_faillock preauth deny before pam_unix.so
-  pamd:
-    name: "{{ item }}"
-    type: auth
-    control: sufficient
-    module_path: pam_unix.so
-    new_type: auth
-    new_control: required
-    new_module_path: pam_faillock.so
-    module_arguments: 'preauth
-        silent
-        deny={{ var_accounts_passwords_pam_faillock_deny }}'
-    state: before
-  loop:
-    - system-auth
-    - password-auth
+- name: Check if system relies on authconfig
+  ansible.builtin.stat:
+    path: /usr/sbin/authconfig
+  register: result_authconfig_check
+
+- name: Check the presence of /etc/security/faillock.conf file
+  ansible.builtin.stat:
+    path: /etc/security/faillock.conf
+  register: result_faillock_conf_check
+
+- name: Ensure the pam_faillock.so deny parameter in /etc/security/faillock.conf
+  ansible.builtin.lineinfile:
+    path: /etc/security/faillock.conf
+    regexp: ^\s*deny\s*=
+    line: deny = {{ var_accounts_passwords_pam_faillock_deny }}
+    state: present
+  when:
+    - result_faillock_conf_check.stat.exists
 
-- name: Add deny argument to auth pam_faillock preauth
-  pamd:
-    name: "{{ item }}"
-    type: auth
-    control: required
-    module_path: pam_faillock.so
-    module_arguments: 'preauth
-        silent
-        deny={{ var_accounts_passwords_pam_faillock_deny }}'
-    state: args_present
+- name: Check if pam_faillock.so is already enabled
+  ansible.builtin.lineinfile:
+    path: /etc/pam.d/system-auth
+    regexp: .*auth.*pam_faillock.so.*
+    state: absent
+  check_mode: yes
+  changed_when: false
+  register: result_pam_faillock_enabled
+
+- name: Ensure the pam_faillock.so preauth parameters are not present in the pam files
+  ansible.builtin.lineinfile:
+    path: '{{ item }}'
+    backrefs: true
+    regexp: (.*pam_faillock.so preauth).*$
+    line: \1 silent
+    state: present
   loop:
-    - system-auth
-    - password-auth
+    - /etc/pam.d/system-auth
+    - /etc/pam.d/password-auth
+  when:
+    - result_faillock_conf_check.stat.exists
+    - result_pam_faillock_enabled.found
 
-- name: Add auth pam_faillock authfail deny after pam_unix.so
-  pamd:
-    name: "{{ item }}"
-    type: auth
-    control: sufficient
-    module_path: pam_unix.so
-    new_type: auth
-    new_control: '[default=die]'
-    new_module_path: pam_faillock.so
-    module_arguments: 'authfail
-        deny={{ var_accounts_passwords_pam_faillock_deny }}'
-    state: after
+- name: Ensure the pam_faillock.so authfail parameters are not present in the pam files
+  ansible.builtin.lineinfile:
+    path: '{{ item }}'
+    backrefs: true
+    regexp: (.*pam_faillock.so authfail).*$
+    line: \1
+    state: present
   loop:
-    - system-auth
-    - password-auth
+    - /etc/pam.d/system-auth
+    - /etc/pam.d/password-auth
+  when:
+    - result_faillock_conf_check.stat.exists
+    - result_pam_faillock_enabled.found
+
+- name: Ensure pam_faillock.so is properly enabled using authconfig tool
+  ansible.builtin.command:
+    cmd: authconfig --enablefaillock --update
+  when:
+    - result_authconfig_check.stat.exists
+
+- name: Ensure pam_faillock.so is properly enabled using authselect
+  ansible.builtin.command:
+    cmd: authselect enable-feature with-faillock
+  register: result_pam_authselect_cmd
+  when:
+    - result_faillock_conf_check.stat.exists
+    - not result_pam_faillock_enabled.found
 
-- name: Add deny argument to auth pam_faillock authfail
-  pamd:
-    name: "{{ item }}"
-    type: auth
-    new_type: auth
-    control: '[default=die]'
-    module_path: pam_faillock.so
-    module_arguments: 'authfail
-        deny={{ var_accounts_passwords_pam_faillock_deny }}'
-    state: args_present
+- name: Ensure the pam_faillock.so preauth deny parameter in auth section
+  ansible.builtin.lineinfile:
+    path: "{{ item }}"
+    backrefs: true
+    regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-5]+(.*)
+    line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
+    state: present
   loop:
-    - system-auth
-    - password-auth
+    - /etc/pam.d/system-auth
+    - /etc/pam.d/password-auth
+  when:
+    - not result_faillock_conf_check.stat.exists
 
-- name: Add account pam_faillock before pam_unix.so
-  pamd:
-    name: "{{ item }}"
-    type: account
-    control: required
-    module_path: pam_unix.so
-    new_type: account
-    new_control: required
-    new_module_path: pam_faillock.so
-    state: before
+- name: Ensure the pam_faillock.so authfail deny parameter in auth section
+  ansible.builtin.lineinfile:
+    path: "{{ item }}"
+    backrefs: true
+    regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-5]+(.*)
+    line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5
+    state: present
   loop:
-    - system-auth
-    - password-auth
+    - /etc/pam.d/system-auth
+    - /etc/pam.d/password-auth
+  when:
+    - not result_faillock_conf_check.stat.exists

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh

@@ -2,4 +2,33 @@
 
 {{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
 
-{{{ bash_set_faillock_option("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
+SYSTEM_AUTH="/etc/pam.d/system-auth"
+PASSWORD_AUTH="/etc/pam.d/password-auth"
+FAILLOCK_CONF="/etc/security/faillock.conf"
+
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
+   [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+   echo "Skipping remediation because there are more pam_unix.so entries than expected."
+   false
+fi
+
+if [ -f $FAILLOCK_CONF ]; then
+    if $(grep -q '^\s*deny\s*=' $FAILLOCK_CONF); then
+        sed -i --follow-symlinks "s/^\s*\(deny\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_deny/g" $FAILLOCK_CONF
+    else
+        echo "deny = $var_accounts_passwords_pam_faillock_deny" >> $FAILLOCK_CONF
+    fi
+    # If the faillock.conf file is present, but for any reason, like an OS upgrade, the
+    # pam_faillock.so parameters are still defined in pam files, this makes them compatible with
+    # the newer versions of authselect tool and ensure the parameters are only in faillock.conf.
+    sed -i --follow-symlinks 's/\(pam_faillock.so preauth\).*$/\1 silent/g' $SYSTEM_AUTH $PASSWORD_AUTH
+    sed -i --follow-symlinks 's/\(pam_faillock.so authfail\).*$/\1/g' $SYSTEM_AUTH $PASSWORD_AUTH
+    authselect enable-feature with-faillock
+else
+    if [ -f /usr/sbin/authconfig ]; then
+        authconfig --enablefaillock --update
+    else
+        authselect enable-feature with-faillock
+    fi
+    {{{ bash_set_faillock_option("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
+fi