Replace pam_tally2 with pam_faillock in Redhat #273

Closed
martinbydefault opened this issue May 14, 2020 · 2 comments

Comments

@martinbydefault
Contributor

martinbydefault commented May 14, 2020

Redhat security guide recommends the use of pam_faillock to configure account lockout policy.

Currently the PAM module used in the role to configure account lockout is pam_tally2:
https://github.com/dev-sec/ansible-os-hardening/blob/ac9fbb312a41fa91fa18da48e700bae6ae97328a/tasks/pam.yml#L112-L119
https://github.com/dev-sec/ansible-os-hardening/blob/ac9fbb312a41fa91fa18da48e700bae6ae97328a/templates/etc/pam.d/rhel_system_auth.j2#L5-L13

I would like to suggest switching to faillock for Redhat.
I can provide a PR with the needed changes, based on configuration examples from the Redhat guide.

Also, there are 2 other open issues related to this, #194 and #252, that I could try to solve in the changes.

@rndmh3ro
Member

After reading some time about pam_faillock, it seems to be the successor to pam_tally and pam_tally2.

> I can provide a PR with the needed changes, based on configuration examples from the Redhat guide.

This sounds good!

> Also, there are 2 other open issues related to this, #194 and #252, that I could try to solve in the changes.

If you can separate these changes into different commits, I'm fine with this.

@schurzi
Contributor

schurzi commented Mar 16, 2021

We have now switched to pam_faillock.

@schurzi schurzi closed this as completed Mar 16, 2021
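
As an added example (not part of the thread and not the role's own code), a check that a PAM service file has actually been migrated from pam_tally2 to pam_faillock. It assumes the rule order used in Red Hat's pam_faillock documentation (a `preauth` rule before pam_unix, an `authfail` rule after it, plus an `account` rule); the function names and the sample stacks are constructed for illustration.

```python
import re

# Fields of a PAM rule: type, control (word or [bracketed list]), module, args.
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
LEGACY_MODULES = {"pam_tally.so", "pam_tally2.so"}

def parse_stack(text):
    """Return (type, module, args) per rule, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            ptype, _control, module, args = m.groups()
            rules.append((ptype.lstrip("-"), module.rsplit("/", 1)[-1], args.split()))
    return rules

def audit_lockout(text):
    """List problems in the account-lockout rules of one PAM service file."""
    rules = parse_stack(text)
    findings = [f"legacy module still referenced: {m}"
                for m in sorted({mod for _, mod, _ in rules} & LEGACY_MODULES)]
    auth = [(mod, args) for ptype, mod, args in rules if ptype == "auth"]
    unix = [i for i, (mod, _) in enumerate(auth) if mod == "pam_unix.so"]
    def faillock(flag):  # positions of pam_faillock auth rules carrying this flag
        return [i for i, (mod, args) in enumerate(auth)
                if mod == "pam_faillock.so" and flag in args]
    pre, fail = faillock("preauth"), faillock("authfail")
    if not pre or (unix and min(pre) > unix[0]):
        findings.append("no pam_faillock preauth rule before pam_unix")
    if not fail or (unix and max(fail) < unix[0]):
        findings.append("no pam_faillock authfail rule after pam_unix")
    if not any(t == "account" and m == "pam_faillock.so" for t, m, _ in rules):
        findings.append("pam_faillock missing from the account stack")
    return findings

# Constructed sample stacks; deny/unlock_time values are illustrative only.
LEGACY = """\
auth     required      pam_tally2.so deny=5 onerr=fail unlock_time=600
auth     sufficient    pam_unix.so try_first_pass
account  required      pam_tally2.so
"""
MIGRATED = """\
auth     required      pam_faillock.so preauth silent deny=5 unlock_time=600
auth     sufficient    pam_unix.so try_first_pass
auth     [default=die] pam_faillock.so authfail deny=5 unlock_time=600
account  required      pam_faillock.so
"""
```

Running `audit_lockout` over each rendered file under `/etc/pam.d/` after the role has been applied shows whether any service still references the legacy modules.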
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
…td-banner

Disable also dynamic MOTD via PAM if enabled - refs dev-sec#271