Merge "Check for pam_lastlogin [+Docs]"

doc/metadata/rhel7/RHEL-07-040300.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040300
-status: not implemented
-tag: misc
+status: verification only
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The PAM configuration is checked for the presence of ``pam_lastlogin`` and a
+warning message is printed if the directive is not found. The tasks in the
+security role do not adjust PAM configurations since these changes might be
+disruptive in some environments.
+
+Deployers should review their PAM configurations and add ``pam_lastlogin`` to
+``/etc/pam.d/postlogin`` on CentOS and Red Hat Enterprise Linux or to
+``/etc/pam.d/login`` on Ubuntu.

tasks/rhel7stig/auth.yml

@@ -444,3 +444,24 @@
     - medium
     - auth
     - RHEL-07-040040
+
+- name: Check for pam_lastlog in PAM configuration
+  command: "grep pam_lastlog {{ pam_postlogin_file }}"
+  register: pam_lastlog_check
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-040300 - Display date/time of last logon after logon
+  debug:
+    msg: >
+      The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
+      This is required by RHEL-07-040300.
+  when:
+    - pam_lastlog_check.rc != 0
+  tags:
+    - low
+    - auth
+    - RHEL-07-040300

vars/redhat.yml

@@ -22,6 +22,7 @@
 # Configuration file paths
 pam_auth_file: /etc/pam.d/system-auth
 pam_password_file: /etc/pam.d/password-auth
+pam_postlogin_file: /etc/pam.d/postlogin
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
 grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"

vars/ubuntu.yml

@@ -25,6 +25,7 @@ cache_timeout: 600
 # Configuration file paths
 pam_auth_file: /etc/pam.d/common-auth
 pam_password_file: /etc/pam.d/common-password
+pam_postlogin_file: /etc/pam.d/login
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
 grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg