Apply pam_faillock restrictions [+Docs]

This patch applies pam_faillock restrictions to Red Hat and CentOS servers. It's an optional change since it could cause issues with existing production deployments. Ubuntu doesn't have pam_faillock, but it may be possible to use fail2ban to achieve some of the same goals later. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ib2d22deff2d97786b84a550313f6ca08cf10cef8
2016-12-01 11:37:46 -06:00 · 2016-12-01 11:37:46 -06:00 · fa657903bc
commit fa657903bc
parent ec13a98854
6 changed files with 76 additions and 9 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -484,6 +484,12 @@ security_shadow_utils_umask: 077                             # RHEL-07-020230
 security_shadow_utils_create_home: yes                       # RHEL-07-020630
 # How many old user password to remember to prevent password re-use.
 #security_password_remember_password: 5                       # RHEL-07-010240
+# Lock user accounts with excessive login failures. See documentation.
+security_pam_faillock_enable: no                             # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
+security_pam_faillock_interval: 900
+security_pam_faillock_attempts: 3
+security_pam_faillock_deny_root: yes                         # RHEL-07-010373
+security_pam_faillock_unlock_time: 604800                    # RHEL-07-010372

 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
--- a/doc/metadata/rhel7/RHEL-07-010371.rst
+++ b/doc/metadata/rhel7/RHEL-07-010371.rst
@ -1,7 +1,44 @@
 ---
 id: RHEL-07-010371
-status: not implemented
-tag: misc
+status: opt-in - Red Hat Only
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+The STIG requires that accounts with excessive failed login attempts are
+locked. It sets a limit of three failed attempts in a 15 minute interval and
+these restrictions are applied to all users (including root).  Accounts cannot
+be automatically unlocked for seven days.
+
+This change might cause disruptions in production environments without proper
+communication to users. Therefore, this change is not applied by default.
+
+Deployers can opt in for the change by setting the following variable:
+
+.. code-block:: yaml
+
+    security_pam_faillock_enable: yes
+
+There are also three configuration options that can be adjusted by setting
+Ansible variables:
+
+* ``security_pam_faillock_attempts``: This many failed login attempts within
+  the specified time interval with trigger the account to lock.
+  (STIG requirement: ``3`` attempts)
+
+* ``security_pam_faillock_interval``: This is the time interval (in seconds)
+  to use when measuring excessive failed login attempts.
+  (STIG requirement: ``900`` seconds)
+
+* ``security_pam_faillock_deny_root``: Set to ``yes`` to apply the restriction
+  to the root user or set to ``no`` to exempt the root user from the account
+  locking restrictions.
+  (STIG requirement: ``yes``)
+
+* ``security_pam_faillock_unlock_time``: This sets the time delay (in seconds)
+  before a locked account is automatically unlocked.
+  (STIG requirement: ``604800`` seconds)
+
+.. note::
+
+    Ubuntu does not provide ``pam_faillock``. This change is only applied to
+    CentOS 7 or Red Hat Enterprise Linux 7 systems.
--- a/doc/metadata/rhel7/RHEL-07-010372.rst
+++ b/doc/metadata/rhel7/RHEL-07-010372.rst
@ -1,7 +1,9 @@
 ---
 id: RHEL-07-010372
-status: not implemented
-tag: misc
+status: opt-in - Red Hat Only
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+This STIG control is implemented by:
+
+* :ref:`stig-RHEL-07-010371`
--- a/doc/metadata/rhel7/RHEL-07-010373.rst
+++ b/doc/metadata/rhel7/RHEL-07-010373.rst
@ -1,7 +1,9 @@
 ---
 id: RHEL-07-010373
-status: not implemented
-tag: misc
+status: opt-in - Red Hat Only
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+This STIG control is implemented by:
+
+* :ref:`stig-RHEL-07-010371`
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -178,6 +178,23 @@
    - high
    - RHEL-07-010260

+- name: RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
+  blockinfile:
+    dest: pam_password_file
+    state: present
+    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    insertbefore: EOF
+    block: "{{ lookup('template', 'pam_faillock.j2') }}"
+  when:
+    - ansible_os_family | lower == 'redhat'
+    - security_pam_faillock_enable | bool
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010371
+    - RHEL-07-010372
+    - RHEL-07-010373
+
 - name: Check for 'nopasswd' in sudoers files
  shell: grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ || echo 'not found'
  register: sudoers_nopasswd_check
--- a/templates/pam_faillock.j2
+++ b/templates/pam_faillock.j2
@ -0,0 +1,3 @@
+# RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
+auth required pam_faillock.so preauth silent audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}"
+auth [default=die] pam_faillock.so authfail audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}"