From fa657903bce0c89264e5e1e72bcad1f899b42ea4 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Thu, 1 Dec 2016 11:37:46 -0600 Subject: [PATCH] Apply pam_faillock restrictions [+Docs] This patch applies pam_faillock restrictions to Red Hat and CentOS servers. It's an optional change since it could cause issues with existing production deployments. Ubuntu doesn't have pam_faillock, but it may be possible to use fail2ban to achieve some of the same goals later. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ib2d22deff2d97786b84a550313f6ca08cf10cef8
---
defaults/main.yml | 6 ++++ doc/metadata/rhel7/RHEL-07-010371.rst | 43 +++++++++++++++++++++++++-- doc/metadata/rhel7/RHEL-07-010372.rst | 8 +++-- doc/metadata/rhel7/RHEL-07-010373.rst | 8 +++-- tasks/rhel7stig/auth.yml | 17 +++++++++++ templates/pam_faillock.j2 | 3 ++ 6 files changed, 76 insertions(+), 9 deletions(-) create mode 100644 templates/pam_faillock.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index d6c852d8..3fd78a83 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -484,6 +484,12 @@ security_shadow_utils_umask: 077 # RHEL-07-020230
 security_shadow_utils_create_home: yes # RHEL-07-020630
 # How many old user password to remember to prevent password re-use.
 #security_password_remember_password: 5 # RHEL-07-010240
+# Lock user accounts with excessive login failures. See documentation.
+security_pam_faillock_enable: no # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
+security_pam_faillock_interval: 900
+security_pam_faillock_attempts: 3
+security_pam_faillock_deny_root: yes # RHEL-07-010373
+security_pam_faillock_unlock_time: 604800 # RHEL-07-010372
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
diff --git a/doc/metadata/rhel7/RHEL-07-010371.rst b/doc/metadata/rhel7/RHEL-07-010371.rst
index 4a24412e..2ca33a5e 100644
--- a/doc/metadata/rhel7/RHEL-07-010371.rst
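Review bot: The new `security_pam_faillock_interval`, `security_pam_faillock_attempts` and `security_pam_faillock_unlock_time` defaults carry no unit or origin, unlike the neighbouring keys whose inline comments name their STIG id, so a deployer tuning them in this file cannot tell that 900 and 604800 are seconds without opening RHEL-07-010371.rst. I would annotate them as `security_pam_faillock_interval: 900 # seconds (STIG requirement)`, `security_pam_faillock_attempts: 3 # STIG requirement` and `security_pam_faillock_unlock_time: 604800 # seconds (seven days) RHEL-07-010372`. These comments only restate the units and values the .rst added in this same commit already documents.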
+++ b/doc/metadata/rhel7/RHEL-07-010371.rst
@@ -1,7 +1,44 @@
 ---
 id: RHEL-07-010371
-status: not implemented
-tag: misc
+status: opt-in - Red Hat Only
+tag: auth
 ---
-This STIG requirement is not yet implemented.
+The STIG requires that accounts with excessive failed login attempts are
+locked. It sets a limit of three failed attempts in a 15 minute interval and
+these restrictions are applied to all users (including root). Accounts cannot
+be automatically unlocked for seven days.
+
+This change might cause disruptions in production environments without proper
+communication to users. Therefore, this change is not applied by default.
+
+Deployers can opt in for the change by setting the following variable:
+
+.. code-block:: yaml
+
+ security_pam_faillock_enable: yes
+
+There are also three configuration options that can be adjusted by setting
+Ansible variables:
+
+* ``security_pam_faillock_attempts``: This many failed login attempts within
+ the specified time interval with trigger the account to lock.
+ (STIG requirement: ``3`` attempts)
+
+* ``security_pam_faillock_interval``: This is the time interval (in seconds)
+ to use when measuring excessive failed login attempts.
+ (STIG requirement: ``900`` seconds)
+
+* ``security_pam_faillock_deny_root``: Set to ``yes`` to apply the restriction
+ to the root user or set to ``no`` to exempt the root user from the account
+ locking restrictions.
+ (STIG requirement: ``yes``)
+
+* ``security_pam_faillock_unlock_time``: This sets the time delay (in seconds)
+ before a locked account is automatically unlocked.
+ (STIG requirement: ``604800`` seconds)
+
+.. note::
+
+ Ubuntu does not provide ``pam_faillock``. This change is only applied to
+ CentOS 7 or Red Hat Enterprise Linux 7 systems.
diff --git a/doc/metadata/rhel7/RHEL-07-010372.rst b/doc/metadata/rhel7/RHEL-07-010372.rst
index 3f28566e..6b93c717 100644
--- a/doc/metadata/rhel7/RHEL-07-010372.rst
+++ b/doc/metadata/rhel7/RHEL-07-010372.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-010372
-status: not implemented
-tag: misc
+status: opt-in - Red Hat Only
+tag: auth
 ---
-This STIG requirement is not yet implemented.
+This STIG control is implemented by:
+
+* :ref:`stig-RHEL-07-010371`
diff --git a/doc/metadata/rhel7/RHEL-07-010373.rst b/doc/metadata/rhel7/RHEL-07-010373.rst
index 273d1c6e..c4953da9 100644
--- a/doc/metadata/rhel7/RHEL-07-010373.rst
+++ b/doc/metadata/rhel7/RHEL-07-010373.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-010373
-status: not implemented
-tag: misc
+status: opt-in - Red Hat Only
+tag: auth
 ---
-This STIG requirement is not yet implemented.
+This STIG control is implemented by:
+
+* :ref:`stig-RHEL-07-010371`
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 0fa4f6e1..c0f12a3d 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -178,6 +178,23 @@
 - high
 - RHEL-07-010260
+- name: RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
+ blockinfile:
+ dest: pam_password_file
+ state: present
+ marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+ insertbefore: EOF
+ block: "{{ lookup('template', 'pam_faillock.j2') }}"
+ when:
+ - ansible_os_family | lower == 'redhat'
+ - security_pam_faillock_enable | bool
+ tags:
+ - auth
+ - medium
+ - RHEL-07-010371
+ - RHEL-07-010372
+ - RHEL-07-010373
+
 - name: Check for 'nopasswd' in sudoers files
 shell: grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ || echo 'not found'
 register: sudoers_nopasswd_check
diff --git a/templates/pam_faillock.j2 b/templates/pam_faillock.j2
new file mode 100644
index 00000000..28c5ed8e
--- /dev/null
+++ b/templates/pam_faillock.j2
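Review bot: `dest: pam_password_file` in the new RHEL-07-010371 task is a plain string, not a templated expression, so blockinfile will create a file literally named `pam_password_file` relative to the working directory instead of editing the PAM stack; if `pam_password_file` is the role variable its name suggests, this needs to be `dest: "{{ pam_password_file }}"`. `insertbefore: EOF` is also suspect, because blockinfile's `insertbefore` takes `BOF` or a regex while `EOF` is the `insertafter` keyword; `insertafter: EOF` (the module default) is what appending at the end means. Beyond the syntax, appending the template at the end of the file places the `preauth` line after the existing auth stack, and with the stock stack — which is not in the hunk, so this is inferred — a `sufficient pam_unix.so` that succeeds returns before pam_faillock is consulted, so a locked account with the correct password would still log in; the insertion should be anchored before the `pam_unix.so` auth line rather than at EOF. The STIG check text also expects the same lines in both system-auth and password-auth, whereas this task writes to a single file, which is worth confirming against the control.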
@@ -0,0 +1,3 @@
+# RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
+auth required pam_faillock.so preauth silent audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}"
+auth [default=die] pam_faillock.so authfail audit deny="{{ security_pam_faillock_attempts }}" "{{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }}" fail_interval="{{ security_pam_faillock_interval }}" unlock_time="{{ security_pam_faillock_unlock_time }}"
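Review bot: The double quotes around every templated value on both `auth` lines become part of the argument PAM hands to the module: to my knowledge a PAM config line is split on whitespace (with `[...]` for bracketed values) and is not shell-parsed, so pam_faillock receives `deny="3"` rather than `deny=3`, and when `security_pam_faillock_deny_root` is false the `ternary` renders a stray `""` token. A non-numeric `deny=` is rejected by the module's option parser with a "bad number" error, and whether that fails the call or leaves the defaults in place depends on the version — I have not verified which — but either way the STIG thresholds are not what gets applied, so the quotes should be dropped on both lines: `deny={{ security_pam_faillock_attempts }} {{ security_pam_faillock_deny_root | bool | ternary('even_deny_root','') }} fail_interval={{ security_pam_faillock_interval }} unlock_time={{ security_pam_faillock_unlock_time }}`. The pam_faillock(8) man page also expects an `account required pam_faillock.so` line so that a successful login clears the tally; without it legitimate users accumulate failures across sessions until they hit the limit, which is worth confirming against the man page before adding it. The STIG fix text interleaves `auth sufficient pam_unix.so` between the `preauth` and `authfail` lines, whereas this template emits both adjacent to each other, so correct placement has to be handled by the task that inserts the block.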