public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/pam.yml

---
- name: update pam on Debian systems
  command: 'pam-auth-update --package'
  when: ansible_facts.distribution in ['Debian', 'Ubuntu']
  changed_when: False
  environment:
    DEBIAN_FRONTEND: noninteractive

# the reason for this is so a user cannot connect to a server,
# that isn't connected to an LDAP server anymore.
# normally caching credentials shouldn't be necessary for most machines.
# removing it provides some more security while not removing usability.
- name: remove pam ccreds to disable password caching
  package:
    name: '{{ os_packages_pam_ccreds }}'
    state: 'absent'

- name: remove pam_cracklib, because it does not play nice with passwdqc
  apt:
    name: '{{ os_packages_pam_cracklib }}'
    state: 'absent'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - os_auth_pam_passwdqc_enable

- name: install the package for strong password checking
  apt:
    name: '{{ os_packages_pam_passwdqc }}'
    state: 'present'
    update_cache: 'yes'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - os_auth_pam_passwdqc_enable

- name: configure passwdqc
  template:
    src: 'usr/share/pam-configs/pam_passwdqd.j2'
    dest: '{{ passwdqc_path }}'
    mode: '0644'
    owner: 'root'
    group: 'root'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - os_auth_pam_passwdqc_enable

- name: remove passwdqc
  apt:
    name: '{{ os_packages_pam_passwdqc }}'
    state: 'absent'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - not os_auth_pam_passwdqc_enable

- name: install tally2
  apt:
    name: 'libpam-modules'
    state: 'present'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - not os_auth_pam_passwdqc_enable
    - os_auth_retries > 0

- name: configure tally2
  template:
    src: 'usr/share/pam-configs/pam_tally2.j2'
    dest: '{{ tally2_path }}'
    mode: '0644'
    owner: 'root'
    group: 'root'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - not os_auth_pam_passwdqc_enable
    - os_auth_retries > 0

- name: delete tally2 when retries is 0
  file:
    path: '{{ tally2_path }}'
    state: 'absent'
  when:
    - ansible_facts.distribution in ['Debian', 'Ubuntu']
    - not os_auth_pam_passwdqc_enable
    - os_auth_retries == 0

- name: remove pam_cracklib, because it does not play nice with passwdqc
  yum:
    name: '{{ os_packages_pam_cracklib }}'
    state: 'absent'
  when:
    - ansible_facts.os_family == 'RedHat'
    - ansible_facts.distribution_major_version|int is version('7', '<')
    - ansible_facts.distribution != 'Amazon'
    - os_auth_pam_passwdqc_enable

- name: install the package for strong password checking
  yum:
    name: '{{ os_packages_pam_passwdqc }}'
    state: 'present'
  when:
    - ansible_facts.os_family == 'RedHat'
    - ansible_facts.distribution_major_version|int is version('7', '<')
    - ansible_facts.distribution != 'Amazon'
    - os_auth_pam_passwdqc_enable

- name: remove passwdqc
  yum:
    name: '{{ os_packages_pam_passwdqc }}'
    state: 'absent'
  when:
    - ansible_facts.os_family == 'RedHat'
    - not os_auth_pam_passwdqc_enable

- name: configure passwdqc and tally via central system-auth confic
  template:
    src: 'etc/pam.d/rhel_system_auth.j2'
    dest: '/etc/pam.d/system-auth-ac'
    mode: '0640'
    owner: 'root'
    group: 'root'
  when: ansible_facts.os_family == 'RedHat'

- name: Gather package facts
  package_facts:
    manager: auto

- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
  template:
    src: 'etc/libuser.conf.j2'
    dest: '/etc/libuser.conf'
    mode: '0640'
    owner: 'root'
    group: 'root'
  when: "'libuser' in ansible_facts.packages"
Ansible deployment 2017-04-24 12:22:51 +00:00			`---`
			`- name: update pam on Debian systems`
			`command: 'pam-auth-update --package'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when: ansible_facts.distribution in ['Debian', 'Ubuntu']`
Ansible deployment 2017-04-24 12:22:51 +00:00			`changed_when: False`
			`environment:`
			`DEBIAN_FRONTEND: noninteractive`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# the reason for this is so a user cannot connect to a server,`
			`# that isn't connected to an LDAP server anymore.`
			`# normally caching credentials shouldn't be necessary for most machines.`
			`# removing it provides some more security while not removing usability.`
			`- name: remove pam ccreds to disable password caching`
			`package:`
			`name: '{{ os_packages_pam_ccreds }}'`
			`state: 'absent'`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: remove pam_cracklib, because it does not play nice with passwdqc`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`apt:`
			`name: '{{ os_packages_pam_cracklib }}'`
			`state: 'absent'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: install the package for strong password checking`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`apt:`
			`name: '{{ os_packages_pam_passwdqc }}'`
			`state: 'present'`
			`update_cache: 'yes'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: configure passwdqc`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`template:`
			`src: 'usr/share/pam-configs/pam_passwdqd.j2'`
			`dest: '{{ passwdqc_path }}'`
			`mode: '0644'`
			`owner: 'root'`
			`group: 'root'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: remove passwdqc`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`apt:`
			`name: '{{ os_packages_pam_passwdqc }}'`
			`state: 'absent'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- not os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: install tally2`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`apt:`
			`name: 'libpam-modules'`
			`state: 'present'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- not os_auth_pam_passwdqc_enable`
			`- os_auth_retries > 0`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: configure tally2`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`template:`
			`src: 'usr/share/pam-configs/pam_tally2.j2'`
			`dest: '{{ tally2_path }}'`
			`mode: '0644'`
			`owner: 'root'`
			`group: 'root'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- not os_auth_pam_passwdqc_enable`
			`- os_auth_retries > 0`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: delete tally2 when retries is 0`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`file:`
			`path: '{{ tally2_path }}'`
			`state: 'absent'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.distribution in ['Debian', 'Ubuntu']`
			`- not os_auth_pam_passwdqc_enable`
			`- os_auth_retries == 0`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: remove pam_cracklib, because it does not play nice with passwdqc`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`yum:`
			`name: '{{ os_packages_pam_cracklib }}'`
			`state: 'absent'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.os_family == 'RedHat'`
			`- ansible_facts.distribution_major_version\|int is version('7', '<')`
			`- ansible_facts.distribution != 'Amazon'`
			`- os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: install the package for strong password checking`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`yum:`
			`name: '{{ os_packages_pam_passwdqc }}'`
			`state: 'present'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.os_family == 'RedHat'`
			`- ansible_facts.distribution_major_version\|int is version('7', '<')`
			`- ansible_facts.distribution != 'Amazon'`
			`- os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: remove passwdqc`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`yum:`
			`name: '{{ os_packages_pam_passwdqc }}'`
			`state: 'absent'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when:`
			`- ansible_facts.os_family == 'RedHat'`
			`- not os_auth_pam_passwdqc_enable`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: configure passwdqc and tally via central system-auth confic`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`template:`
			`src: 'etc/pam.d/rhel_system_auth.j2'`
			`dest: '/etc/pam.d/system-auth-ac'`
			`mode: '0640'`
			`owner: 'root'`
			`group: 'root'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when: ansible_facts.os_family == 'RedHat'`

			`- name: Gather package facts`
			`package_facts:`
			`manager: auto`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`template:`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`src: 'etc/libuser.conf.j2'`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`dest: '/etc/libuser.conf'`
			`mode: '0640'`
			`owner: 'root'`
			`group: 'root'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`when: "'libuser' in ansible_facts.packages"`