public-health-ch/ansible/roles/dev-sec.os-hardening/templates/rhel_system_auth.j2
2017-04-24 14:22:51 +02:00

40 lines
1.5 KiB
Django/Jinja

# {{ ansible_managed }}
#---
#%PAM-1.0
{% if os_auth_retries > 0 %}
auth required pam_tally2.so deny={{os_auth_retries}} onerr=fail unlock_time={{os_auth_lockout_time}}
{% endif %}
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
{% if os_auth_retries > 0 %}
account required pam_tally2.so
{% endif %}
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
{% if os_auth_pam_passwdqc_enable %}
{%- if ansible_os_family == 'RedHat' and ansible_distribution_version >= '7' %}
password required pam_pwquality.so {{os_auth_pam_pwquality_options}}
{%- else %}
password requisite pam_passwdqc.so {{os_auth_pam_passwdqc_options}}
{%- endif %}
{% else %}
password requisite pam_cracklib.so try_first_pass retry=3 type=
{% endif %}
# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
# NSA 2.3.3.6 Limit Password Reuse
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so