135 lines
3.7 KiB
YAML
135 lines
3.7 KiB
YAML
---
|
|
- name: update pam on Debian systems
|
|
command: 'pam-auth-update --package'
|
|
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
changed_when: False
|
|
environment:
|
|
DEBIAN_FRONTEND: noninteractive
|
|
|
|
# the reason for this is so a user cannot connect to a server,
|
|
# that isn't connected to an LDAP server anymore.
|
|
# normally caching credentials shouldn't be necessary for most machines.
|
|
# removing it provides some more security while not removing usability.
|
|
- name: remove pam ccreds to disable password caching
|
|
package:
|
|
name: '{{ os_packages_pam_ccreds }}'
|
|
state: 'absent'
|
|
|
|
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
|
apt:
|
|
name: '{{ os_packages_pam_cracklib }}'
|
|
state: 'absent'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- os_auth_pam_passwdqc_enable
|
|
|
|
- name: install the package for strong password checking
|
|
apt:
|
|
name: '{{ os_packages_pam_passwdqc }}'
|
|
state: 'present'
|
|
update_cache: 'yes'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- os_auth_pam_passwdqc_enable
|
|
|
|
- name: configure passwdqc
|
|
template:
|
|
src: 'usr/share/pam-configs/pam_passwdqd.j2'
|
|
dest: '{{ passwdqc_path }}'
|
|
mode: '0644'
|
|
owner: 'root'
|
|
group: 'root'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- os_auth_pam_passwdqc_enable
|
|
|
|
- name: remove passwdqc
|
|
apt:
|
|
name: '{{ os_packages_pam_passwdqc }}'
|
|
state: 'absent'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- not os_auth_pam_passwdqc_enable
|
|
|
|
- name: install tally2
|
|
apt:
|
|
name: 'libpam-modules'
|
|
state: 'present'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- not os_auth_pam_passwdqc_enable
|
|
- os_auth_retries > 0
|
|
|
|
- name: configure tally2
|
|
template:
|
|
src: 'usr/share/pam-configs/pam_tally2.j2'
|
|
dest: '{{ tally2_path }}'
|
|
mode: '0644'
|
|
owner: 'root'
|
|
group: 'root'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- not os_auth_pam_passwdqc_enable
|
|
- os_auth_retries > 0
|
|
|
|
- name: delete tally2 when retries is 0
|
|
file:
|
|
path: '{{ tally2_path }}'
|
|
state: 'absent'
|
|
when:
|
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
|
- not os_auth_pam_passwdqc_enable
|
|
- os_auth_retries == 0
|
|
|
|
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
|
yum:
|
|
name: '{{ os_packages_pam_cracklib }}'
|
|
state: 'absent'
|
|
when:
|
|
- ansible_facts.os_family == 'RedHat'
|
|
- ansible_facts.distribution_major_version|int is version('7', '<')
|
|
- ansible_facts.distribution != 'Amazon'
|
|
- os_auth_pam_passwdqc_enable
|
|
|
|
- name: install the package for strong password checking
|
|
yum:
|
|
name: '{{ os_packages_pam_passwdqc }}'
|
|
state: 'present'
|
|
when:
|
|
- ansible_facts.os_family == 'RedHat'
|
|
- ansible_facts.distribution_major_version|int is version('7', '<')
|
|
- ansible_facts.distribution != 'Amazon'
|
|
- os_auth_pam_passwdqc_enable
|
|
|
|
- name: remove passwdqc
|
|
yum:
|
|
name: '{{ os_packages_pam_passwdqc }}'
|
|
state: 'absent'
|
|
when:
|
|
- ansible_facts.os_family == 'RedHat'
|
|
- not os_auth_pam_passwdqc_enable
|
|
|
|
- name: configure passwdqc and tally via central system-auth confic
|
|
template:
|
|
src: 'etc/pam.d/rhel_system_auth.j2'
|
|
dest: '/etc/pam.d/system-auth-ac'
|
|
mode: '0640'
|
|
owner: 'root'
|
|
group: 'root'
|
|
when: ansible_facts.os_family == 'RedHat'
|
|
|
|
- name: Gather package facts
|
|
package_facts:
|
|
manager: auto
|
|
when: ansible_facts.os_family != 'Suse'
|
|
|
|
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
|
|
template:
|
|
src: 'etc/libuser.conf.j2'
|
|
dest: '/etc/libuser.conf'
|
|
mode: '0640'
|
|
owner: 'root'
|
|
group: 'root'
|
|
when:
|
|
- ansible_facts.os_family != 'Suse'
|
|
- "'libuser' in ansible_facts.packages"
|