DLPX-86530 CIS: delphix user lockout after failed login attempts

delphix · Dec 26, 2024 · a88b431 · a88b431
1 parent 8aa7466
commit a88b431
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/...ar/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/...ar/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
@@ -483,6 +483,41 @@
     - login
     - sshd
 
+#
+#
+# Lock out the user after an unsuccessful consecutive login attempts.
+#
+- lineinfile:
+    path: /etc/pam.d/common-auth
+    line: "{{ item }}"
+    insertbefore: '^auth\s+\[success=1\s+default=ignore\]\s+pam_unix\.so\s+nullok\s+try_first_pass'
+  with_items:
+    - 'auth    required    pam_tally2.so  audit silent deny=5 unlock_time=900'
+
+#
+#
+# Configuration to enforce account lockout policies.
+#
+- lineinfile:
+    path: /etc/pam.d/common-account
+    line: "{{ item }}"
+    insertafter: EOF
+  with_items:
+    - 'account    required    pam_tally2.so'
+
+
+#
+#
+# Configuration to remember user password history.
+#
+- lineinfile:
+    path: /etc/pam.d/common-password
+    line: "{{ item }}"
+    insertbefore: '^password\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+obscure\s+sha512'
+  with_items:
+    - 'password    required    pam_pwhistory.so remember=5'
+
+
 #
 # On Xen, block devices, including cdroms, are named with the scheme /dev/xvdX.
 # Thus, the udev rules for cdroms are written to match devices with that naming