SLEM 5 must use the default pam_tally2 tally directory.

An XCCDF Rule

Description

This rule configures the system to use default pam_tally2 tally directory

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_file
Severity: Medium
References: CCI-000044

AC-7(a)

SRG-OS-000021-GPOS-00005

SLEM-05-412030

SV-261366r996837_rule

CCE-94089-0
Updated: 18 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-94089-0
  - DISA-STIG-SLEM-05-412030  - NIST-800-53-AC-7(a)
  - accounts_passwords_pam_tally2_file
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set control_flag fact
  set_fact:
    control_flag: required
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-94089-0
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7(a)
  - accounts_passwords_pam_tally2_file
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check to see if 'pam_tally2.so' module is configured in '/etc/pam.d/login'
  shell: |
    set -o pipefail
    grep -E '^\s*auth\s+\S+\s+pam_tally2.so' /etc/pam.d/login || true
  register: check_pam_module_result
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-94089-0
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7(a)
  - accounts_passwords_pam_tally2_file
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure 'pam_tally2.so' module in '/etc/pam.d/login'
  lineinfile:
    path: /etc/pam.d/login
    line: auth required pam_tally2.so
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - check_pam_module_result.stdout is defined and '"pam_tally2.so" not in check_pam_module_result.stdout'
  tags:
  - CCE-94089-0
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7(a)
  - accounts_passwords_pam_tally2_file
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure 'pam_tally2.so' module has conforming control flag
  lineinfile:
    path: /etc/pam.d/login
    regexp: ^(\s*auth\s+)\S+(\s+pam_tally2.so\s+.*)
    line: \g<1>required\g<2>
    backrefs: true
  when:
  - '"pam" in ansible_facts.packages'
  - control_flag|length
  tags:
  - CCE-94089-0
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7(a)
  - accounts_passwords_pam_tally2_file
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remove argument 'file' from 'pam_tally2.so' module
  replace:
    path: /etc/pam.d/login
    regexp: ^(\s*auth\s+\S+\s+pam_tally2.so(?:\s+\S+)*)\s+file(?:=\S+)?((\s+\S+)*\s*\\*\s*)$
    replace: \1\2
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-94089-0
  - DISA-STIG-SLEM-05-412030
  - NIST-800-53-AC-7(a)
  - accounts_passwords_pam_tally2_file
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()declare -a NEW_ARGS=()
declare -a DEL_ARGS=()


VALUES+=("")
VALUE_NAMES+=("")
ARGS+=("file")
NEW_ARGS+=("")
DEL_ARGS+=("file=")

for idx in "${!VALUES[@]}"
do
    if [ -e "/etc/pam.d/login" ] ; then
        valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
        # non-empty values need to be preceded by an equals sign
        [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
        # add an equals sign to non-empty values
        [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"

        # fix the value for 'option' if one exists but does not match 'valueRegex'
        if grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/login" ; then
            sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/login"

        # add 'option=default' if option is not set
        elif grep -q -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/login" &&
                grep    -E "^\\s*auth\\s+required\\s+pam_tally2.so" < "/etc/pam.d/login" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then

            sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_tally2.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/login"
        # add a new entry if none exists
        elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_tally2.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/login" ; then
            echo "auth required pam_tally2.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/login"
        fi
    else
        echo "/etc/pam.d/login doesn't exist" >&2
    fi
done

for idx in "${!ARGS[@]}"
do
    if ! grep -q -P "^\s*auth\s+required\s+pam_tally2.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/login ; then
        sed --follow-symlinks -i -E -e "s/^\\s*auth\\s+required\\s+pam_tally2.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/login
        if [ -n "${DEL_ARGS[$idx]}" ]; then
            sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/login
        fi
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

SLEM 5 must use the default pam_tally2 tally directory.

Description

Rationale

Remediation - Ansible

Remediation - Shell Script