Configure the root Account lock for Failed Password Attempts via pam_tally2

An XCCDF Rule

Description

This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_tally2.so.

Rationale

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.

ID: xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2_deny_root
Severity: Medium
References: BP28(R18)

1 12 15 16

DSS05.04 DSS05.10 DSS06.10

CCI-000044 CCI-002238

4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9

SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9

0421 0422 0431 0974 1173 1401 1504 1505 1546 1557 1558 1559 1560 1561

A.18.1.4 A.9.2.1 A.9.2.4 A.9.3.1 A.9.4.2 A.9.4.3

AC-7(b) CM-6(a) IA-5(c)

PR.AC-7

FMT_MOF_EXT.1

SRG-OS-000021-GPOS-00005 SRG-OS-000329-GPOS-00128

5.3.2

CCE-91281-6
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

if grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s.*\bonerr=fail\b' "/etc/pam.d/login"; then
    sed -i -E --follow-symlinks 's/(.*auth.*'"required"'.*pam_tally2.so.*)\sonerr=fail=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/login"
fiif ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/login"; then
    # Line matching group + control + module was not found. Check group + module.
    if [ "$(grep -cP '^\s*auth\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/login")" -eq 1 ]; then
        # The control is updated only if one single line matches.
        sed -i -E --follow-symlinks 's/^(\s*auth\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/login"
    else
        echo 'auth    '"required"'    pam_tally2.so' >> "/etc/pam.d/login"
    fi
fi
# Check the option
if ! grep -qP '^\s*auth\s+'"required"'\s+pam_tally2.so\s*.*\seven_deny_root\b' "/etc/pam.d/login"; then
    sed -i -E --follow-symlinks '/\s*auth\s+'"required"'\s+pam_tally2.so.*/ s/$/ even_deny_root/' "/etc/pam.d/login"
fi
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*' "/etc/pam.d/common-account"; then
    # Line matching group + control + module was not found. Check group + module.
    if [ "$(grep -cP '^\s*account\s+.*\s+pam_tally2.so\s*' "/etc/pam.d/common-account")" -eq 1 ]; then
        # The control is updated only if one single line matches.
        sed -i -E --follow-symlinks 's/^(\s*account\s+).*(\bpam_tally2.so.*)/\1'"required"' \2/' "/etc/pam.d/common-account"
    else
        echo 'account    '"required"'    pam_tally2.so' >> "/etc/pam.d/common-account"
    fi
fi
# Check the option
if ! grep -qP '^\s*account\s+'"required"'\s+pam_tally2.so\s*.*\s\b' "/etc/pam.d/common-account"; then
    sed -i -E --follow-symlinks '/\s*account\s+'"required"'\s+pam_tally2.so.*/ s/$/ /' "/etc/pam.d/common-account"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Ensure the "onerr=fail" option from "pam_tally2.so" is not present in /etc/pam.d/login
  ansible.builtin.replace:
    dest: /etc/pam.d/login
    regexp: (.*auth.*{{ 'required' | regex_escape() }}.*pam_tally2.so.*)\bonerr=fail\b=?[0-9a-zA-Z]*(.*)
    replace: \1\2
  register: result_pam_option_removal
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Check if expected PAM module line is present in /etc/pam.d/login
  ansible.builtin.lineinfile:
    path: /etc/pam.d/login
    regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
    state: absent
  check_mode: true
  changed_when: false
  register: result_pam_line_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Include or update the PAM module line in /etc/pam.d/login
  block:

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Check if required PAM module line is present in /etc/pam.d/login with different
      control
    ansible.builtin.lineinfile:
      path: /etc/pam.d/login
      regexp: ^\s*auth\s+.*\s+pam_tally2.so\s*
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_line_other_control_present

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Ensure the correct control for the required PAM module line in /etc/pam.d/login
    ansible.builtin.replace:
      dest: /etc/pam.d/login
      regexp: ^(\s*auth\s+).*(\bpam_tally2.so.*)
      replace: \1required \2
    register: result_pam_module_edit
    when:
    - result_pam_line_other_control_present.found == 1

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Ensure the required PAM module line is included in /etc/pam.d/login
    ansible.builtin.lineinfile:
      dest: /etc/pam.d/login
      line: auth    required    pam_tally2.so
    register: result_pam_module_add
    when:
    - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
      > 1

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Ensure authselect changes are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_present is defined
    - result_authselect_present.stat.exists
    - |-
      (result_pam_module_add is defined and result_pam_module_add.changed)
       or (result_pam_module_edit is defined and result_pam_module_edit.changed)
  when:
  - '"pam" in ansible_facts.packages'
  - result_pam_line_present.found is defined
  - result_pam_line_present.found == 0
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Check if the required PAM module option is present in /etc/pam.d/login
  ansible.builtin.lineinfile:
    path: /etc/pam.d/login
    regexp: ^\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\seven_deny_root\b
    state: absent
  check_mode: true
  changed_when: false
  register: result_pam_module_even_deny_root_option_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Ensure the "even_deny_root" PAM option for "pam_tally2.so" is included in /etc/pam.d/login
  ansible.builtin.lineinfile:
    path: /etc/pam.d/login
    backrefs: true
    regexp: ^(\s*auth\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
    line: \1 even_deny_root
    state: present
  register: result_pam_even_deny_root_add
  when:
  - '"pam" in ansible_facts.packages'
  - result_pam_module_even_deny_root_option_present.found == 0
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Check if expected PAM module line is present in /etc/pam.d/common-account
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-account
    regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*
    state: absent
  check_mode: true
  changed_when: false
  register: result_pam_line_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Include or update the PAM module line in /etc/pam.d/common-account
  block:

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Check if required PAM module line is present in /etc/pam.d/common-account
      with different control
    ansible.builtin.lineinfile:
      path: /etc/pam.d/common-account
      regexp: ^\s*account\s+.*\s+pam_tally2.so\s*
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_line_other_control_present

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Ensure the correct control for the required PAM module line in /etc/pam.d/common-account
    ansible.builtin.replace:
      dest: /etc/pam.d/common-account
      regexp: ^(\s*account\s+).*(\bpam_tally2.so.*)
      replace: \1required \2
    register: result_pam_module_edit
    when:
    - result_pam_line_other_control_present.found == 1

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Ensure the required PAM module line is included in /etc/pam.d/common-account
    ansible.builtin.lineinfile:
      dest: /etc/pam.d/common-account
      line: account    required    pam_tally2.so
    register: result_pam_module_add
    when:
    - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found
      > 1

  - name: Configure the root Account lock for Failed Password Attempts via pam_tally2
      - Ensure authselect changes are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_present is defined
    - result_authselect_present.stat.exists
    - |-
      (result_pam_module_add is defined and result_pam_module_add.changed)
       or (result_pam_module_edit is defined and result_pam_module_edit.changed)
  when:
  - '"pam" in ansible_facts.packages'
  - result_pam_line_present.found is defined
  - result_pam_line_present.found == 0
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Check if the required PAM module option is present in /etc/pam.d/common-account
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-account
    regexp: ^\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so\s*.*\s\b
    state: absent
  check_mode: true
  changed_when: false
  register: result_pam_module__option_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account lock for Failed Password Attempts via pam_tally2
    - Ensure the "" PAM option for "pam_tally2.so" is included in /etc/pam.d/common-account
  ansible.builtin.lineinfile:
    path: /etc/pam.d/common-account
    backrefs: true
    regexp: ^(\s*account\s+{{ 'required' | regex_escape() }}\s+pam_tally2.so.*)
    line: \1
    state: present
  register: result_pam__add
  when:
  - '"pam" in ansible_facts.packages'
  - result_pam_module__option_present.found == 0
  tags:
  - CCE-91281-6
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_tally2_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Configure the root Account lock for Failed Password Attempts via pam_tally2

Description

Rationale

Remediation - Shell Script

Remediation - Ansible