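- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Get directories from faillock
  # Read-only probe: collect every `dir=` value pam_faillock.so may use, from
  # faillock.conf and from the PAM stack files. grep prints the whole matching
  # fragment and sed keeps only the path; a file with no match yields no lines.
  ansible.builtin.shell: >-
    grep -oP '^\s*(?:auth.*pam_faillock.so.*)?dir\s*=\s*(\S+)' "{{ item }}"
    | sed -r 's/.*=\s*(\S+)/\1/'
  register: faillock_output
  # Inspecting configuration never modifies the host, so never report
  # "changed"; keep running under --check so the later set_fact has results.
  changed_when: false
  check_mode: false
  with_items:
    - /etc/security/faillock.conf
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy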
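- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Create a list directories from faillock
  # Flatten the per-file stdout_lines into a single list of directory paths.
  # Results that carry no stdout_lines (an item that was skipped or did not
  # run) are dropped instead of breaking map() with a missing attribute.
  ansible.builtin.set_fact:
    list_faillock_dir: >-
      {{ faillock_output.results
      | selectattr('stdout_lines', 'defined')
      | map(attribute='stdout_lines')
      | flatten }}
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy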
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Create directories for faillock
  # Each discovered path has to exist before a context can be applied to it;
  # blank entries in the list are skipped.
  ansible.builtin.file:
    state: directory
    path: "{{ item }}"
  loop: "{{ list_faillock_dir }}"
  when: >-
    ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and item != ""
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
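- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Set up SELinux context for faillock
  # Register a persistent fcontext rule for the directory tree: `-a` fails when
  # a rule for that spec already exists, in which case `-m` updates it instead.
  # The path is shell-quoted so a value containing spaces or shell
  # metacharacters reaches semanage as one literal argument.
  ansible.builtin.shell: |-
    if ! semanage fcontext -a -t faillog_t {{ (item ~ '(/.*)?') | quote }}; then
      semanage fcontext -m -t faillog_t {{ (item ~ '(/.*)?') | quote }}
    fi
  with_items: '{{ list_faillock_dir }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - item != ""
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy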
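- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Restore SELinux context
  # Apply the registered context to whatever already exists under the path.
  # argv hands the path to restorecon as a single argument instead of
  # re-splitting an interpolated command line.
  ansible.builtin.command:
    argv:
      - restorecon
      - -R
      - -v
      - "{{ item }}"
  register: faillock_restorecon
  # `-v` prints one line per relabeled file, so empty output means the
  # labels were already correct and nothing changed.
  changed_when: faillock_restorecon.stdout | length > 0
  with_items: '{{ list_faillock_dir }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - item != ""
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy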
- name: >-
    An SELinux Context must be configured for the pam_faillock.so records directory
    - Verify pam_faillock.so configuration
  # No `dir=` value was found anywhere: say so rather than finishing silently,
  # since the preceding tasks then had nothing to label.
  ansible.builtin.debug:
    msg: |-
      "The pam_faillock.so dir option is not set in the system.
      If this is not expected, make sure pam_faillock.so is properly configured."
  when: >-
    ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    and list_faillock_dir | length == 0
  tags:
    - DISA-STIG-RHEL-09-431020
    - NIST-800-53-AC-7 (a)
    - account_password_selinux_faillock_dir
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy