rewrite accounts_passwords_pam_faillock_deny rule to use

pam_account_password_faillock template
a-skr · May 5, 2024 · 6ad26f8 · 6ad26f8
1 parent f525060
commit 6ad26f8
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 797 deletions.
diff --git a/...pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/...pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
diff --git a/...nts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/...nts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/debian.xml
diff --git a/...pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml b/...pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/openeuler.xml
diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
diff --git a/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml b/...ts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/ubuntu.xml
diff --git a/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/.../accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
@@ -129,3 +129,14 @@ warnings:
 
 srg_requirement: |-
     {{{ full_name }}} must automatically lock an account when three unsuccessful logon attempts occur.
+
+template:
+  name: pam_account_password_faillock
+  vars:
+    prm_name: deny
+    prm_regex_conf: ^[\s]*deny[\s]*=[\s]*([0-9]+)
+    prm_regex_pamd: ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
+    ext_variable: var_accounts_passwords_pam_faillock_deny
+    description: Lockout account after failed login attempts.
+    variable_upper_bound: use_ext_variable
+    variable_lower_bound: 0