valleyforge/resist-vpn-infra
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
28db1d2104
resist-vpn-infra/roles/ssh_users/tasks/password_policy.yml
Sparticus 28db1d2104 CIS + inital
2026-01-26 21:22:41 -05:00

92 lines
3.2 KiB
YAML
Raw Blame History

---
# Password Policy Configuration (CIS 5.4.x, 5.5.x)
- name: Set default password expiration (CIS 5.4.1)
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ password_max_days }}"
state: present
- name: Set minimum password change days (CIS 5.4.2)
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ password_min_days }}"
state: present
- name: Set password expiration warning (CIS 5.4.3)
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ password_warn_age }}"
state: present
- name: Set default umask (CIS 5.4.4)
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^UMASK'
line: "UMASK {{ default_umask }}"
state: present
- name: Configure PAM password quality requirements (CIS 5.5.1)
ansible.builtin.apt:
name: libpam-pwquality
state: present
- name: Set password quality requirements
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: "^{{ item.key }}"
line: "{{ item.key }} = {{ item.value }}"
state: present
loop:
- { key: 'minlen', value: '14' }
- { key: 'dcredit', value: '-1' } # At least 1 digit
- { key: 'ucredit', value: '-1' } # At least 1 uppercase
- { key: 'lcredit', value: '-1' } # At least 1 lowercase
- { key: 'ocredit', value: '-1' } # At least 1 special char
- { key: 'minclass', value: '4' } # All 4 character classes
- name: Configure account lockout (CIS 5.5.2)
ansible.builtin.lineinfile:
path: /etc/pam.d/common-auth
line: "auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900"
insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix.so'
state: present
- name: Configure account lockout (part 2)
ansible.builtin.lineinfile:
path: /etc/pam.d/common-auth
line: "auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900"
insertafter: '^auth\s+\[success=1 default=ignore\]\s+pam_unix.so'
state: present
- name: Configure account lockout (part 3)
ansible.builtin.lineinfile:
path: /etc/pam.d/common-auth
line: "auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900"
insertafter: '^auth\s+\[default=die\]\s+pam_faillock.so'
state: present
- name: Configure password reuse prevention (CIS 5.5.3)
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^password\s+\[success=1 default=ignore\]\s+pam_unix.so'
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5"
state: present
- name: Ensure password hashing algorithm is yescrypt (CIS 5.5.4)
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^password\s+\[success=1 default=ignore\]\s+pam_unix.so'
line: "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt"
state: present
- name: Set inactive password lock (CIS 5.4.4)
ansible.builtin.lineinfile:
path: /etc/default/useradd
regexp: '^INACTIVE='
line: "INACTIVE={{ password_inactive_days }}"
state: present
Reference in New Issue View Git Blame Copy Permalink