From 85afda6413165220eb719b9128ad663ab00a34c2 Mon Sep 17 00:00:00 2001
From: Adam Lewandowski
Date: Thu, 5 May 2022 10:28:41 -0400
Subject: [PATCH 1/3] Add missing variable defaults for 'rhel9cis_pam_faillock'
Signed-off-by: Adam Lewandowski
---
 defaults/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index b5315a9..248b492 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -582,6 +582,9 @@ rhel9cis_pam_password:
 minclass: 4
 rhel9cis_pam_faillock:
+ attempts: 5
+ unlock_time: 900
+ fail_for_root: no
 remember: 5
 # UID settings for interactive users
From 62649cb6c50fb19d1f22068cb8a64322122c1d1f Mon Sep 17 00:00:00 2001
From: Adam Lewandowski
Date: Fri, 6 May 2022 08:36:15 -0400
Subject: [PATCH 2/3] Updated rhel9cis_pam_faillock defaults to only those needed for RHEL9
Signed-off-by: Adam Lewandowski
---
 defaults/main.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 248b492..608b3c7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -582,10 +582,8 @@ rhel9cis_pam_password:
 minclass: 4
 rhel9cis_pam_faillock:
- attempts: 5
 unlock_time: 900
- fail_for_root: no
- remember: 5
+ deny: 5
 # UID settings for interactive users
 # These are discovered via logins.def if set true
From 581eb70b485e7b4cdca7cc36fedd0518d2e8810b Mon Sep 17 00:00:00 2001
From: Adam Lewandowski
Date: Fri, 6 May 2022 10:59:53 -0400
Subject: [PATCH 3/3] Restore rhel9cis_pam_faillock.remember, as it is used by rules 5.5.3 and 5.5.4
Signed-off-by: Adam Lewandowski
---
 defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 608b3c7..6dfa404 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -584,6 +584,7 @@ rhel9cis_pam_password:
 rhel9cis_pam_faillock:
 unlock_time: 900
 deny: 5
+ remember: 5
 # UID settings for interactive users
 # These are discovered via logins.def if set true
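Review bot: In the PATCH 1/3 hunk, `fail_for_root: no` relies on YAML 1.1 truthy parsing; write it as `fail_for_root: false` so the value is a boolean under any loader and passes yamllint's `truthy` rule. The three added keys also carry no comment, so a reader cannot tell the unit of `unlock_time` (presumably seconds) or whether `fail_for_root: no` leaves root exempt from lockout. A one-line comment above each key would settle both; the tasks and templates that consume these values are outside the hunk.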
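Review bot: In the PATCH 2/3 hunk, the new `deny` and `unlock_time` defaults are security-relevant lockout thresholds but are left undocumented. I would add `# deny: consecutive failed logins before the account is locked` and `# unlock_time: seconds until a locked account is re-enabled; in pam_faillock 0 means it stays locked until an administrator resets it`. With `fail_for_root` removed, whether root is subject to lockout can no longer be seen or tuned from the defaults. If the consuming task handles root separately (for example via `even_deny_root`), a comment here should say so; that task is not visible in this patch.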
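Review bot: In the PATCH 3/3 hunk, `remember` is a password-history setting rather than a pam_faillock option, so leaving it uncommented under `rhel9cis_pam_faillock` invites the same accidental removal this commit has to undo. A comment such as `# remember: previous passwords refused on reuse; read by rules 5.5.3 and 5.5.4, not a faillock option` would record why it is here. Because the default is a mapping, an inventory that overrides only one key replaces the whole mapping under Ansible's default hash behaviour and leaves the other keys undefined. It is worth noting next to the variable that overrides must restate all three keys, or having the tasks apply `| default(...)` per key; those tasks are outside this patch.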