florianutz / ubuntu2004_cis

Ubuntu CIS Hardening Ansible Role
MIT License

PAM changes should use pam-auth-update profiles instead of lineinfile #51

Open kdebisschop opened 2 years ago

kdebisschop commented 2 years ago

Describe the bug: Adding pam_tally2 to the end of the pam.d files fails if sufficient is present

To Reproduce: Run the playbook/role for 5.3.2 - Ensure lockout for failed password attempts is configured

If sufficient rules are present, they will precede pam_tally2 and counts may not get reset after a successful authentication. This can result in user lockouts.

In our case, this was caused by the fact that we're applying the CIS hardening to a server that has been joined to a FreeIPA domain. I expect servers that use LDAP authentication or Kerberos would have similar problems.

Expected behavior: After the change, a successful login should reset a failed login.

Additional context:

I can try to put together a patch in the future. I wanted to make sure I registered the issue first, in case other folks ran into it.

The solution I have is to use pam-auth-update instead of lineinfile. We can run pam-auth-update --enable tally --force if we provide a file /usr/share/pam-configs/tally with content like:

Name: PAM Tally
Default: yes
Priority: 512
Auth-Type: Primary
Auth:
    required            pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Auth-Initial:
    required            pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Account-Type: Primary
Account:
    required            pam_tally2.so
Account-Initial:
    required            pam_tally2.so
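
A small ordering check for the situation described in this comment, added here as an example (it is not code from the role or from the issue's author); it assumes the auth stack lives in one file such as /etc/pam.d/common-auth and uses constructed sample files:

```shell
#!/bin/sh
# Added example: report whether an auth stack has a "sufficient" rule ahead of
# pam_tally2, the ordering the issue describes. Exit status: 0 = pam_tally2
# comes first, 1 = a sufficient rule precedes it, 2 = pam_tally2 is absent.
check_tally_order() {
    # $1: a PAM config file such as /etc/pam.d/common-auth
    awk '
        /^[[:space:]]*(#|$)/ { next }                   # skip comments and blanks
        $1 != "auth"         { next }                   # only the auth stack matters here
        $2 == "sufficient" && !tally && !suff { suff = NR }
        /pam_tally2\.so/ && !tally             { tally = NR }
        END {
            if (!tally) { print "pam_tally2 is not in the auth stack"; exit 2 }
            if (suff)   { print "sufficient rule at line " suff " precedes pam_tally2 at line " tally; exit 1 }
            print "ok: pam_tally2 at line " tally " runs before any sufficient rule"; exit 0
        }' "$1"
}

# Constructed sample files, not copied from a real host.
TALLY_DEMO=$(mktemp -d)
# What lineinfile produces on a FreeIPA/sssd host: tally is appended after the sufficient rule.
cat > "$TALLY_DEMO/bad" <<'EOF'
auth    sufficient  pam_sss.so
auth    required    pam_unix.so
auth    required    pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
EOF
# What a pam-auth-update profile with a higher priority yields: tally comes first.
cat > "$TALLY_DEMO/good" <<'EOF'
auth    required    pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
auth    sufficient  pam_sss.so
auth    required    pam_unix.so
EOF

check_tally_order "$TALLY_DEMO/bad" || echo "exit status $?"   # → exit status 1
check_tally_order "$TALLY_DEMO/good"                           # → exit status 0
```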
ljluestc commented 11 months ago

---
- name: Ensure PAM Tally configuration is set
  hosts: your_target_hosts
  tasks:
    # The profile file from the comment above; pam-auth-update reads profiles from /usr/share/pam-configs/
    - name: Copy tally file to /usr/share/pam-configs/
      copy:
        src: path/to/your/tally
        dest: /usr/share/pam-configs/tally
        owner: root
        group: root
        mode: '0644'
      become: yes   # /usr/share/pam-configs is root-owned, so this task needs privilege as well

    # Regenerates /etc/pam.d/common-* with the modules ordered by profile Priority
    - name: Enable PAM Tally profile
      command: pam-auth-update --enable tally --force
      become: yes