DLPX-86530 CIS: delphix user lockout after failed login attempts

PR URL: https://www.github.com/delphix/delphix-platform/pull/474
delphix · Mar 20, 2024 · eca353a · eca353a
1 parent 3c58815
commit eca353a
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/...ar/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/...ar/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
@@ -336,6 +336,37 @@
     regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$'
     replace: '\1'
 
+#
+#
+# Lock out the user after an unsuccessful consecutive login attempts.
+#
+- lineinfile:
+    path: /etc/pam.d/common-auth
+    line: "{{ item }}"
+  with_items:
+    - 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900'
+
+#
+#
+# Configuration to remember user password history.
+#
+- lineinfile:
+    path: /etc/pam.d/common-password
+    line: "{{ item }}"
+  with_items:
+    - 'password required pam_pwhistory.so remember=5'
+
+#
+#
+# Configuration to enforce account lockout policies.
+#
+- lineinfile:
+    path: /etc/pam.d/common-account
+    line: "{{ item }}"
+  with_items:
+    - 'auth required pam_tally2.so deny=5 unlock_time=900 audit'
+
+#
 #
 # Enable SNMP client tools to load MIBs by default.
 #