44 lines
993 B
YAML
44 lines
993 B
YAML
---
|
|
|
|
{{ if .Vars.ubtu24cis_level_1 }}
|
|
{{ if .Vars.ubtu24cis_rule_5_3_3_1_1 }}
|
|
file:
|
|
faillock_attempts_deny:
|
|
title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured
|
|
path: /etc/security/faillock.conf
|
|
exists: true
|
|
contents:
|
|
- '/^deny\s*=\s*[1-5]$/'
|
|
- '!/^deny\s*=\s*([5-9]|[0-9]{2,})/'
|
|
meta:
|
|
server: 1
|
|
workstation: 1
|
|
CIS_ID:
|
|
- 5.3.3.1.1
|
|
CISv8:
|
|
- 6.2
|
|
CISv8_IG1: true
|
|
CISv8_IG2: true
|
|
CISv8_IG3: true
|
|
NIST800-53R5: NA
|
|
command:
|
|
faillock_attempts_deny_removed:
|
|
title: 5.3.3.1.1 | Ensure password failed attempts lockout is configured
|
|
exec: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/*
|
|
exit-status: 1
|
|
stdout:
|
|
- '!/.*/'
|
|
meta:
|
|
server: 1
|
|
workstation: 1
|
|
CIS_ID:
|
|
- 5.3.3.1.1
|
|
CISv8:
|
|
- 6.2
|
|
CISv8_IG1: true
|
|
CISv8_IG2: true
|
|
CISv8_IG3: true
|
|
NIST800-53R5: NA
|
|
{{ end }}
|
|
{{ end }}
|