This task:
- name: Lock accounts after 3 unsuccessful logon attempts
lineinfile: dest=/etc/pam.d/{{ item[0] }}-auth-ac
regexp='^auth.*pam_faillock\.so\ auth.*\ deny=3\
unlock_time=604800\ fail_interval=900'
insertafter='^auth.*pam_unix\.so.*'
line={{ item[1] }}
with_nested:
- [ 'system', 'password' ]
- [ 'auth [default=die] pam_faillock.so authfail deny=3
unlock_time=604800 fail_interval=900', 'auth required pam_faillock.so
authsucc deny=3 unlock_time=604800 fail_interval=900' ]
gives me:
TASK: [Lock accounts after 3 unsuccessful logon attempts]
*********************
failed: [jedisbuild] => (item=['system', 'auth [default=die]
pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900']) =>
{"failed": true, "item": ["system", "auth [default=die] pam_faillock.so
authfail deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments
(['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\
auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900',
'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', '[default=die]',
'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800',
'fail_interval=900'])
failed: [jedisbuild] => (item=['system', 'auth required pam_faillock.so
authsucc deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true,
"item": ["system", "auth required pam_faillock.so authsucc deny=3
unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments
(['dest=/etc/pam.d/system-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\
auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900',
'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', 'required',
'pam_faillock.so', 'authsucc', 'deny=3', 'unlock_time=604800',
'fail_interval=900'])
failed: [jedisbuild] => (item=['password', 'auth [default=die]
pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900']) =>
{"failed": true, "item": ["password", "auth [default=die] pam_faillock.so
authfail deny=3 unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments
(['dest=/etc/pam.d/password-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\
auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900',
'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', '[default=die]',
'pam_faillock.so', 'authfail', 'deny=3', 'unlock_time=604800',
'fail_interval=900'])
failed: [jedisbuild] => (item=['password', 'auth required pam_faillock.so
authsucc deny=3 unlock_time=604800 fail_interval=900']) => {"failed": true,
"item": ["password", "auth required pam_faillock.so authsucc deny=3
unlock_time=604800 fail_interval=900"]}
msg: this module requires key=value arguments
(['dest=/etc/pam.d/password-auth-ac', 'regexp=^auth.*pam_faillock\\.so\\
auth.*\\ deny=3\\ unlock_time=604800\\ fail_interval=900',
'insertafter=^auth.*pam_unix\\.so.*', 'line=auth', 'required',
'pam_faillock.so', 'authsucc', 'deny=3', 'unlock_time=604800',
'fail_interval=900'])
Target files:
[joliver@build ~]$ sudo cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow try_first_pass
use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
[joliver@build ~]$ sudo cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/7f51976d-43f7-4df7-8ea5-d5ccb1d17ccb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
