| # | Location | File | Last Modified |
|---|---|---|---|
| 1 | MCCF_EDI_TAS_Infrastructure.zip\MCCF_EDI_TAS_Infrastructure\mag_sys_build\playbooks | passwd_setting.yml | Tue Mar 27 23:51:06 2018 UTC |
| 2 | MCCF_EDI_TAS_Infrastructure.zip\MCCF_EDI_TAS_Infrastructure\mag_sys_build\playbooks | passwd_setting.yml | Tue May 8 03:19:03 2018 UTC |
| Description | Between Files 1 and 2 |
|
|---|---|---|
| Text Blocks | Lines | |
| Unchanged | 2 | 428 |
| Changed | 1 | 2 |
| Inserted | 0 | 0 |
| Removed | 0 | 0 |
| Whitespace | |
|---|---|
| Character case | Differences in character case are significant |
| Line endings | Differences in line endings (CR and LF characters) are ignored |
| CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
| 1 | # Ansible Playbook | |
| 2 | # Erik van Oudheusde n PII - 28 Sep 2 017 | |
| 3 | # | |
| 4 | # Set Pass word Quali ty Require ments with pam_pwqua lity | |
| 5 | ||
| 6 | --- | |
| 7 | - name: Se t Password Quality R equirement s with pam _pwquality . 38 Steps | |
| 8 | hosts: r hel7 | |
| 9 | become: yes | |
| 10 | tasks: | |
| 11 | - name: Run Authco nfig to se t password algorythm to 512. S tep 1 of 3 8. | |
| 12 | shell: /usr/sbin /authconfi g --passal go=sha512 --update | |
| 13 | - name: Copy the p wquality f ile to /et c/security . Step 2 o f 38 | |
| 14 | copy: | |
| 15 | src: ../files/ pwquality. conf | |
| 16 | dest : /etc/sec urity/pwqu ality.conf | |
| 17 | owne r: root | |
| 18 | grou p: root | |
| 19 | mode : 0644 | |
| 20 | back up: yes | |
| 21 | - name: Set Passwo rd to Maxi mum of Thr ee Consecu tive Repea ting Chara cters. Ste p 3 of 38 | |
| 22 | linein file: | |
| 23 | path : /etc/sec urity/pwqu ality.conf | |
| 24 | back refs: yes | |
| 25 | rege xp: '^# ma xrepeat = 0' | |
| 26 | line : 'maxrepe at = 4' | |
| 27 | - name: Set Maximu m Sequence of Charac ters to 3. Step 4 of 38 | |
| 28 | linein file: | |
| 29 | path : /etc/sec urity/pwqu ality.conf | |
| 30 | back refs: yes | |
| 31 | rege xp: '^# ma xsequence = 0' | |
| 32 | line : 'maxsequ ence = 3' | |
| 33 | - name: Set Passwo rd Strengt h Minimum Digit Char acters. St ep 5 of 38 | |
| 34 | linein file: | |
| 35 | path : /etc/sec urity/pwqu ality.conf | |
| 36 | back refs: yes | |
| 37 | rege xp: '^# dc redit = 1' | |
| 38 | line : 'dcredit = -1' | |
| 39 | - name: Set Passwo rd Minimum Length. S tep 6 of 3 8 | |
| 40 | linein file: | |
| 41 | path : /etc/sec urity/pwqu ality.conf | |
| 42 | back refs: yes | |
| 43 | rege xp: '^# mi nlen = 9' | |
| 44 | line : 'minlen = 12' | |
| 45 | - name: Set Passwo rd Strengt h Minimum Special Ch aracters. Step 7 of 38 | |
| 46 | linein file: | |
| 47 | path : /etc/sec urity/pwqu ality.conf | |
| 48 | back refs: yes | |
| 49 | rege xp: '^# oc redit = 1' | |
| 50 | line : 'ocredit = -1' | |
| 51 | - name: Set Passwo rd Strengt h Minimum Lowercase Characters . Step 8 o f 38 | |
| 52 | linein file: | |
| 53 | path : /etc/sec urity/pwqu ality.conf | |
| 54 | back refs: yes | |
| 55 | rege xp: '^# lc redit = 1' | |
| 56 | line : 'lcredit = -1' | |
| 57 | - name: Set Passwo rd Strengt h Minimum Different Characters . Step 9 o f 38 | |
| 58 | linein file: | |
| 59 | path : /etc/sec urity/pwqu ality.conf | |
| 60 | back refs: yes | |
| 61 | rege xp: '^# di fok = 5' | |
| 62 | line : 'difok = 5' | |
| 63 | - name: Set Passwo rd Strengt h Minimum Different Categories . Step 10 of 38 | |
| 64 | linein file: | |
| 65 | path : /etc/sec urity/pwqu ality.conf | |
| 66 | back refs: yes | |
| 67 | rege xp: '^# mi nclass = 0 ' | |
| 68 | line : 'minclas s = 4' | |
| 69 | - name: Set Passwo rd to Maxi mum of Con secutive R epeating C haracters from Same Character Class. Ste p 11 of 38 | |
| 70 | linein file: | |
| 71 | path : /etc/sec urity/pwqu ality.conf | |
| 72 | back refs: yes | |
| 73 | rege xp: '^# ma xclassrepe at = 0' | |
| 74 | line : 'maxclas srepeat = 4' | |
| 75 | - name: Set Passwo rd Strengt h Minimum Uppercase Characters . Step 12 of 38 | |
| 76 | linein file: | |
| 77 | path : /etc/sec urity/pwqu ality.conf | |
| 78 | back refs: yes | |
| 79 | rege xp: '^# uc redit = 1' | |
| 80 | line : 'ucredit = -1' | |
| 81 | - name: accounts_m inimum_age _login_def s. Step 13 of 38 | |
| 82 | linein file: | |
| 83 | path : /etc/log in.defs | |
| 84 | rege xp: '^PASS _MIN_DAYS' | |
| 85 | line : 'PASS_MI N_DAYS 2' | |
| 86 | - name: accounts_m aximum_age _login_def s. Step 14 of 38 | |
| 87 | linein file: | |
| 88 | path : /etc/log in.defs | |
| 89 | rege xp: 'PASS_ MAX_DAYS' | |
| 90 | line : 'PASS_MA X_DAYS 90 ' | |
| 91 | - name: Set Passwo rd Minimum Length in login.def s. Step 15 of 38 | |
| 92 | linein file: | |
| 93 | path : /etc/log in.defs | |
| 94 | rege xp: '^PASS _MIN_LEN' | |
| 95 | line : 'PASS_MI N_LEN 1 2' | |
| 96 | - name: Set Passwo rd Warning Age in lo gin.defs. Step 16 of 38 | |
| 97 | linein file: | |
| 98 | path : /etc/log in.defs | |
| 99 | rege xp: '^PASS _WARN_AGE' | |
| 100 | line : 'PASS_WA RN_AGE 14' | |
| 101 | - name: Set UMASK in login.d efs. Step 17 of 38 | |
| 102 | linein file: | |
| 103 | path : /etc/log in.defs | |
| 104 | rege xp: '^UMAS K' | |
| 105 | line : 'UMASK 077' | |
| 106 | - name: Ensure the Logon Fai lure Delay is Set Co rrectly in login.def s Comment. Step 18 o f 338 | |
| 107 | linein file: | |
| 108 | path : /etc/log in.defs | |
| 109 | line : '#added by CRISP' | |
| 110 | - name: Ensure the Logon Fai lure Delay is Set Co rrectly in login.def s. Step 19 of 38 | |
| 111 | linein file: | |
| 112 | path : /etc/log in.defs | |
| 113 | inse rtafter: ' #added by CRISP' | |
| 114 | line : 'FAIL_DE LAY 15' | |
| 115 | - name: Set Encryp tion metho d to SHA51 2. Step 20 of 38 | |
| 116 | linein file: | |
| 117 | path : /etc/log in.defs | |
| 118 | rege xp: '^ENCR YPT_METHOD ' | |
| 119 | line : 'ENCRYPT _METHOD SH A512' | |
| 120 | - name: Set Encryp tion style to SHA512 . Step 21 of 38 | |
| 121 | linein file: | |
| 122 | path : /etc/lib user.conf | |
| 123 | rege xp: '^cryp t_style' | |
| 124 | line : 'crypt_s tyle = sha 512' | |
| 125 | ||
| 126 | - name: Copy Sys A uth AC to VA. Step 2 2 of 38 | |
| 127 | copy: | |
| 128 | src: /etc/pam. d/system-a uth-ac | |
| 129 | dest : /etc/pam .d/system- auth-va | |
| 130 | owne r: root | |
| 131 | grou p: root | |
| 132 | mode : 0644 | |
| 133 | - name: Copy Pass Auth AC to VA. Step 23 of 38 | |
| 134 | copy: | |
| 135 | src: /etc/pam. d/password -auth-ac | |
| 136 | dest : /etc/pam .d/passwor d-auth-va | |
| 137 | owne r: root | |
| 138 | grou p: root | |
| 139 | mode : 0644 | |
| 140 | - name: Link Sys A uth VA. St ep 24 of 3 8 | |
| 141 | file: | |
| 142 | src: /etc/pam. d/system-a uth-va | |
| 143 | dest : /etc/pam .d/system- auth | |
| 144 | stat e: link | |
| 145 | - name: Link Pass Auth VA. S tep 25 of 38 | |
| 146 | file: | |
| 147 | src: /etc/pam. d/password -auth-va | |
| 148 | dest : /etc/pam .d/passwor d-auth | |
| 149 | stat e: link | |
| 150 | - name: Setting au th require d pam_fail lock. Step 26 of 38 | |
| 151 | linein file: | |
| 152 | path : /etc/pam .d/system- auth-va | |
| 153 | inse rtbefore: 'auth suffici ent pam _unix.so n ullok try_ first_pass ' | |
| 154 | line : 'auth requi red p am_failloc k.so preau th silent audit deny =5 unlock_ time=900 f ail_interv al=900' | |
| 155 | - name: Setting au th default pam_faill ock. Step 27 of 38 | |
| 156 | linein file: | |
| 157 | path : /etc/pam .d/system- auth-va | |
| 158 | inse rtafter: ' auth sufficie nt pam_ unix.so nu llok try_f irst_pass' | |
| 159 | line : 'auth [defa ult=die] p am_failloc k.so authf ail audit deny=5 unl ock_time=9 00 fail_in terval=900 ' | |
| 160 | - name: Setting ac cunt requi red pam_fa illock. St ep 28 of 3 8 | |
| 161 | linein file: | |
| 162 | path : /etc/pam .d/system- auth-va | |
| 163 | inse rtbefore: 'account require d pam _unix.so' | |
| 164 | line : 'account requi red p am_failloc k.so' | |
| 165 | - name: Setting pa ssword req uisite pam _pwhistory . Step 29 of 38 | |
| 166 | linein file: | |
| 167 | path : /etc/pam .d/system- auth-va | |
| 168 | inse rtafter: ' password requisit e pam_ pwquality. so try_fir st_pass lo cal_users_ only retry =3 authtok _type=' | |
| 169 | line : 'passwor d requi site p am_pwhisto ry.so exis ting_optio ns remembe r=5' | |
| 170 | - name: Setting au th suffici ent pam_un ix. Step 3 0 of 38 | |
| 171 | linein file: | |
| 172 | path : /etc/pam .d/system- auth-va | |
| 173 | rege xp: 'auth suf ficient pam_unix. so nullok try_first_ pass' | |
| 174 | line : 'auth suffi cient p am_unix.so try_first _pass' | |
| 175 | - name: Setting pa ssword suf ficient pa m_unix. St ep 31 of 3 8 | |
| 176 | linein file: | |
| 177 | path : /etc/pam .d/system- auth-va | |
| 178 | #ins ertafter: 'password requisi te pam _pwhistory .so existi ng_options remember= 5' | |
| 179 | rege xp: 'passw ord suf ficient pam_unix. so sha512 shadow nul lok try_fi rst_pass u se_authtok ' | |
| 180 | line : 'passwor d suffi cient p am_unix.so sha512 sh adow try_f irst_pass use_authto k remember =5' | |
| 181 | - name: Setting se ssion requ ired pam_l astlog. St ep 32 of 3 8 | |
| 182 | linein file: | |
| 183 | path : /etc/pam .d/system- auth-va | |
| 184 | inse rtafter: ' session required pam_ limits.so' | |
| 185 | line : 'session requi red p am_lastlog .so showfa iled' | |
| 186 | - name: Setting au th require d pam_fail lock. Step 33 of 38 | |
| 187 | linein file: | |
| 188 | path : /etc/pam .d/passwor d-auth-va | |
| 189 | inse rtbefore: 'auth suffici ent pam _unix.so n ullok try_ first_pass ' | |
| 190 | line : 'auth requi red p am_failloc k.so preau th silent audit deny =5 unlock_ time=900 f ail_interv al=900' | |
| 191 | - name: auth defau lt pam_fai lllock. St ep 34 of 3 8 | |
| 192 | linein file: | |
| 193 | path : /etc/pam .d/passwor d-auth-va | |
| 194 | inse rtafter: ' auth sufficie nt pam_ unix.so nu llok try_f irst_pass' | |
| 195 | line : 'auth [defa ult=die] p am_failloc k.so authf ail audit deny=5 unl ock_time=9 00 fail_in terval=900 ' | |
| 196 | - name: Setting ac count requ ired pam_f aillock. S tep 35 of 38 | |
| 197 | linein file: | |
| 198 | path : /etc/pam .d/passwor d-auth-va | |
| 199 | inse rtbefore: 'account require d pam _unix.so' | |
| 200 | line : 'account requi red p am_failloc k.so' | |
| 201 | - name: auth suffi cient pam_ unix. Step 36 of 38 | |
| 202 | linein file: | |
| 203 | path : /etc/pam .d/passwor d-auth-va | |
| 204 | rege xp: 'auth suf ficient pam_unix. so nullok try_first _pass' | |
| 205 | line : 'auth suffi cient p am_unix.so try_first _pass' | |
| 206 | ||
| 207 | ||
| 208 | - name: Checking P assword Fi le Integri ty with PW CK. Step 3 7 of 38 | |
| 209 | shell: "/usr/sbi n/pwck -qr " | |
| 210 | regist er: PassWr dIntegrity | |
| 211 | change d_when: fa lse | |
| 212 | - name: Fail IF th ere was AN Y output f rom the PW CK command .. Step 38 of 38 | |
| 213 | fail: | |
| 214 | msg: "ERROR ME SSAGE: The re is a MA JOR proble m with the password file integ rity\n{{ P assWrdInte grity.stdo ut_lines } }" | |
| 215 | when: PassWrdInt egrity.std out != "" |
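Review bot: Steps 22 and 23 use `copy` with `src: /etc/pam.d/system-auth-ac` and `src: /etc/pam.d/password-auth-ac` but no `remote_src`, so Ansible reads those files from the control node rather than from the rhel7 target. The PAM stack that steps 24 to 36 then symlink into place and edit would be the controller's, or the tasks fail if the controller has no such files. Adding `remote_src: yes` to both copy tasks makes them start from the target's own authconfig-generated files. Separately, the step 29 line passes the literal word `existing_options` to pam_pwhistory.so, which looks like a placeholder carried over from guidance text rather than a module option, and should probably be dropped. The report does not mark which line changed between the two revisions, so these points apply to the file as shown.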