Clean Code

2023-12-19 13:03:29 +09:00
parent 947561ce1d
commit 0273450ff6
4237 changed files with 0 additions and 7447 deletions
--- a/01-old/ansible/roles/security-settings/tasks/pam.yml
+++ b/01-old/ansible/roles/security-settings/tasks/pam.yml
@@ -0,0 +1,82 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+  block:
+    - apt:
+        name: libpam-pwquality
+        state: present
+        install_recommends: false
+    - template:
+        src: pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+
+- name: Add pam_tally2.so
+  block:
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequisite'
+        line: "account requisite pam_deny.so"
+
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequired'
+        line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+#- name: configure system settings, file descriptors and number of threads
+#  pam_limits:
+#    domain: '*'
+#    limit_type: "{{item.limit_type}}"
+#    limit_item: "{{item.limit_item}}"
+#    value: "{{item.value}}"
+#  with_items:
+#    - { limit_type: '-', limit_item: 'nofile', value: 65536 }
+#    - { limit_type: '-', limit_item: 'nproc', value: 65536 }
+##    - { limit_type: 'soft', limit_item: 'memlock', value: unlimited }
+##    - { limit_type: 'hard', limit_item: 'memlock', value: unlimited }
+
+#- name: reload settings from all system configuration files
+#  shell: sysctl --system
+
+#- name: Creates directory systemd config
+#  file:
+#    path: /etc/systemd/system.conf.d
+#    state: directory
+#    owner: root
+#    group: root
+#    mode: 0775
+ 
+#- name: Create systemd limits
+#  copy:
+#    src: systemd_limit.conf
+#    dest: /etc/systemd/system.conf.d/limits.conf
+#    owner: root
+#    group: root
+#    mode: 644
+