---
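# Install the templated /etc/pam.d/common-auth. The template body
# (common-auth.j2) is not visible from this file; the task name implies it
# adds pam_tally2.so to the auth stack — verify against the template.
# NOTE(review): the same task name is reused for the common-account task
# further down, which makes --start-at-task / --step ambiguous.
# NOTE(review): on Debian/Ubuntu (apt is used below) the common-* files are
# normally maintained by pam-auth-update, which may rewrite this file on a
# later package upgrade — presumably accepted here, confirm.
- name: Add pam_tally2.so
  template:
    src: common-auth.j2
    dest: /etc/pam.d/common-auth
    owner: root
    group: root
    mode: "0644"  # quoted: an unquoted 0644 is an octal int under YAML 1.1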
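# Install libpam-pwquality and write its policy file. The block groups the
# package install with the config write; block tasks run in order, so the
# module is present before /etc/security/pwquality.conf is templated.
- name: Create pwquality.conf password complexity configuration
  block:
    - apt:
        name: libpam-pwquality
        state: present
        install_recommends: false
    - template:
        src: pwquality.conf.j2
        dest: /etc/security/pwquality.conf
        owner: root
        group: root
        mode: "0644"  # quoted: an unquoted 0644 is an octal int under YAML 1.1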
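# Enforce account lockout via pam_tally2.so in /etc/pam.d/common-account.
# Each lineinfile is keyed on the exact line it manages, so re-runs are
# idempotent and an unrelated "account required ..." entry (the broad
# '^account\srequired' regexp previously used would replace the last such
# line — on stock Debian/Ubuntu files that is likely pam_permit.so) is left
# untouched. When the managed line is absent it is appended at EOF.
# NOTE(review): pam_tally2 was removed from Linux-PAM 1.5.0 in favour of
# pam_faillock — confirm the target release still ships the module.
- name: Add pam_tally2.so
  block:
    - lineinfile:
        path: /etc/pam.d/common-account  # path: 'dest' is a deprecated alias
        regexp: '^account\s+requisite\s+pam_deny\.so'
        line: "account requisite pam_deny.so"
    - lineinfile:
        path: /etc/pam.d/common-account
        regexp: '^account\s+required\s+pam_tally2\.so'
        line: "account required pam_tally2.so"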
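# Remember the last 5 passwords so they cannot be reused. Keyed on the module
# name so a later change to remember= replaces the line instead of leaving the
# old one and appending a second (an unanchored lineinfile only checks for the
# exact line). Inserted ahead of pam_unix.so: pam_pwhistory(8) places it before
# the module that actually sets the password — TODO confirm the resulting stack
# order on the target. If pam_unix.so is not found the line is appended at EOF.
- name: password reuse is limited
  lineinfile:
    path: /etc/pam.d/common-password  # path: 'dest' is a deprecated alias
    regexp: '^password\s+required\s+pam_pwhistory\.so'
    line: "password required pam_pwhistory.so remember=5"
    insertbefore: '^password\s+\[success=1 default=ignore\]\s+pam_unix\.so'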
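# Force SHA-512 hashing for pam_unix.so in the password stack. The regexp
# matches the "[success=1 default=ignore] pam_unix.so ..." control line and
# lineinfile rewrites the whole line, so any other options present on the
# target's line (e.g. obscure, use_authtok, or a different hash keyword on
# newer releases) are dropped — confirm that is intended; use_authtok in
# particular matters when pam_pwquality/pam_pwhistory precede this module.
- name: password hashing algorithm is SHA-512
  lineinfile:
    path: /etc/pam.d/common-password  # path: 'dest' is a deprecated alias
    regexp: '^password\s+\[success'
    line: "password [success=1 default=ignore] pam_unix.so sha512"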
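# NOTE(review): this task is a duplicate of the preceding "password hashing
# algorithm is SHA-512" task (same file, regexp and line), so it is a no-op
# after that task has run. Its name refers to the shadow password suite
# parameters (PASS_MAX_DAYS and friends in /etc/login.defs), which nothing
# here configures — either remove this task or replace its body with the
# login.defs settings it was meant to apply.
- name: Shadow Password Suite Parameters
  lineinfile:
    path: /etc/pam.d/common-password  # path: 'dest' is a deprecated alias
    regexp: '^password\s+\[success'
    line: "password [success=1 default=ignore] pam_unix.so sha512"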
# Disabled (commented-out) limits/sysctl/systemd tasks, kept for reference.
# NOTE(review): if re-enabled, the "Create systemd limits" copy task below has
# an unquoted "mode: 644", which YAML reads as the decimal integer 644 rather
# than octal 0644 — quote it as "0644"; quote the "mode: 0775" above it too.
#- name: configure system settings, file descriptors and number of threads
# pam_limits:
# domain: '*'
# limit_type: "{{item.limit_type}}"
# limit_item: "{{item.limit_item}}"
# value: "{{item.value}}"
# with_items:
# - { limit_type: '-', limit_item: 'nofile', value: 65536 }
# - { limit_type: '-', limit_item: 'nproc', value: 65536 }
## - { limit_type: 'soft', limit_item: 'memlock', value: unlimited }
## - { limit_type: 'hard', limit_item: 'memlock', value: unlimited }
#- name: reload settings from all system configuration files
# shell: sysctl --system
#- name: Creates directory systemd config
# file:
# path: /etc/systemd/system.conf.d
# state: directory
# owner: root
# group: root
# mode: 0775
#- name: Create systemd limits
# copy:
# src: systemd_limit.conf
# dest: /etc/systemd/system.conf.d/limits.conf
# owner: root
# group: root
# mode: 644