From 5c095dc862c5e0b25ed6d2a5201941e96210773d Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Mon, 5 Jun 2023 10:27:22 +0200
Subject: [PATCH] policy_pam : Enforce password min days to prevent circumvention of pwhistory
---
 policy_pam/defaults/main.yml | 7 ++++++-
 policy_pam/tasks/main.yml | 13 ++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/policy_pam/defaults/main.yml b/policy_pam/defaults/main.yml
index 5a2f79d2..867a3fa5 100644
--- a/policy_pam/defaults/main.yml
+++ b/policy_pam/defaults/main.yml
@@ -29,4 +29,9 @@ policy_pam_pwquality_ocredit: 0
 policy_pam_pwhistory: true
 # How many old passwords to retain
-policy_pam_pwhistory_length: 5
\ No newline at end of file
+policy_pam_pwhistory_length: 5
+
+# How (days) old the password should be before allowing user to change it's password
+# It is to prevent circumvention of pam_pwhistory
+# Set to 0 to disable
+policy_pam_password_min_days: 0
\ No newline at end of file
diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml
index e5c7bb9a..e238e22e 100644
--- a/policy_pam/tasks/main.yml
+++ b/policy_pam/tasks/main.yml
@@ -56,13 +56,6 @@
     insertbefore: 'pam_unix.so'
   when: policy_pam_pwhistory
-# LATER : Enforce a password min age
-# - name: Change PASS_MIN_DAYS
-#   replace:
-#     dest: /etc/login.defs
-#     replace: "PASS_MIN_DAYS 7"
-#     regexp: '^PASS_MIN_DAYS.*'
-
 - name: Disable pam_pwhistory
   ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-password
@@ -70,6 +63,12 @@
     state: absent
   when: policy_pam_pwhistory is false
+# Enforce password minimal age to prevent pam_pwhistory to be circumvented by multiples password changes
+- name: Change PASS_MIN_DAYS
+  replace:
+    dest: /etc/login.defs
+    replace: 'PASS_MIN_DAYS\g<1>{{ policy_pam_password_min_days }}'
+    regexp: '^PASS_MIN_DAYS(\s+).*'
 # PAM -- pam_unix
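Review bot: The comment `# Set to 0 to disable` above `policy_pam_password_min_days` in the defaults hunk is misleading, because the `Change PASS_MIN_DAYS` task added in the tasks/main.yml hunk carries no `when:` guard and therefore rewrites `PASS_MIN_DAYS` in /etc/login.defs to 0 on every run, overwriting any stricter value an operator already set and leaving the pwhistory bypass this commit is meant to close open by default. Either guard the task with `when: policy_pam_password_min_days | int > 0` so 0 really means "leave login.defs alone", or ship a non-zero default (the removed draft used 7) and reword the comment accordingly. It is also worth stating in the comment that `PASS_MIN_DAYS` in login.defs is only consulted when accounts are created, so existing users keep their current minimum age until it is updated separately (e.g. with chage). Minor wording in the same comment: `it's password` should read `its password`.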