From 8e7f586ff2c52a7a30cf55973ba8a15303dcdff1 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 8 Sep 2020 19:17:27 +0200
Subject: [PATCH 1/2] Fix ansible remediation of
accounts_max_concurrent_login_sessions.
Add test scenarios.
---
.../ansible/shared.yml | 27 +++++++++++++++++--
.../tests/correct_value.pass.sh | 2 ++
.../tests/correct_value_2.pass.sh | 2 ++
.../tests/line_not_there.fail.sh | 2 ++
.../tests/wrong_value_1000.fail.sh | 2 ++
.../tests/wrong_value_1000_limits_d.fail.sh | 3 +++
6 files changed, 36 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index ed3d15331a..f901edee4d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -3,7 +3,29 @@
# strategy = restrict
# complexity = low
# disruption = low
-- (xccdf-var var_accounts_max_concurrent_login_sessions)
+
+{{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}
+
+- name: Find /etc/security/limits.d files contains maxlogins configuration
+ shell: "grep -q '^[^#]*\\<maxlogins\\>' /etc/security/limits.d/*.conf"
+ register: maxlogins
+ failed_when: False
+
+- name: Find /etc/security/limits.d files contains maxlogins configuration 2
+ find:
+ paths:
+ - /etc/security/limits.d
+ register: configuration_files
+ when: maxlogins.rc == 0
+
+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d"
+ replace:
+ dest: "{{ item.path }}"
+ regexp: "^#?\\*.*maxlogins.*"
+ replace: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
+ with_items:
+ - "{{ configuration_files.files }}"
+ when: maxlogins.rc == 0
- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
lineinfile:
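Review bot: The detection and the rewrite in this hunk disagree about what a maxlogins entry is: the grep on the `shell:` line flags any uncommented line containing `maxlogins`, including per-user or per-group entries such as `@wheel hard maxlogins 100`, while the `replace` task only rewrites lines matching `^#?\*`. A limits.d file that holds only a group-specific entry therefore gives `rc == 0`, nothing is replaced, and the limits.conf task is skipped by its `when:`, so the play reports the rule remediated without setting any limit. The `find` task also has no `patterns:` filter, so files pam_limits never reads (for example `.rpmsave` backups in limits.d) get edited as well; the second commit in this series narrows both of these with `contains:` and `patterns: "*.conf"`, but the user/group case still needs handling. The `lineinfile` task that starts on the last line of this hunk continues outside it.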
@@ -11,5 +33,6 @@
dest: /etc/security/limits.conf
insertbefore: "^# End of file"
regexp: "^#?\\*.*maxlogins"
- line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
+ line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
create: yes
+ when: maxlogins.rc != 0 # no files found on /etc/security/limits.d
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..0edb1e2873
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "* hard maxlogins 1" >> /etc/security/limits.conf
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
new file mode 100644
index 0000000000..a58f18abf1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "* hard maxlogins 1" >> /etc/security/limits.d/limits.conf
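Review bot: This scenario writes into /etc/security/limits.d/ without first creating the directory, whereas the sibling fail scenario for limits.d runs `mkdir -p /etc/security/limits.d/` before its echo; if the test image ships without the directory the redirect fails and the "pass" scenario is never set up. Add `mkdir -p /etc/security/limits.d/` before the `echo` line so both limits.d scenarios are set up the same way.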
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..05a7907cf5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+
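Review bot: An empty script only models "line not there" if the base image has no maxlogins entry to begin with, which the scenario does not ensure; a distribution limits.conf or a limits.d drop-in that already carries `* hard maxlogins` would make this a pass rather than a fail. Delete any existing entries explicitly, e.g. `sed -i '/maxlogins/d' /etc/security/limits.conf` and `rm -f /etc/security/limits.d/*.conf` (or a matching `sed` over them), so the scenario is self-contained regardless of the image.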
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
new file mode 100644
index 0000000000..bbf7622d87
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "* hard maxlogins 1000" >> /etc/security/limits.conf
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
new file mode 100644
index 0000000000..49ed331a3e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+mkdir -p /etc/security/limits.d/
+echo "* hard maxlogins 1000" >> /etc/security/limits.d/limits.conf
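Review bot: The precedence case that motivated the limits.d handling in the remediation is not covered: a correct `* hard maxlogins 1` in limits.conf together with a wrong `* hard maxlogins 1000` in limits.d, where the limits.d value is the effective one because those files are read after limits.conf. Adding a scenario such as `wrong_value_limits_d_overrides_conf.fail.sh` with `echo "* hard maxlogins 1" >> /etc/security/limits.conf` followed by the two lines of this script would confirm that both the check and the remediation act on the effective value rather than on limits.conf alone; I cannot see the OVAL check here, so whether it already handles this is inferred, not verified.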
From c84d31d789675ac2373bc1dec5cb218f15a06ec0 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 9 Sep 2020 14:05:53 +0200
Subject: [PATCH 2/2] Use ansible find module in
accounts_max_concurrent_login_sessions.
---
.../ansible/shared.yml | 22 +++++++------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
index f901edee4d..9d50a9d20c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
@@ -6,26 +6,20 @@
{{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}
-- name: Find /etc/security/limits.d files contains maxlogins configuration
- shell: "grep -q '^[^#]*\\<maxlogins\\>' /etc/security/limits.d/*.conf"
- register: maxlogins
- failed_when: False
-
-- name: Find /etc/security/limits.d files contains maxlogins configuration 2
+- name: Find /etc/security/limits.d files containing maxlogins configuration
find:
- paths:
- - /etc/security/limits.d
- register: configuration_files
- when: maxlogins.rc == 0
+ paths: "/etc/security/limits.d"
+ contains: '^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins'
+ patterns: "*.conf"
+ register: maxlogins
-- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d"
+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User in files from limits.d"
replace:
dest: "{{ item.path }}"
regexp: "^#?\\*.*maxlogins.*"
replace: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
with_items:
- - "{{ configuration_files.files }}"
- when: maxlogins.rc == 0
+ - "{{ maxlogins.files }}"
- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
lineinfile:
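Review bot: The `contains:` regex on the new `find` task only recognises wildcard entries (`^[\s]*\*...`), so a per-user or per-group line such as `@wheel hard maxlogins 100` in a limits.d file is neither detected nor rewritten, and the `replace` regexp `^#?\*.*maxlogins.*` skips it as well; pam_limits gives an explicit user or group entry precedence over the `*` wildcard, so members of that group keep the higher limit after the play reports the rule remediated. Rewriting such lines to `*` would change their meaning, so at minimum the play should surface them instead of passing silently; a second `find` with the domain class inverted, followed by a `debug` (or `fail`) over its `files`, does that, and limits.conf itself deserves the same scan. The `(?:(?:hard)|(?:-))` group can be written `(?:hard|-)`. The `lineinfile` task that starts on the last line of this hunk continues outside it.
```yaml
# … unchanged: find over limits.d registering maxlogins …

- name: Find limits.d entries for specific users or groups that override the "*" maxlogins limit
  find:
    paths: "/etc/security/limits.d"
    contains: '^[\s]*[^#\*\s]\S*[\s]+(?:hard|-)[\s]+maxlogins'
    patterns: "*.conf"
  register: maxlogins_overrides

- name: Report user/group-specific maxlogins entries that were left in place
  debug:
    msg: "{{ item.path }} sets maxlogins for a specific user or group; this overrides the '*' limit and is not remediated"
  with_items:
    - "{{ maxlogins_overrides.files }}"

# … unchanged: replace task over maxlogins.files …
```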
@@ -35,4 +29,4 @@
regexp: "^#?\\*.*maxlogins"
line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
create: yes
- when: maxlogins.rc != 0 # no files found on /etc/security/limits.d
+ when: maxlogins.matched == 0 # no files found on /etc/security/limits.d matching maxlogins
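Review bot: The new `when:` leaves limits.conf untouched whenever a limits.d file matched, so a stale `* hard maxlogins 1000` can remain in limits.conf after remediation; this is safe only because pam_limits reads limits.d/*.conf after limits.conf and the later `*` entry wins, and that reasoning is worth recording so a future edit does not reorder the tasks. Replace the trailing comment with `# limits.d/*.conf is parsed after limits.conf, so a remediated "*" entry there overrides any stale value left here`. The `lineinfile` task this hunk belongs to starts outside it.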