diff --git a/defaults/main.yml b/defaults/main.yml
index 74e3ebd..197f1ec 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,6 +17,10 @@ users_global_umask: "022"
 users_pass_min_day: 1
 users_default_inactive: -1
+users_password_pam_retry: 3
+users_password_pam_minlen: 14
+users_password_pam_minclass: 4
+
 users_global_bash_aliases:
 - alias: "ll"
 command: "ls -lh"
diff --git a/tasks/security.yml b/tasks/security.yml
index fc0b242..e0af215 100644
--- a/tasks/security.yml
+++ b/tasks/security.yml
@@ -9,6 +9,11 @@
 - /etc/profile
 register: __users_umask_files
+ - name: Stat pwquality files
+ stat:
+ path: "/etc/security/pwquality.conf"
+ register: __users_pwquality_file
+
 - name: Set global umask
 replace:
 path: "{{ item }}"
@@ -39,5 +44,14 @@
 line: \g{{ users_default_inactive }}
 backrefs: yes
 state: present
+
+ - name: Set pwquality if available
+ template:
+ src: etc/security/pwquality.conf.j2
+ dest: /etc/security/pwquality.conf
+ owner: root
+ group: root
+ mode: 0644
+ when: __users_pwquality_file.stat.exists | bool
 become: True
 become_user: root
diff --git a/templates/etc/profile.d/custom.sh.j2 b/templates/etc/profile.d/custom.sh.j2
index 93e5228..6178f8f 100644
--- a/templates/etc/profile.d/custom.sh.j2
+++ b/templates/etc/profile.d/custom.sh.j2
@@ -1,6 +1,5 @@
 #jinja2:lstrip_blocks: True
 {{ ansible_managed | comment }}
-
 # are we an interactive shell?
 if [ "$PS1" ]; then
 if [[ ${EUID} == 0 ]] ; then
diff --git a/templates/etc/security/pwquality.conf.j2 b/templates/etc/security/pwquality.conf.j2
new file mode 100644
index 0000000..316dd6b
--- /dev/null
+++ b/templates/etc/security/pwquality.conf.j2
@@ -0,0 +1,5 @@
+#jinja2:lstrip_blocks: True
+{{ ansible_managed | comment }}
+retry = {{ users_password_pam_retry }}
+minlen = {{ users_password_pam_minlen }}
+minclass = {{ users_password_pam_minclass }}
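Review bot: The three new `users_password_pam_*` defaults are added with no comment saying what they control or where they end up; a reader has to open templates/etc/security/pwquality.conf.j2 to discover they are rendered into /etc/security/pwquality.conf. Proposed comment above `users_password_pam_retry: 3`: `# pam_pwquality policy rendered into /etc/security/pwquality.conf (tasks/security.yml)`, with one inline comment per key: `# prompts before the password change fails`, `# minimum password length`, `# number of distinct character classes required`. Documenting them here matters because these are the only knobs a role consumer sees when overriding the password policy.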
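Review bot: The `when: __users_pwquality_file.stat.exists | bool` gate on the new "Set pwquality if available" task only establishes that /etc/security/pwquality.conf exists, not that pam_pwquality is wired into the host's PAM password stack, so on a host where the file is present but the module is not in use the rendered minlen/minclass policy may never be enforced; the task name and a comment should make that limitation explicit, e.g. `# Only rewrites the config file; does not verify pam_pwquality is enabled in the PAM stack`. The task also replaces the entire file with a template that carries only retry, minlen and minclass, so any other settings the distribution shipped in that file are discarded on every run; if that is intended, say so in a comment rather than leaving it implicit. Separately, `mode: 0644` is an unquoted octal literal and should be written `mode: "0644"` so the YAML parser passes Ansible a string rather than an integer. The enclosing task list and the `become`/`become_user` keys it sits under start and end outside the hunk.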