[Breaking] Drop support for PAM related config.

The code for handling PAM stuff was not very robust. Since a small misconfiguration can lock the user out of their system, I've decided to drop support for PAM related configuration, other than disabling core dumps.
chzerv · Jan 10, 2022 · dac0430 · dac0430
1 parent 3bc6593
commit dac0430
Show file tree

Hide file tree

Showing 8 changed files with 5 additions and 285 deletions.
diff --git a/README.md b/README.md
@@ -4,6 +4,9 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Ansible Role](https://img.shields.io/ansible/role/50034?color=dodgerblue)](https://galaxy.ansible.com/chzerv/security)
 
+> **Important Changes**:
+> As of v0.7, the role no longer supports the `security_enforce_strong_passwords`, `security_log_after_failed_logins` and `security_nproc_limit` options. Bad PAM configuration can lock you out of the system, so I'll have to find a better way to implement these.
+
 **Remember, securing YOUR PC/server is YOUR OWN responsibility.** This is a very basic template and it should be used as a _template_, not a complete solution.
 
 This role performs some basic security configuration on RedHat/Debian/Archlinux based Linux systems, like:
@@ -19,16 +22,13 @@ This role performs some basic security configuration on RedHat/Debian/Archlinux
 - Basic kernel-hardening.
 - Basic TCP/IP stack hardening.
 - Remove packages of your choice.
-- Setup/configure PAM modules like `pam_tally2` and `pwquality`.
 - Disable core dumps, using `limits`.
-- Set an `nproc` limit for protection against fork bombs, using `limits` (does not apply for the root user).
 
 ## Requirements
 
 -  After running this role, SSH access will only be possible using public keys, therefore,
 your SSH keys must be already copied to the remote host. See [this ArchWiki entry](https://wiki.archlinux.org/title/SSH_keys#Copying_the_public_key_to_the_remote_server) on how to easily copy your SSH keys to the remote host.
 - Basic understanding of what each setting does.
-- Not strictly a requirement, but if you decide to let the role configure PAM related stuff, make sure you have a root shell open on the remote host(s) before running the role.
 
 ## Role Variables
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -60,10 +60,4 @@ security_autoupdates_blacklist:
 
 security_autoupdates_apply_updates: "yes"
 
-security_secure_pam: true
-security_enforce_strong_passwords: true
-security_lock_after_failed_logins: true
-security_lock_after_num_of_failed_logins: 4
 security_disable_core_dumps: true
-security_nproc_limit: true
-security_nproc_limit_value: "2048"
diff --git a/docs/pam-limits.md b/docs/pam-limits.md
@@ -1,29 +1,7 @@
-# PAM and limits configuration
-
-**NOTE:** Messing with PAM can be dangerous. Please, at least make sure you have a root shell open before running the role.
-
-```yaml
-security_enforce_strong_passwords: true
-security_lock_after_failed_logins: true
-security_lock_after_num_of_failed_logins: 4
-```
-
-> - Enforce users to use strong passwords (at least 12 characters, with digits, lowercase, uppercase and symbols).
-> - Lock user accounts after number of consecutive failed login attempts.
-> - How many consecutive login attempts are allowed.
+# Set up limits using PAM
 
 ```yaml
 security_disable_core_dumps: true
 ```
 
 > Whether to disable core dumps or not.
-
-```yaml
-security_nproc_limit: true
-security_nproc_limit_value: "2048"
-```
-
-> - Set a nproc limit to help against fork-bombs.
-> - The value of the nproc limit. _This does NOT affect the root user!_
->
-> **Please note that having a very low limit can make your system unusable!**
diff --git a/tasks/limits.yml b/tasks/limits.yml
@@ -15,23 +15,3 @@
     limit_item: core
     value: "0"
     comment: Disable core dumps for all users since they can contain sensitive information.
-  when: security_disable_core_dumps | bool
-
-- name: Enforce an 'nproc' limit.
-  block:
-    - name: Set the global nproc hardlimit.
-      pam_limits:
-        dest: /etc/security/limits.d/10-custom-limits.conf
-        domain: "*"
-        limit_type: hard
-        limit_item: nproc
-        value: "{{ security_nproc_limit_value }}"
-
-    - name: Set the nproc hardlimit for the root user.
-      pam_limits:
-        dest: /etc/security/limits.d/10-custom-limits.conf
-        domain: root
-        limit_type: hard
-        limit_item: nproc
-        value: "65536"
-  when: security_nproc_limit | bool
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -25,9 +25,5 @@
     - security_autoupdates_enabled | bool
     - not ansible_os_family == "Archlinux"
 
-- include_tasks: pam-{{ ansible_os_family }}.yml
-  when: security_secure_pam | bool
-
 - include_tasks: limits.yml
-  when:
-    - security_secure_pam | bool
+  when: security_disable_core_dumps | bool
diff --git a/tasks/pam-Archlinux.yml b/tasks/pam-Archlinux.yml
diff --git a/tasks/pam-Debian.yml b/tasks/pam-Debian.yml
diff --git a/tasks/pam-RedHat.yml b/tasks/pam-RedHat.yml