Merge pull request #594 from dlouzan/fix/type-cast-variables

fix(os_hardening): cast expected int types in pam tasks
dev-sec · Oct 27, 2022 · 99fe8b6 · 99fe8b6
2 parents a1f75f8 + f8295d5
commit 99fe8b6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/roles/os_hardening/tasks/pam_debian.yml b/roles/os_hardening/tasks/pam_debian.yml
@@ -22,7 +22,7 @@
  name: 'libpam-modules'
  state: 'present'
  when:
- - os_auth_retries > 0
+ - os_auth_retries|int > 0
 
 - name: Manage tally on Debian stable
  when:
@@ -37,14 +37,14 @@
  owner: 'root'
  group: 'root'
  when:
- - os_auth_retries > 0
+ - os_auth_retries|int > 0
 
  - name: Delete tally2 when retries is 0
  file:
  path: '{{ tally2_path }}'
  state: 'absent'
  when:
- - os_auth_retries == 0
+ - os_auth_retries|int == 0
 
 - name: Manage tally/faillock on Debian unstable
  when:
@@ -80,7 +80,7 @@
  owner: 'root'
  group: 'root'
  when:
- - os_auth_retries > 0
+ - os_auth_retries|int > 0
 
  - name: Configure faillock pam authfail
  template:
@@ -90,21 +90,21 @@
  owner: 'root'
  group: 'root'
  when:
- - os_auth_retries > 0
+ - os_auth_retries|int > 0
 
  - name: Delete faillock when retries is 0
  file:
  path: '/usr/share/pam-configs/faillock'
  state: 'absent'
  when:
- - os_auth_retries == 0
+ - os_auth_retries|int == 0
 
  - name: Delete faillock authfail when retries is 0
  file:
  path: '/usr/share/pam-configs/faillock_authfail'
  state: 'absent'
  when:
- - os_auth_retries == 0
+ - os_auth_retries|int == 0
 
 - name: Update pam on Debian systems
  command: 'pam-auth-update --package'

diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -4,7 +4,7 @@
 #%PAM-1.0
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
-{% if os_auth_retries > 0 %}
+{% if os_auth_retries|int > 0 %}
 auth required pam_faillock.so preauth silent audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
 {% endif %}
 {% if (os_auth_pam_sssd_enable | bool) %}
@@ -16,12 +16,12 @@ auth sufficient pam_unix.so nullok try_first_pass
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth sufficient pam_sss.so forward_pass
 {% endif %}
-{% if os_auth_retries > 0 %}
+{% if os_auth_retries|int > 0 %}
 auth required pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
 {% endif %}
 auth required pam_deny.so
 
-{% if os_auth_retries > 0 %}
+{% if os_auth_retries|int > 0 %}
 account required pam_faillock.so
 {% endif %}
 account required pam_unix.so