From 8e7f586ff2c52a7a30cf55973ba8a15303dcdff1 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Tue, 8 Sep 2020 19:17:27 +0200

Subject: [PATCH 1/2] Fix ansible remediation of

 accounts_max_concurrent_login_sessions.

Add test scenarios.

---

 .../ansible/shared.yml                        | 27 +++++++++++++++++--

 .../tests/correct_value.pass.sh               |  2 ++

 .../tests/correct_value_2.pass.sh             |  2 ++

 .../tests/line_not_there.fail.sh              |  2 ++

 .../tests/wrong_value_1000.fail.sh            |  2 ++

 .../tests/wrong_value_1000_limits_d.fail.sh   |  3 +++

 6 files changed, 36 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh

 create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml

index ed3d15331a..f901edee4d 100644

--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml

@@ -3,7 +3,29 @@

 # strategy = restrict

 # complexity = low

 # disruption = low

-- (xccdf-var var_accounts_max_concurrent_login_sessions)

+

+{{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}

+

+- name: Find /etc/security/limits.d files contains maxlogins configuration

+  shell: "grep -q '^[^#]*\\<maxlogins\\>' /etc/security/limits.d/*.conf"

+  register: maxlogins

+  failed_when: False

+

+- name: Find /etc/security/limits.d files contains maxlogins configuration 2

+  find:

+    paths:

+      - /etc/security/limits.d

+  register: configuration_files

+  when: maxlogins.rc == 0

+

+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d"

+  replace:

+    dest: "{{ item.path }}"

+    regexp: "^#?\\*.*maxlogins.*"

+    replace: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"

+  with_items:

+    - "{{ configuration_files.files }}"

+  when: maxlogins.rc == 0

 - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"

   lineinfile:

@@ -11,5 +33,6 @@

     dest: /etc/security/limits.conf

     insertbefore: "^# End of file"

     regexp: "^#?\\*.*maxlogins"

-    line: "*           hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"

+    line: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"

     create: yes

+  when: maxlogins.rc != 0 # no files found on /etc/security/limits.d

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh

new file mode 100644

index 0000000000..0edb1e2873

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh

@@ -0,0 +1,2 @@

+#!/bin/bash

+echo "* hard maxlogins 1" >> /etc/security/limits.conf

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh

new file mode 100644

index 0000000000..a58f18abf1

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh

@@ -0,0 +1,2 @@

+#!/bin/bash

+echo "* hard maxlogins 1" >> /etc/security/limits.d/limits.conf

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh

new file mode 100644

index 0000000000..05a7907cf5

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh

@@ -0,0 +1,2 @@

+#!/bin/bash

+

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh

new file mode 100644

index 0000000000..bbf7622d87

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh

@@ -0,0 +1,2 @@

+#!/bin/bash

+echo "* hard maxlogins 1000" >> /etc/security/limits.conf

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh

new file mode 100644

index 0000000000..49ed331a3e

--- /dev/null

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+mkdir -p /etc/security/limits.d/

+echo "* hard maxlogins 1000" >> /etc/security/limits.d/limits.conf

From c84d31d789675ac2373bc1dec5cb218f15a06ec0 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Wed, 9 Sep 2020 14:05:53 +0200

Subject: [PATCH 2/2] Use ansible find module in

 accounts_max_concurrent_login_sessions.

---

 .../ansible/shared.yml                        | 22 +++++++------------

 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml

index f901edee4d..9d50a9d20c 100644

--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml

+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml

@@ -6,26 +6,20 @@

 {{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}

-- name: Find /etc/security/limits.d files contains maxlogins configuration

-  shell: "grep -q '^[^#]*\\<maxlogins\\>' /etc/security/limits.d/*.conf"

-  register: maxlogins

-  failed_when: False

-

-- name: Find /etc/security/limits.d files contains maxlogins configuration 2

+- name: Find /etc/security/limits.d files containing maxlogins configuration

   find:

-    paths:

-      - /etc/security/limits.d

-  register: configuration_files

-  when: maxlogins.rc == 0

+    paths: "/etc/security/limits.d"

+    contains: '^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins'

+    patterns: "*.conf"

+  register: maxlogins

-- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d"

+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User in files from limits.d"

   replace:

     dest: "{{ item.path }}"

     regexp: "^#?\\*.*maxlogins.*"

     replace: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"

   with_items:

-    - "{{ configuration_files.files }}"

-  when: maxlogins.rc == 0

+    - "{{ maxlogins.files }}"

 - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"

   lineinfile:

@@ -35,4 +29,4 @@

     regexp: "^#?\\*.*maxlogins"

     line: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"

     create: yes

-  when: maxlogins.rc != 0 # no files found on /etc/security/limits.d

+  when: maxlogins.matched == 0 # no files found on /etc/security/limits.d matching maxlogins