Lock user for 10 minutes after 10 attempts
This commit is contained in:
parent
fee4066e8f
commit
f15191ddf8
2 changed files with 68 additions and 0 deletions
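--- a/files/faillock.conf
+++ b/files/faillock.conf
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+# audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = 10
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+# fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+unlock_time = 300
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>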
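Review bot: `unlock_time = 300` re-enables access after 5 minutes, while the commit title says 10 minutes and the comment directly above the key states the default is 600 (10 minutes); either the title or the value should change, e.g. `unlock_time = 600` if the title describes the intended policy. The comments copied from the man page still carry markup: `# lock out is <replaceable>n</replaceable> seconds.` should read `# lock out is n seconds.`, and `even_deny_root>` near the end has a stray `>`. With `even_deny_root` left commented out, root is not subject to lockout (per the comment, it is only enabled when the option is present); if that exclusion is deliberate, a one-line comment saying so would spare the next reader from guessing.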
@ -34,3 +34,9 @@
|
|||
path: "{{ home }}/Private"
|
||||
owner: "{{ user }}"
|
||||
mode: 0700
|
||||
|
||||
- name: Install faillock config
|
||||
copy:
|
||||
src: ./files/faillock.conf
|
||||
dest: /etc/security/faillock.conf
|
||||
mode: 0644
|
||||
|
|
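Review bot: The new "Install faillock config" task places the file at `/etc/security/faillock.conf`, but nothing in this hunk makes the PAM stack load `pam_faillock.so`; on its own, the config file has no effect unless the auth/account stacks already reference the module, which presumably happens elsewhere in the role (outside this view) and is worth confirming or noting in a task comment. The `copy` task sets `mode: 0644` but no `owner`/`group`, so ownership falls back to the user Ansible runs as; adding `owner: root` and `group: root` makes the intent explicit. The surrounding task list continues outside the hunk, so the enclosing play is not visible here.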