ec50013f55
This patch takes two commonly failing tasks and configures them to be fixed if a variable is toggled on. This is needed for gate checks to pass for ansible-functional runs. Closes-bug: 1521233 Change-Id: I4f54ef7af30d530f781d60ce232cc6aacda81ce4
768 B
768 B
Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.
In Ubuntu, this functionality is controlled by the
nullok_secure parameter found in
/etc/pam.d/common-auth. The Ansible task for this STIG will
remove the nullok_secure from the PAM configuration file.
The effects of the change are immediate and no service restarts are
required.
However, deployers can opt-out of this change by adjusting an Ansible variable:
pam_remove_nullok: yesSetting the variable to yes (the default) will cause the
Ansible tasks to remove the nullok_secure parameter while
setting the variable to no will leave the PAM configuration
unchanged.