From c89db394840db9523e69d9034753ad2cbf7d9d47 Mon Sep 17 00:00:00 2001
From: "rupali.matkar"
Date: Sat, 12 Apr 2025 20:31:33 +0530
Subject: [PATCH] DLPX-86530 CIS: delphix user lockout after failed login attempts
PR URL: https://www.github.com/delphix/delphix-platform/pull/522
---
 .github/workflows/main.yml | 6 ++--
 .../roles/delphix-platform/tasks/main.yml | 35 +++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d19c63236..cbef0d43a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v1
 with:
- python-version: '3.8'
+ python-version: '3.9.21'
 - run: python3 -m pip install pylint
 - run: python3 -m pip install netifaces
 - run: pylint -d invalid-name,E0611 files/common/usr/bin/delphix-startup-screen
@@ -33,7 +33,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v1
 with:
- python-version: '3.8'
+ python-version: '3.9.21'
 - run: python3 -m pip install yapf
 - run: yapf --diff --style google files/common/usr/bin/delphix-startup-screen
 check-mypy:
@@ -42,6 +42,6 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-python@v1
 with:
- python-version: '3.8'
+ python-version: '3.9.21'
 - run: python3 -m pip install mypy
 - run: mypy --ignore-missing-imports files/common/usr/bin/delphix-startup-screen
diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
index 36f1956af..e3f9eb485 100644
--- a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
+++ b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
@@ -336,6 +336,41 @@
 regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$'
 replace: '\1'
 
+#
+#
+# Lock out the user after an unsuccessful consecutive login attempts.
+#
+- lineinfile:
+ path: /etc/pam.d/common-auth
+ line: "{{ item }}"
+ insertbefore: '^auth\s+\[success=1\s+default=ignore\]\s+pam_unix\.so\s+nullok\s+try_first_pass'
+ with_items:
+ - 'auth required pam_tally2.so audit deny=5 unlock_time=60'
+
+#
+#
+# Configuration to enforce account lockout policies.
+#
+- lineinfile:
+ path: /etc/pam.d/common-account
+ line: "{{ item }}"
+ insertafter: EOF
+ with_items:
+ - 'account required pam_tally2.so'
+
+
+#
+#
+# Configuration to remember user password history.
+#
+- lineinfile:
+ path: /etc/pam.d/common-password
+ line: "{{ item }}"
+ insertbefore: '^password\s+\[success=1 default=ignore\]\s+pam_unix\.so\s+obscure\s+sha512'
+ with_items:
+ - 'password required pam_pwhistory.so remember=5'
+
+
 #
 # Enable SNMP client tools to load MIBs by default.
 #
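Review bot: The lockout silently does nothing if the `insertbefore` anchor in the common-auth task does not match: Ansible's lineinfile appends the line at EOF when the regex finds nothing, which in common-auth places `pam_tally2.so` after the `pam_deny.so`/`pam_permit.so` terminators where the stack never reaches it, and the play still reports success. The `nullok\s+try_first_pass` and `obscure\s+sha512` patterns are tied to one release's pam-auth-update output (other Ubuntu releases emit `nullok_secure` or `obscure yescrypt`), so precede each task with a guard such as `command: grep -Eq '^auth\s+\[success=1\s+default=ignore\]\s+pam_unix\.so' /etc/pam.d/common-auth` with `changed_when: false`, or ship a profile under /usr/share/pam-configs so pam-auth-update owns these lines instead of overwriting them on its next run. Separately, pam_tally2 was removed from Linux-PAM 1.5.0; if the target image ships pam_faillock instead, a `required` line naming a module that cannot be loaded fails every login rather than being skipped, so confirm the module is present in the image. Finally, `unlock_time=60` is well below the 900 seconds the CIS Ubuntu benchmark cited by this change recommends for this control; confirm 60 is the intended policy rather than a test value.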