unknown item 'FAIL_DELAY'

Bug #1659120 reported by Kyle L. Henderson
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Major Hayden
Milestone: (none)

Bug Description

After running the security hardening on Ubuntu 16.04 I get a nag message every time I use sudo:

ubuntu@kyleclust3-controller1-d3fykirnrm4x:~$ sudo su -
configuration error - unknown item 'FAIL_DELAY' (notify administrator)

It appears the following is added to the /etc/login.defs:

FAIL_DELAY 4

But grepping /etc/ I see this in /etc/pam.d/login:

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000

So it appears that Ubuntu handles this delay function differently than RHEL / CentOS.

Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (master)

Fix proposed to branch: master
Review: https://review.openstack.org/426892

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (master)

Reviewed: https://review.openstack.org/426892
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=c15d75ecf43efc5d61bbb0199aed3aee08c685a9
Submitter: Jenkins
Branch: master

commit c15d75ecf43efc5d61bbb0199aed3aee08c685a9
Author: Major Hayden <email address hidden>
Date: Mon Jan 30 13:14:39 2017 -0600

    Configure pam_faildelay on Ubuntu

    As noted in the bug, Ubuntu 16.04 doesn't use FAIL_DELAY in
    `/etc/login.defs` as CentOS 7 does. This patch ensures that
    `pam_faildelay` is properly configured on Xenial.

    Closes-Bug: 1659120
    Change-Id: I9ff9f45c0c5bdd749c9491431e2dcb8836587e78

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-security 16.0.0.0b1

This issue was fixed in the openstack/openstack-ansible-security 16.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/500924

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/ocata)

Reviewed: https://review.openstack.org/500924
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=d0ec2e8dd002ddb5cb02f8188971e8ab0e91322a
Submitter: Jenkins
Branch: stable/ocata

commit d0ec2e8dd002ddb5cb02f8188971e8ab0e91322a
Author: Major Hayden <email address hidden>
Date: Mon Jan 30 13:14:39 2017 -0600

    Configure pam_faildelay on Ubuntu

    As noted in the bug, Ubuntu 16.04 doesn't use FAIL_DELAY in
    `/etc/login.defs` as CentOS 7 does. This patch ensures that
    `pam_faildelay` is properly configured on Xenial.

    A direct backport wasn't possible due to the
    vars/main.yml -> vars/common.yml migration done in pike.

    Closes-Bug: 1659120
    Closes-Bug: 1714462
    Change-Id: I9ff9f45c0c5bdd749c9491431e2dcb8836587e78
    (cherry picked from commit c15d75ecf43efc5d61bbb0199aed3aee08c685a9)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 15.1.10

This issue was fixed in the openstack/ansible-hardening 15.1.10 release.
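
An added example, not part of the bug report or the project's code: a small audit that checks where the failed-login delay is configured, using the two settings quoted in the report (FAIL_DELAY in login.defs is in seconds, pam_faildelay's delay= is in microseconds). The function names, the `pam_based` flag, the 4-second target and the sample inputs are assumptions made for illustration.

```python
import re

# Constructed sample inputs modelled on the lines quoted in the bug report.
LOGIN_DEFS = "UMASK 022\nFAIL_DELAY 4\n"
PAM_LOGIN = (
    "# (Replaces the `FAIL_DELAY' setting from login.defs)\n"
    "auth optional pam_faildelay.so delay=3000000\n"
)

def login_defs_fail_delay(text):
    """Return FAIL_DELAY in seconds from login.defs content, or None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "FAIL_DELAY" and fields[1].isdigit():
            return int(fields[1])
    return None

def pam_faildelay_usec(text):
    """Return the pam_faildelay delay in microseconds, or None if absent.
    Handles single-word control values only (e.g. 'optional')."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2] == "pam_faildelay.so":
            for opt in fields[3:]:
                m = re.fullmatch(r"delay=(\d+)", opt)
                if m:
                    return int(m.group(1))
    return None

def audit(login_defs, pam_login, wanted_seconds, pam_based):
    """List findings. pam_based=True models a host (Ubuntu 16.04 in the bug)
    where FAIL_DELAY in login.defs is rejected as an unknown item."""
    findings = []
    in_defs = login_defs_fail_delay(login_defs)
    usec = pam_faildelay_usec(pam_login)
    if pam_based:
        if in_defs is not None:
            findings.append("FAIL_DELAY in login.defs: unknown item, remove it")
        if usec is None:
            findings.append("pam_faildelay not configured")
        elif usec < wanted_seconds * 1_000_000:
            findings.append(f"pam_faildelay delay={usec} is below {wanted_seconds}s")
    elif in_defs is None or in_defs < wanted_seconds:
        findings.append(f"FAIL_DELAY below {wanted_seconds}s or missing")
    return findings
```

On a real host, pass the contents of /etc/login.defs and /etc/pam.d/login instead of the sample strings.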
