diff --git a/roles/pam_shield/files/shield.conf b/roles/pam_shield/files/shield.conf
deleted file mode 100644
index 9847147557..0000000000
--- a/roles/pam_shield/files/shield.conf
+++ /dev/null
@@ -1,103 +0,0 @@
-#
-# /etc/security/shield.conf
-#
-
-#
-# log debugging info to syslog
-#
-debug off
-
-#
-# block all-users blocks only unknown users
-# block all-users blocks everyone
-#
-block all-users
-
-#
-# is it OK for the remote host to have no DNS entry?
-#
-allow_missing_dns yes
-
-#
-# is it OK for the remote host to have no reverse DNS entry?
-#
-allow_missing_reverse yes
-
-#
-# allow these hosts or networks by name
-#
-allow localhost
-# allow .localdomain
-
-#bastion
-allow 10.5.126.11
-allow 10.5.126.12
-allow 192.168.0.1
-#lockbox
-allow 10.5.126.23
-# don't block lockbox's remote addr, either
-allow 209.132.181.6
-
-#noc1
-allow noc1.phx2.fedoraproject.org
-allow 10.5.126.41
-allow 192.168.1.10
-allow 209.132.181.35
-
-# RDU NAT
-allow 66.187.233.202
-allow 66.187.233.206
-# RH NAT
-allow 66.187.230.200
-# PHX2 NAT
-allow 209.132.181.102
-# tlv RHT NAT
-allow 66.187.237.10
-# brno RHT NAT
-allow 209.132.186.34
-# IUD RHT NAT
-allow 66.187.233.203
-
-#
-# never lock out this network
-# You should list all your local networks here to make sure no local user can
-# lock you out from the inside
-#
-allow 127.0.0.1/255.0.0.0
-
-# this syntax is also supported:
-#allow 127.0.0.1/8
-
-
-#
-# location of the database file
-#
-db /var/lib/pam_shield/db
-
-#
-# external command that is run when a site should be blocked/unblocked
-#
-trigger_cmd /usr/sbin/shield-trigger
-
-#
-# number of connections per interval from one site that triggers us
-#
-max_conns 15
-
-#
-# the interval and retention period may be specified in seconds, or
-# with a postfix:
-#
-# 1s seconds 1w weeks
-# 1m minutes 1M months (30 days)
-# 1h hours 1y years
-# 1d days
-#
-interval 5m
-
-#
-# period until the entry expires from the database again
-#
-retention 5d
-
-# EOB
diff --git a/roles/pam_shield/files/sshd b/roles/pam_shield/files/sshd
deleted file mode 100644
index 1e7e64504d..0000000000
--- a/roles/pam_shield/files/sshd
+++ /dev/null
@@ -1,16 +0,0 @@
-#%PAM-1.0
-auth required pam_shield.so
-auth required pam_sepermit.so
-auth substack password-auth
-auth include postlogin
-account required pam_nologin.so
-account include password-auth
-password include password-auth
-# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
-session required pam_loginuid.so
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open env_params
-session optional pam_keyinit.so force revoke
-session include password-auth
-session include postlogin
diff --git a/roles/pam_shield/tasks/main.yml b/roles/pam_shield/tasks/main.yml
deleted file mode 100644
index 65b0a54858..0000000000
--- a/roles/pam_shield/tasks/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-#install pam_shield
-- name: install pam_shield
- yum: name=pam_shield state=present
- tags:
- - packages
-
-- name: /etc/security/shield.conf
- copy: src=shield.conf dest=/etc/security/shield.conf
- tags:
- - config
-
-- name: Put new sshd pam file in place
- copy: src=sshd dest=/etc/pam.d/sshd
- tags:
- - config