From c59daafac7d954b13c474f5200ac14518dddf354 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 15:31:04 -0500
Subject: [PATCH] V-38684: Max concurrent sessions

Implements: blueprint security-hardening
Change-Id: I0fe3d2cbfdbb9063595f5041f0c5f2729180e65f
---
 defaults/main.yml | 3 +++
 doc/source/developer-notes/V-38684.rst | 11 +++++++++++
 tasks/misc.yml | 10 ++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38684.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index 9d71a1ce..18efc244 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -164,6 +164,9 @@ num_logs: 5 # V-38636
 # V-38480 - To warn users before their password expires, uncomment the line
 # below and they will be warned 7 days prior (following the STIG).
 #password_warn_age: 7 # V-38480
+# V-38684 - Setting the maximum number of simultaneous logins per user. The
+# STIG sets a limit of 10.
+#max_simultaneous_logins: 10 # V-38684
 ## Kernel modules
 # Set these booleans to 'yes' to disable the kernel module (following the
diff --git a/doc/source/developer-notes/V-38684.rst b/doc/source/developer-notes/V-38684.rst
new file mode 100644
index 00000000..7dda867c
--- /dev/null
+++ b/doc/source/developer-notes/V-38684.rst
@@ -0,0 +1,11 @@
+**Opt-in required**
+
+Ubuntu does not set a limit on the maximum number of active sessions that
+a single user can have at one time. The STIG requires setting a limit of
+``10``.
+
+To opt-in for this change, set the following Ansible variable:
+
+.. code-block:: yaml
+
+ max_simultaneous_logins: 10
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 49cdb771..517c823a 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -109,6 +109,16 @@
 - cat3
 - V-38624
+- name: V-38684 - Maximum simultaneous logins per user
+ lineinfile:
+ dest: /etc/security/limits.d/V-38684-maxlogins.conf
+ line: "* hard maxlogins {{ max_simultaneous_logins }}"
+ create: yes
+ when: max_simultaneous_logins is defined
+ tags:
+ - cat3
+ - V-38684
+
 - name: Check if vsftpd is installed (for V-38702)
 stat:
 path: /etc/vsftpd.conf
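Review bot: The new `lineinfile` task has no `regexp`, so it only guarantees that the exact rendered line is present; if `max_simultaneous_logins` is changed on a later run, a second `* hard maxlogins …` line is appended and the old limit stays in `/etc/security/limits.d/V-38684-maxlogins.conf` alongside it. Adding `regexp: '^\*\s+hard\s+maxlogins\s'` makes the task replace the existing entry instead of accumulating conflicting ones. Since the file is made with `create: yes`, I would also pin `owner: root`, `group: root` and `mode: "0644"` rather than inherit whatever umask the play runs under. The developer note should probably also say that, per limits.conf(5), the `*` wildcard is not applied to root, so root sessions are not covered by this limit.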