V-38684: Max concurrent sessions

Implements: blueprint security-hardening

Change-Id: I0fe3d2cbfdbb9063595f5041f0c5f2729180e65f

defaults/main.yml

@@ -164,6 +164,9 @@ num_logs: 5                                       # V-38636
 # V-38480 - To warn users before their password expires, uncomment the line
 # below and they will be warned 7 days prior (following the STIG).
 #password_warn_age: 7                             # V-38480
+# V-38684 - Setting the maximum number of simultaneous logins per user. The
+# STIG sets a limit of 10.
+#max_simultaneous_logins: 10                      # V-38684
 
 ## Kernel modules
 # Set these booleans to 'yes' to disable the kernel module (following the

doc/source/developer-notes/V-38684.rst

@@ -0,0 +1,11 @@
+**Opt-in required**
+
+Ubuntu does not set a limit on the maximum number of active sessions that
+a single user can have at one time. The STIG requires setting a limit of
+``10``.
+
+To opt-in for this change, set the following Ansible variable:
+
+.. code-block:: yaml
+
+    max_simultaneous_logins: 10

tasks/misc.yml

@@ -109,6 +109,16 @@
    - cat3
    - V-38624
 
+- name: V-38684 - Maximum simultaneous logins per user
+  lineinfile:
+    dest: /etc/security/limits.d/V-38684-maxlogins.conf
+    line: "* hard maxlogins {{ max_simultaneous_logins }}"
+    create: yes
+  when: max_simultaneous_logins is defined
+  tags:
+    - cat3
+    - V-38684
+
 - name: Check if vsftpd is installed (for V-38702)
   stat:
     path: /etc/vsftpd.conf