
add support for winbind on rhel systems
Signed-off-by: Andre Lehmann <aisberg@posteo.de>
aisbergg committed Mar 17, 2022
1 parent 1d3ea50 commit 5337db7
Showing 9 changed files with 29 additions and 0 deletions.
3 changes: 3 additions & 0 deletions roles/os_hardening/README.md
Expand Up @@ -130,6 +130,9 @@ We know that this is the case on Raspberry Pi.
- `os_auth_pam_sssd_enable`
- Default: `false` (on RHEL8/CentOS8/Fedora `true`)
- Description: activate PAM auth support for sssd
- `os_auth_pam_winbind_enable`
- Default: `false`
- Description: activate PAM auth support for winbind
- `os_security_users_allow`
- Default: `[]`
- Description: list of things, that a user is allowed to do. May contain `change_user`.
7 changes: 7 additions & 0 deletions roles/os_hardening/tasks/pam_rhel.yml
Expand Up @@ -6,6 +6,13 @@
when:
- os_auth_pam_sssd_enable | bool

- name: Install samba-winbind-modules
yum:
name: samba-winbind-modules
state: 'present'
when:
- os_auth_pam_winbind_enable | bool

- name: Configure passwdqc and faillock via central system-auth config
template:
src: 'etc/pam.d/rhel_auth.j2'
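Review bot: The task installs `samba-winbind-modules`, which presumably ships only the PAM/NSS glue (`pam_winbind.so`, `libnss_winbind.so`) and not `winbindd`, the domain join or an nsswitch entry, yet neither the task name nor the flag's README text says that the rest has to come from elsewhere. A comment above the task would prevent operators from flipping `os_auth_pam_winbind_enable` and expecting domain logins to work, e.g. `# Installs only the PAM/NSS modules; winbindd (samba-winbind), the domain join and the winbind entry in nsswitch.conf must be configured outside this role`. The package name is a RHEL/Fedora/Rocky one; whether it resolves on the Amazon vars target that also gains the flag cannot be checked from the hunk. The task list continues outside the hunk on both sides.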
13 changes: 13 additions & 0 deletions roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
Expand Up @@ -16,6 +16,10 @@ auth sufficient pam_unix.so nullok try_first_pass
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_sss.so forward_pass
{% endif %}
{% if (os_auth_pam_winbind_enable | bool) %}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_winbind.so use_first_pass
{% endif %}
{% if os_auth_retries > 0 %}
auth required pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
{% endif %}
Expand All @@ -30,6 +34,9 @@ account sufficient pam_succeed_if.so uid < 1000 quiet
{% if (os_auth_pam_sssd_enable | bool) %}
account [default=bad success=ok user_unknown=ignore] pam_sss.so
{% endif %}
{% if (os_auth_pam_winbind_enable | bool) %}
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
{% endif %}
account required pam_permit.so

{% if (os_auth_pam_passwdqc_enable | bool) %}
Expand All @@ -42,6 +49,9 @@ password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_au
{% if (os_auth_pam_sssd_enable | bool) %}
password sufficient pam_sss.so use_authtok
{% endif %}
{% if (os_auth_pam_winbind_enable | bool) %}
password sufficient pam_winbind.so use_authtok
{% endif %}
password required pam_deny.so

session optional pam_keyinit.so revoke
Expand All @@ -52,3 +62,6 @@ session required pam_unix.so
{% if (os_auth_pam_sssd_enable | bool) %}
session optional pam_sss.so
{% endif %}
{% if (os_auth_pam_winbind_enable | bool) %}
session optional pam_winbind.so
{% endif %}
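Review bot: The `pam_succeed_if.so uid >= 1000` gate placed in front of `pam_winbind.so` in the auth stack only passes when the user resolves through NSS, and nothing in this commit adds `winbind` to `/etc/nsswitch.conf` or starts `winbindd`; for a domain user libc cannot look up, pam_succeed_if returns user_unknown, `default=1` skips pam_winbind, and the login dies at the final deny with no winbind log line to explain it. If domain join and nsswitch are intended to be handled outside this role, that prerequisite belongs next to the new block, e.g. `{# pam_winbind is only reached when the user resolves via NSS: winbindd must be running, the host joined, and nsswitch must list winbind #}`. The `use_first_pass` on the pam_winbind auth line hard-fails if no token was stacked, unlike the `forward_pass` used for sssd, but that is acceptable here because the `pam_unix.so ... try_first_pass` line above always runs first. The auth and session stacks start and end outside the hunk, so the `pam_faillock preauth` and final `pam_deny` lines could not be checked.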
1 change: 1 addition & 0 deletions roles/os_hardening/vars/Amazon.yml
Expand Up @@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

os_auth_pam_sssd_enable: false
os_auth_pam_winbind_enable: false

# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
1 change: 1 addition & 0 deletions roles/os_hardening/vars/Fedora.yml
Expand Up @@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

os_auth_pam_sssd_enable: true
os_auth_pam_winbind_enable: false

# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
1 change: 1 addition & 0 deletions roles/os_hardening/vars/RedHat.yml
Expand Up @@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

os_auth_pam_sssd_enable: false
os_auth_pam_winbind_enable: false

# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
1 change: 1 addition & 0 deletions roles/os_hardening/vars/RedHat_7.yml
Expand Up @@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

os_auth_pam_sssd_enable: false
os_auth_pam_winbind_enable: false

# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
1 change: 1 addition & 0 deletions roles/os_hardening/vars/RedHat_8.yml
Expand Up @@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

os_auth_pam_sssd_enable: true
os_auth_pam_winbind_enable: false

# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
1 change: 1 addition & 0 deletions roles/os_hardening/vars/Rocky_8.yml
Expand Up @@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

os_auth_pam_sssd_enable: true
os_auth_pam_winbind_enable: false

# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
