CHANGELOG.md

@@ -2,18 +2,25 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).
 
-## [v4.2.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.2.0) (2023-07-17)
+## [v4.3.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.3.0) (2023-07-18)
 
-[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.1.0...v4.2.0)
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.2.0...v4.3.0)
 
 ### Added
 
+- Add examples for pwquality and faillock [\#267](https://github.com/ghoneycutt/puppet-module-pam/pull/267) ([treydock](https://github.com/treydock))
+- Make EOL OS Hiera data accessible via examples directory [\#265](https://github.com/ghoneycutt/puppet-module-pam/pull/265) ([treydock](https://github.com/treydock))
 - Ensure limits\_fragments\_hiera\_merge is using proper lookup function [\#263](https://github.com/ghoneycutt/puppet-module-pam/pull/263) ([treydock](https://github.com/treydock))
 
 ### Merged pull requests:
 
+- Add pam::limits::purge\_limits\_d\_dir\_ignore parameter [\#266](https://github.com/ghoneycutt/puppet-module-pam/pull/266) ([treydock](https://github.com/treydock))
 - Remove support for Vagrant [\#264](https://github.com/ghoneycutt/puppet-module-pam/pull/264) ([ghoneycutt](https://github.com/ghoneycutt))
 
+## [v4.2.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.2.0) (2023-07-17)
+
+[Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.1.0...v4.2.0)
+
 ## [v4.1.0](https://github.com/ghoneycutt/puppet-module-pam/tree/v4.1.0) (2023-07-17)
 
 [Full Changelog](https://github.com/ghoneycutt/puppet-module-pam/compare/v4.0.0...v4.1.0)

README.md

@@ -53,6 +53,11 @@ This module has been deployed in production along with
 `examples/hiera/sssd/RedHat-6.yaml` file for an example with the
 additional SSSD entries added via hiera.
 
+##### pwquality
+
+An example of using [pam_pwquality](https://linux.die.net/man/8/pam_pwquality) can be found
+in the `examples/hiera/pwquality.yaml`.
+
 ### Beginning with pam
 
 Include the main `pam` class.
@@ -165,6 +170,26 @@ pam::limits_fragments:
       - '* hard as 4194304'
 ```
 
+The contents of `/etc/security/limits.d` can optionally be purged of unmanaged files.
+
+```yaml
+pam::limits::purge_limits_d_dir: true
+```
+
+Below is an example of ignoring certain files from the limits.d purge:
+
+```yaml
+pam::limits::purge_limits_d_dir_ignore: 'ignore*.conf'
+```
+
+The ignore can also be an Array of file names
+
+```yaml
+pam::limits::purge_limits_d_dir_ignore:
+  - custom.conf
+  - foo.conf
+```
+
 #### Specifying the content of a service
 Manage PAM file for specific service.
 
@@ -188,21 +213,16 @@ include pam
 ## Limitations
 
 This module has been tested to work on the following systems with Puppet
-versions 5 and 6 with the Ruby version associated with those releases.
-Please see `.travis.yml` for a full matrix of supported versions. This
+versions 7 with the Ruby version associated with those releases.
+Please see `.github/workflows/ci.yaml` for a full matrix of supported versions. This
 module aims to support the current and previous major Puppet versions.
 
- * EL 6
  * EL 7
  * EL 8
  * EL 9
  * Amazon Linux 2
- * Debian 9
  * Debian 10
  * Debian 11
- * Ubuntu 14.04 LTS
- * Ubuntu 16.04 LTS
- * Ubuntu 18.04 LTS
  * Ubuntu 20.04 LTS
  * Ubuntu 22.04 LTS
 
@@ -211,7 +231,10 @@ module aims to support the current and previous major Puppet versions.
 These platforms have spec tests and have been verified in the past,
 though are not functionally tested and formally supported.
 
+The Hiera data for some of these platforms can be found in `examples/hiera/eol`.
+
  * EL 5
+ * EL 6
  * Solaris 9
  * Solaris 10
  * Solaris 11
@@ -223,7 +246,11 @@ though are not functionally tested and formally supported.
  * OpenSuSE 13.1
  * Debian 7
  * Debian 8
+ * Debian 9
  * Ubuntu 12.04 LTS
+ * Ubuntu 14.04 LTS
+ * Ubuntu 16.04 LTS
+ * Ubuntu 18.04 LTS
 
 ## Development
 

REFERENCE.md

@@ -621,6 +621,7 @@ The following parameters are available in the `pam::limits` class:
 * [`limits_d_dir`](#-pam--limits--limits_d_dir)
 * [`limits_d_dir_mode`](#-pam--limits--limits_d_dir_mode)
 * [`purge_limits_d_dir`](#-pam--limits--purge_limits_d_dir)
+* [`purge_limits_d_dir_ignore`](#-pam--limits--purge_limits_d_dir_ignore)
 
 ##### <a name="-pam--limits--config_file"></a>`config_file`
 
@@ -679,6 +680,14 @@ Boolean to purge the limits.d directory.
 
 Default value: `false`
 
+##### <a name="-pam--limits--purge_limits_d_dir_ignore"></a>`purge_limits_d_dir_ignore`
+
+Data type: `Optional[Variant[String[1], Array[String[1]]]]`
+
+A glob or array of file names to ignore when purging limits.d
+
+Default value: `undef`
+
 ## Defined types
 
 ### <a name="pam--limits--fragment"></a>`pam::limits::fragment`

examples/hiera/eol/Debian/7.yaml

@@ -0,0 +1,30 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian7.erb
+pam::pam_d_sshd_template: pam/sshd.debian7.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok_secure'
+  - 'auth  requisite     pam_deny.so'
+  - 'auth  required      pam_permit.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure sha512'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session required      pam_unix.so'

examples/hiera/eol/Debian/8.yaml

@@ -0,0 +1,30 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian8.erb
+pam::pam_d_sshd_template: pam/sshd.debian8.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok_secure'
+  - 'auth  requisite     pam_deny.so'
+  - 'auth  required      pam_permit.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure sha512'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session required      pam_unix.so'

examples/hiera/eol/Debian/9.yaml

@@ -0,0 +1,33 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+  - common_session_noninteractive
+
+pam::pam_d_login_template: pam/login.debian9.erb
+pam::pam_d_sshd_template: pam/sshd.debian9.erb
+pam::package_name: libpam0g
+pam::pam_auth_lines:
+  - 'auth  [success=1 default=ignore]  pam_unix.so nullok_secure'
+  - 'auth  requisite     pam_deny.so'
+  - 'auth  required      pam_permit.so'
+  - 'auth  optional      pam_cap.so'
+pam::pam_account_lines:
+  - 'account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so'
+  - 'account requisite     pam_deny.so'
+  - 'account required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password  [success=1 default=ignore]  pam_unix.so obscure sha512'
+  - 'password  requisite     pam_deny.so'
+  - 'password  required      pam_permit.so'
+pam::pam_session_lines:
+  - 'session [default=1]   pam_permit.so'
+  - 'session requisite     pam_deny.so'
+  - 'session required      pam_permit.so'
+  - 'session required      pam_unix.so'
+  - 'session required      pam_unix.so'
+  - 'session optional      pam_systemd.so'

examples/hiera/eol/RedHat/5.yaml

@@ -0,0 +1,29 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix:       '_ac'
+pam::common_files:
+  - system_auth
+
+pam::pam_d_login_template: pam/login.el5.erb
+pam::pam_d_sshd_template: pam/sshd.el5.erb
+pam::package_name:
+  - pam
+  - util-linux
+pam::pam_auth_lines:
+  - 'auth        required      pam_env.so'
+  - 'auth        sufficient    pam_unix.so nullok try_first_pass'
+  - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
+  - 'auth        required      pam_deny.so'
+pam::pam_account_lines:
+  - 'account     required      pam_unix.so'
+  - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
+  - 'account     required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password    requisite     pam_cracklib.so try_first_pass retry=3'
+  - 'password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok'
+  - 'password    required      pam_deny.so'
+pam::pam_session_lines:
+  - 'session     optional      pam_keyinit.so revoke'
+  - 'session     required      pam_limits.so'
+  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required      pam_unix.so'

examples/hiera/eol/RedHat/6.yaml

@@ -0,0 +1,49 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix:       '_ac'
+pam::common_files:
+  - password_auth
+  - system_auth
+
+pam::pam_d_login_template: pam/login.el6.erb
+pam::pam_d_sshd_template: pam/sshd.el6.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth        required      pam_env.so'
+  - 'auth        sufficient    pam_fprintd.so'
+  - 'auth        sufficient    pam_unix.so nullok try_first_pass'
+  - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
+  - 'auth        required      pam_deny.so'
+pam::pam_password_auth_lines:
+  - 'auth        required      pam_env.so'
+  - 'auth        sufficient    pam_unix.so nullok try_first_pass'
+  - 'auth        requisite     pam_succeed_if.so uid >= 500 quiet'
+  - 'auth        required      pam_deny.so'
+pam::pam_account_lines:
+  - 'account     required      pam_unix.so'
+  - 'account     sufficient    pam_localuser.so'
+  - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
+  - 'account     required      pam_permit.so'
+pam::pam_password_lines:
+  - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
+  - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+  - 'password    required      pam_deny.so'
+pam::pam_session_lines:
+  - 'session     optional      pam_keyinit.so revoke'
+  - 'session     required      pam_limits.so'
+  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required      pam_unix.so'
+pam::pam_password_account_lines:
+  - 'account     required      pam_unix.so'
+  - 'account     sufficient    pam_localuser.so'
+  - 'account     sufficient    pam_succeed_if.so uid < 500 quiet'
+  - 'account     required      pam_permit.so'
+pam::pam_password_password_lines:
+  - 'password    requisite     pam_cracklib.so try_first_pass retry=3 type='
+  - 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
+  - 'password    required      pam_deny.so'
+pam::pam_password_session_lines:
+  - 'session     optional      pam_keyinit.so revoke'
+  - 'session     required      pam_limits.so'
+  - 'session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid'
+  - 'session     required      pam_unix.so'

examples/hiera/eol/Suse/10.yaml

@@ -0,0 +1,23 @@
+---
+pam::common_files_create_links: false
+pam::common_files_suffix:       ~
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse10.erb
+pam::pam_d_sshd_template: pam/sshd.suse10.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  required  pam_unix2.so'
+pam::pam_account_lines:
+  - 'account  required  pam_unix2.so'
+pam::pam_password_lines:
+  - 'password  required  pam_pwcheck.so nullok'
+  - 'password  required  pam_unix2.so nullok use_authtok'
+pam::pam_session_lines:
+  - 'session  required  pam_limits.so'
+  - 'session  required  pam_unix2.so'

examples/hiera/eol/Suse/11.yaml

@@ -0,0 +1,24 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix:       '_pc'
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse11.erb
+pam::pam_d_sshd_template: pam/sshd.suse11.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  required  pam_unix2.so'
+pam::pam_account_lines:
+  - 'account  required  pam_unix2.so'
+pam::pam_password_lines:
+  - 'password  required  pam_pwcheck.so nullok cracklib'
+  - 'password  required  pam_unix2.so nullok use_authtok'
+pam::pam_session_lines:
+  - 'session  required  pam_limits.so'
+  - 'session  required  pam_unix2.so'
+  - 'session  optional  pam_umask.so'

examples/hiera/eol/Suse/13.yaml

@@ -0,0 +1,29 @@
+---
+pam::common_files_create_links: true
+pam::common_files_suffix:       '_pc'
+pam::common_files:
+  - common_account
+  - common_auth
+  - common_password
+  - common_session
+
+pam::pam_d_login_template: pam/login.suse13.erb
+pam::pam_d_sshd_template: pam/sshd.suse13.erb
+pam::package_name: pam
+pam::pam_auth_lines:
+  - 'auth  required  pam_env.so'
+  - 'auth  optional  pam_gnome_keyring.so'
+  - 'auth  required  pam_unix.so try_first_pass'
+pam::pam_account_lines:
+  - 'account  required  pam_unix.so try_first_pass'
+pam::pam_password_lines:
+  - 'password  requisite  pam_cracklib.so'
+  - 'password  optional   pam_gnome_keyring.so use_authtok'
+  - 'password  required   pam_unix.so use_authtok nullok shadow try_first_pass'
+pam::pam_session_lines:
+  - 'session  required pam_limits.so'
+  - 'session  required pam_unix.so try_first_pass'
+  - 'session  optional pam_umask.so'
+  - 'session  optional pam_systemd.so'
+  - 'session  optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm'
+  - 'session  optional pam_env.so'