(#140) Added parameters to control /etc/security/faillock.conf (#141)

* (#140) Added parameters to control /etc/security/faillock.conf Fixes #140 * Updated the REFERENCE.md * Removed support for faillock.conf in el7 since it is not supported by that major release * Updated how the auth files are handled when managing faillock.conf and updated user documentation explaining how to use the new feature * Fixed missing variable declaration in auth template and fixed spec tests for the new feature * Updated the REFERENCE.md * Refactored changes so that existing variables can be re-used and new ones can be used inline in the auth files * Added a test for pam faillock parameters when they're not in the faillock.conf file * Made the test for whether faillock should be implemented or not also look at os family
simp · Jan 29, 2024 · 1a420f3 · 1a420f3
1 parent f1de0b8
commit 1a420f3
Show file tree

Hide file tree

Showing 11 changed files with 487 additions and 53 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+
+* Mon Jan 29 2024 Mike Riddle <mike@sicura.us> - 6.16.0
+- Added functionality to control /etc/security/faillock.conf
+
 * Wed Jan 17 2024 Richard Gardner <rick@sicura.us> - 6.15.1
 - Updated hiera.yaml facts to support puppet 8
 

diff --git a/README.md b/README.md
@@ -20,6 +20,8 @@
     * [Managing System Access](#managing-system-access)
   * [Restricting Resource Usage (pam_limits)](#restricting-resource-usage-pam_limits)
   * [Restricting ``su`` to the ``wheel`` Group](#restricting-su-to-the-wheel-group)
+  * [Managing /etc/security/faillock.conf](#managing-etcsecurityfaillockconf)
+    * [/etc/security_faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters)
 * [Development](#development)
   * [Acceptance tests](#acceptance-tests)
 
@@ -201,6 +203,51 @@ include 'pam::wheel'
 You can change the target group by updating the value of
 ``pam::wheel::wheel_group`` via Hiera.
 
+### Managing /etc/security/faillock.conf
+
+To manage faillock with ``/etc/security/faillock.conf`` instead of inline parameters in the auth files set the following in hieradata:
+
+```yaml
+pam::manage_faillock_conf: true
+```
+
+A couple of things to note here are:
+
+- ``pam::faillock`` must still be true for faillock to work appropriately
+- By default, /etc/security/faillock.conf will be empty except for a comment saying the file is managed by puppet. To set content in the file, the following parameters are available:
+
+  - ``pam::faillock_dir``
+  - ``pam::faillock_audit``
+  - ``pam::faillock_silent``
+  - ``pam::faillock_no_log_info``
+  - ``pam::faillock_local_users_only``
+  - ``pam::faillock_nodelay``
+  - ``pam::faillock_deny``
+  - ``pam::faillock_fail_interval``
+  - ``pam::faillock_unlock_time``
+  - ``pam::faillock_even_deny_root``
+  - ``pam::faillock_root_unlock_time``
+  - ``pam::faillock_admin_group``
+
+#### /etc/security/faillock.conf Hieradata Example With All Parameters
+
+```yaml
+pam::faillock: true
+pam::manage_faillock_conf: true
+pam::faillock_dir: '/var/log/faillock'
+pam::faillock_audit: true
+pam::faillock_silent: true
+pam::faillock_no_log_info: false
+pam::faillock_local_users_only: false
+pam::faillock_nodelay: false
+pam::faillock_deny: 5
+pam::faillock_fail_interval: 900
+pam::faillock_unlock_time: 900
+pam::faillock_even_deny_root: true
+pam::faillock_root_unlock_time: 60
+pam::faillock_admin_group: 'wheel'
+```
+
 ## Development
 
 Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/Contribution_Procedure.html)

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -65,7 +65,6 @@ The following parameters are available in the `pam` class:
 * [`rm_pwquality_conf_d`](#-pam--rm_pwquality_conf_d)
 * [`deny`](#-pam--deny)
 * [`faillock`](#-pam--faillock)
-* [`faillock_log_dir`](#-pam--faillock_log_dir)
 * [`display_account_lock`](#-pam--display_account_lock)
 * [`fail_interval`](#-pam--fail_interval)
 * [`homedir_umask`](#-pam--homedir_umask)
@@ -104,6 +103,13 @@ The following parameters are available in the `pam` class:
 * [`use_authselect`](#-pam--use_authselect)
 * [`auth_basedir`](#-pam--auth_basedir)
 * [`package_ensure`](#-pam--package_ensure)
+* [`manage_faillock_conf`](#-pam--manage_faillock_conf)
+* [`faillock_log_dir`](#-pam--faillock_log_dir)
+* [`faillock_audit`](#-pam--faillock_audit)
+* [`faillock_no_log_info`](#-pam--faillock_no_log_info)
+* [`faillock_local_users_only`](#-pam--faillock_local_users_only)
+* [`faillock_nodelay`](#-pam--faillock_nodelay)
+* [`faillock_admin_group`](#-pam--faillock_admin_group)
 
 ##### <a name="-pam--password_check_backend"></a>`password_check_backend`
 
@@ -328,7 +334,7 @@ Default value: `true`
 
 Data type: `Integer[0]`
 
-The number of failed attempts before PAM denies a user from logging in
+The number of failed attempts before PAM denies a user from logging in.
 
 Default value: `5`
 
@@ -340,27 +346,19 @@ Enable or disable the use of ``faillock``
 
 Default value: `true`
 
-##### <a name="-pam--faillock_log_dir"></a>`faillock_log_dir`
-
-Data type: `Optional[Stdlib::Absolutepath]`
-
-The location in which to log failed login attempts and account lockouts
-
-Default value: `undef`
-
 ##### <a name="-pam--display_account_lock"></a>`display_account_lock`
 
 Data type: `Boolean`
 
-Display to the remote user that their account has been locked
+Display to the remote user that their account has been locked.
 
 Default value: `false`
 
 ##### <a name="-pam--fail_interval"></a>`fail_interval`
 
 Data type: `Integer[0]`
 
-Sets the time until the check fails
+Sets the time until the check fails.
 
 Default value: `900`
 
@@ -402,15 +400,15 @@ Default value: `true`
 
 Data type: `Boolean`
 
-Enforce an account lockout for the ``root`` account
+Enforce an account lockout for the ``root`` account.
 
 Default value: `true`
 
 ##### <a name="-pam--root_unlock_time"></a>`root_unlock_time`
 
 Data type: `Integer[0]`
 
-Allow access after N seconds to root account after failed attempt
+Allow access after N seconds to root account after failed attempt.
 
 * Has no effect if ``even_deny_root`` is not set
 
@@ -445,7 +443,7 @@ Default value: `simplib::lookup('simp_options::uid::min', { 'default_value' => p
 
 Data type: `Pam::AccountUnlockTime`
 
-Allow acesss after N seconds to user account after failed attempt
+Allow acesss after N seconds to user account after failed attempt.
 
 Default value: `900`
 
@@ -686,6 +684,65 @@ Ensure setting for all packages installed by this module
 
 Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })`
 
+##### <a name="-pam--manage_faillock_conf"></a>`manage_faillock_conf`
+
+Data type: `Boolean`
+
+If true, the faillock parameters will be managed within /etc/security/faillock.conf
+instead of inline in the auth files. This parameter will be ignored on el7 and earlier systems.
+
+Default value: `false`
+
+##### <a name="-pam--faillock_log_dir"></a>`faillock_log_dir`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+The directory where the user files with the failure records are kept.
+
+Default value: `undef`
+
+##### <a name="-pam--faillock_audit"></a>`faillock_audit`
+
+Data type: `Boolean`
+
+If true, log the user name into the system log if the user is not found.
+
+Default value: `true`
+
+##### <a name="-pam--faillock_no_log_info"></a>`faillock_no_log_info`
+
+Data type: `Boolean`
+
+If true, don't log informative messages via syslog.
+
+Default value: `false`
+
+##### <a name="-pam--faillock_local_users_only"></a>`faillock_local_users_only`
+
+Data type: `Boolean`
+
+If true, only track failed user authentications attempts for local users in
+/etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+
+Default value: `false`
+
+##### <a name="-pam--faillock_nodelay"></a>`faillock_nodelay`
+
+Data type: `Boolean`
+
+If true, don't enforce a delay after authentication failures.
+
+Default value: `false`
+
+##### <a name="-pam--faillock_admin_group"></a>`faillock_admin_group`
+
+Data type: `Optional[String]`
+
+If a group name is specified with this option, members of the group will be handled by
+this module the same as the root account.
+
+Default value: `undef`
+
 ### <a name="pam--access"></a>`pam::access`
 
 Use ``pam::access::rule`` to manage ``access.conf`` entries and remember
@@ -992,6 +1049,12 @@ The following parameters are available in the `pam::auth` defined type:
 * [`password_check_backend`](#-pam--auth--password_check_backend)
 * [`locale_file`](#-pam--auth--locale_file)
 * [`auth_content_pre`](#-pam--auth--auth_content_pre)
+* [`manage_faillock_conf`](#-pam--auth--manage_faillock_conf)
+* [`faillock_audit`](#-pam--auth--faillock_audit)
+* [`faillock_no_log_info`](#-pam--auth--faillock_no_log_info)
+* [`faillock_local_users_only`](#-pam--auth--faillock_local_users_only)
+* [`faillock_nodelay`](#-pam--auth--faillock_nodelay)
+* [`faillock_admin_group`](#-pam--auth--faillock_admin_group)
 * [`cracklib_enforce_for_root`](#-pam--auth--cracklib_enforce_for_root)
 * [`cracklib_reject_username`](#-pam--auth--cracklib_reject_username)
 * [`cracklib_difok`](#-pam--auth--cracklib_difok)
@@ -1055,6 +1118,54 @@ Data type: `Optional[Array[String]]`
 
 Default value: `$pam::auth_content_pre`
 
+##### <a name="-pam--auth--manage_faillock_conf"></a>`manage_faillock_conf`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::manage_faillock_conf`
+
+##### <a name="-pam--auth--faillock_audit"></a>`faillock_audit`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_audit`
+
+##### <a name="-pam--auth--faillock_no_log_info"></a>`faillock_no_log_info`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_no_log_info`
+
+##### <a name="-pam--auth--faillock_local_users_only"></a>`faillock_local_users_only`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_local_users_only`
+
+##### <a name="-pam--auth--faillock_nodelay"></a>`faillock_nodelay`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_nodelay`
+
+##### <a name="-pam--auth--faillock_admin_group"></a>`faillock_admin_group`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `$pam::faillock_admin_group`
+
 ##### <a name="-pam--auth--cracklib_enforce_for_root"></a>`cracklib_enforce_for_root`
 
 Data type: `Boolean`
@@ -1205,7 +1316,7 @@ Data type: `Optional[Stdlib::Absolutepath]`
 
 
 
-Default value: `undef`
+Default value: `$pam::faillock_log_dir`
 
 ##### <a name="-pam--auth--display_account_lock"></a>`display_account_lock`
 

diff --git a/manifests/auth.pp b/manifests/auth.pp
@@ -9,6 +9,12 @@
 # @param password_check_backend
 # @param locale_file
 # @param auth_content_pre
+# @param manage_faillock_conf
+# @param faillock_audit
+# @param faillock_no_log_info
+# @param faillock_local_users_only
+# @param faillock_nodelay
+# @param faillock_admin_group
 # @param cracklib_enforce_for_root
 # @param cracklib_reject_username
 # @param cracklib_difok
@@ -70,7 +76,13 @@
   Integer[0]                     $cracklib_retry            = $pam::cracklib_retry,
   Integer[0]                     $deny                      = $pam::deny,
   Boolean                        $faillock                  = $pam::faillock,
-  Optional[Stdlib::Absolutepath] $faillock_log_dir          = undef,
+  Boolean                        $manage_faillock_conf      = $pam::manage_faillock_conf,
+  Optional[Stdlib::Absolutepath] $faillock_log_dir          = $pam::faillock_log_dir,
+  Boolean                        $faillock_audit            = $pam::faillock_audit,
+  Boolean                        $faillock_no_log_info      = $pam::faillock_no_log_info,
+  Boolean                        $faillock_local_users_only = $pam::faillock_local_users_only,
+  Boolean                        $faillock_nodelay          = $pam::faillock_nodelay,
+  Optional[String]               $faillock_admin_group      = $pam::faillock_admin_group,
   Boolean                        $display_account_lock      = $pam::display_account_lock,
   Integer[0]                     $fail_interval             = $pam::fail_interval,
   Integer[0]                     $remember                  = $pam::remember,
@@ -143,6 +155,7 @@
           password_check_backend    => $password_check_backend,
           locale_file               => $locale_file,
           auth_content_pre          => $auth_content_pre,
+          manage_faillock_conf      => $manage_faillock_conf,
           cracklib_enforce_for_root => $cracklib_enforce_for_root,
           cracklib_reject_username  => $cracklib_reject_username,
           cracklib_difok            => $cracklib_difok,
@@ -160,6 +173,11 @@
           deny                      => $deny,
           faillock                  => $faillock,
           faillock_log_dir          => $faillock_log_dir,
+          faillock_audit            => $faillock_audit,
+          faillock_no_log_info      => $faillock_no_log_info,
+          faillock_local_users_only => $faillock_local_users_only,
+          faillock_nodelay          => $faillock_nodelay,
+          faillock_admin_group      => $faillock_admin_group,
           display_account_lock      => $display_account_lock,
           fail_interval             => $fail_interval,
           remember                  => $remember,

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -116,16 +116,40 @@
     }
   }
 
-  if ($pam::faillock_log_dir) {
-    file { $pam::faillock_log_dir:
-      ensure   => 'dir',
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0750',
-      seluser  => 'system_u',
-      selrole  => 'object_r',
-      seltype  => 'faillog_t',
-      selrange => 's0',
+  # EL 7 doesn't utilize faillock.conf and will break if used
+  if ($facts['os']['family'] == 'RedHat') and ($facts['os']['release']['major'] > '7') and ($pam::manage_faillock_conf) {
+    if ($pam::faillock_log_dir) {
+      file { $pam::faillock_log_dir:
+        ensure   => 'directory',
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0750',
+        seluser  => 'system_u',
+        selrole  => 'object_r',
+        seltype  => 'faillog_t',
+        selrange => 's0',
+      }
+    }
+
+    file { '/etc/security/faillock.conf':
+      ensure  => 'file',
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => epp("${module_name}/etc/security/faillock.conf.epp", {
+          dir              => $pam::faillock_log_dir,
+          audit            => $pam::faillock_audit,
+          silent           => !$pam::display_account_lock,
+          no_log_info      => $pam::faillock_no_log_info,
+          local_users_only => $pam::faillock_local_users_only,
+          nodelay          => $pam::faillock_nodelay,
+          deny             => $pam::deny,
+          fail_interval    => $pam::fail_interval,
+          unlock_time      => $pam::unlock_time,
+          even_deny_root   => $pam::even_deny_root,
+          root_unlock_time => $pam::root_unlock_time,
+          admin_group      => $pam::faillock_admin_group
+      }),
     }
   }