From 1a420f394bc41e8f5217a6a7d1a9a0913d8ef656 Mon Sep 17 00:00:00 2001 From: Mike Riddle Date: Mon, 29 Jan 2024 17:14:00 -0500 Subject: [PATCH] (#140) Added parameters to control /etc/security/faillock.conf (#141) * (#140) Added parameters to control /etc/security/faillock.conf Fixes #140 * Updated the REFERENCE.md * Removed support for faillock.conf in el7 since it is not supported by that major release * Updated how the auth files are handled when managing faillock.conf and updated user documentation explaining how to use the new feature * Fixed missing variable declaration in auth template and fixed spec tests for the new feature * Updated the REFERENCE.md * Refactored changes so that existing variables can be re-used and new ones can be used inline in the auth files * Added a test for pam faillock parameters when they're not in the faillock.conf file * Made the test for whether faillock should be implemented or not also look at os family --- CHANGELOG | 4 + README.md | 47 ++++++++ REFERENCE.md | 143 ++++++++++++++++++++--- manifests/auth.pp | 20 +++- manifests/config.pp | 44 +++++-- manifests/init.pp | 63 +++++++--- metadata.json | 2 +- spec/classes/config_spec.rb | 78 ++++++++++++- spec/classes/init_spec.rb | 32 +++++ templates/etc/pam.d/auth.epp | 54 ++++++++- templates/etc/security/faillock.conf.epp | 53 +++++++++ 11 files changed, 487 insertions(+), 53 deletions(-) create mode 100644 templates/etc/security/faillock.conf.epp diff --git a/CHANGELOG b/CHANGELOG index 23631fc..ece3b4e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,7 @@ + +* Mon Jan 29 2024 Mike Riddle - 6.16.0 +- Added functionality to control /etc/security/faillock.conf + * Wed Jan 17 2024 Richard Gardner - 6.15.1 - Updated hiera.yaml facts to support puppet 8 diff --git a/README.md b/README.md index d62abba..8c0e996 100644 --- a/README.md +++ b/README.md 
@@ -20,6 +20,8 @@ * [Managing System Access](#managing-system-access) * [Restricting Resource Usage (pam_limits)](#restricting-resource-usage-pam_limits) * [Restricting ``su`` to the ``wheel`` Group](#restricting-su-to-the-wheel-group) + * [Managing /etc/security/faillock.conf](#managing-etcsecurityfaillockconf) + * [/etc/security_faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters) * [Development](#development) * [Acceptance tests](#acceptance-tests) 
@@ -201,6 +203,51 @@ include 'pam::wheel' You can change the target group by updating the value of ``pam::wheel::wheel_group`` via Hiera. +### Managing /etc/security/faillock.conf + +To manage faillock with ``/etc/security/faillock.conf`` instead of inline parameters in the auth files set the following in hieradata: + +```yaml +pam::manage_faillock_conf: true +``` + +A couple of things to note here are: + +- ``pam::faillock`` must still be true for faillock to work appropriately +- By default, /etc/security/faillock.conf will be empty except for a comment saying the file is managed by puppet. To set content in the file, the following parameters are available: + + - ``pam::faillock_dir`` + - ``pam::faillock_audit`` + - ``pam::faillock_silent`` + - ``pam::faillock_no_log_info`` + - ``pam::faillock_local_users_only`` + - ``pam::faillock_nodelay`` + - ``pam::faillock_deny`` + - ``pam::faillock_fail_interval`` + - ``pam::faillock_unlock_time`` + - ``pam::faillock_even_deny_root`` + - ``pam::faillock_root_unlock_time`` + - ``pam::faillock_admin_group`` + +#### /etc/security/faillock.conf Hieradata Example With All Parameters + +```yaml +pam::faillock: true +pam::manage_faillock_conf: true +pam::faillock_dir: '/var/log/faillock' +pam::faillock_audit: true +pam::faillock_silent: true +pam::faillock_no_log_info: false +pam::faillock_local_users_only: false +pam::faillock_nodelay: false +pam::faillock_deny: 5 +pam::faillock_fail_interval: 900 +pam::faillock_unlock_time: 900 +pam::faillock_even_deny_root: true +pam::faillock_root_unlock_time: 60 +pam::faillock_admin_group: 'wheel' +``` + ## Development Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/Contribution_Procedure.html) diff --git a/REFERENCE.md b/REFERENCE.md index 1958215..2d12171 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -65,7 +65,6 @@ The following parameters are available in the `pam` class: * [`rm_pwquality_conf_d`](#-pam--rm_pwquality_conf_d) * [`deny`](#-pam--deny) * [`faillock`](#-pam--faillock) -* [`faillock_log_dir`](#-pam--faillock_log_dir) * [`display_account_lock`](#-pam--display_account_lock) * [`fail_interval`](#-pam--fail_interval) * [`homedir_umask`](#-pam--homedir_umask) @@ -104,6 +103,13 @@ The following parameters are available in the `pam` class: * [`use_authselect`](#-pam--use_authselect) * [`auth_basedir`](#-pam--auth_basedir) * [`package_ensure`](#-pam--package_ensure) +* [`manage_faillock_conf`](#-pam--manage_faillock_conf) +* [`faillock_log_dir`](#-pam--faillock_log_dir) +* [`faillock_audit`](#-pam--faillock_audit) +* [`faillock_no_log_info`](#-pam--faillock_no_log_info) +* [`faillock_local_users_only`](#-pam--faillock_local_users_only) +* [`faillock_nodelay`](#-pam--faillock_nodelay) +* [`faillock_admin_group`](#-pam--faillock_admin_group) ##### `password_check_backend` @@ -328,7 +334,7 @@ Default value: `true` Data type: `Integer[0]` -The number of failed attempts before PAM denies a user from logging in +The number of failed attempts before PAM denies a user from logging in. Default value: `5` @@ -340,19 +346,11 @@ Enable or disable the use of ``faillock`` Default value: `true` -##### `faillock_log_dir` - -Data type: `Optional[Stdlib::Absolutepath]` - -The location in which to log failed login attempts and account lockouts - -Default value: `undef` - ##### `display_account_lock` Data type: `Boolean` -Display to the remote user that their account has been locked +Display to the remote user that their account has been locked. Default value: `false` @@ -360,7 +358,7 @@ Default value: `false` Data type: `Integer[0]` -Sets the time until the check fails +Sets the time until the check fails. Default value: `900` 
@@ -402,7 +400,7 @@ Default value: `true` Data type: `Boolean` -Enforce an account lockout for the ``root`` account +Enforce an account lockout for the ``root`` account. Default value: `true` @@ -410,7 +408,7 @@ Default value: `true` Data type: `Integer[0]` -Allow access after N seconds to root account after failed attempt +Allow access after N seconds to root account after failed attempt. * Has no effect if ``even_deny_root`` is not set @@ -445,7 +443,7 @@ Default value: `simplib::lookup('simp_options::uid::min', { 'default_value' => p Data type: `Pam::AccountUnlockTime` -Allow acesss after N seconds to user account after failed attempt +Allow acesss after N seconds to user account after failed attempt. Default value: `900` 
@@ -686,6 +684,65 @@ Ensure setting for all packages installed by this module Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })` +##### `manage_faillock_conf` + +Data type: `Boolean` + +If true, the faillock parameters will be managed within /etc/security/faillock.conf +instead of inline in the auth files. This parameter will be ignored on el7 and earlier systems. + +Default value: `false` + +##### `faillock_log_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +The directory where the user files with the failure records are kept. + +Default value: `undef` + +##### `faillock_audit` + +Data type: `Boolean` + +If true, log the user name into the system log if the user is not found. + +Default value: `true` + +##### `faillock_no_log_info` + +Data type: `Boolean` + +If true, don't log informative messages via syslog. + +Default value: `false` + +##### `faillock_local_users_only` + +Data type: `Boolean` + +If true, only track failed user authentications attempts for local users in +/etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. + +Default value: `false` + +##### `faillock_nodelay` + +Data type: `Boolean` + +If true, don't enforce a delay after authentication failures. + +Default value: `false` + +##### `faillock_admin_group` + +Data type: `Optional[String]` + +If a group name is specified with this option, members of the group will be handled by +this module the same as the root account. + +Default value: `undef` + ### `pam::access` Use ``pam::access::rule`` to manage ``access.conf`` entries and remember 
@@ -992,6 +1049,12 @@ The following parameters are available in the `pam::auth` defined type: * [`password_check_backend`](#-pam--auth--password_check_backend) * [`locale_file`](#-pam--auth--locale_file) * [`auth_content_pre`](#-pam--auth--auth_content_pre) +* [`manage_faillock_conf`](#-pam--auth--manage_faillock_conf) +* [`faillock_audit`](#-pam--auth--faillock_audit) +* [`faillock_no_log_info`](#-pam--auth--faillock_no_log_info) +* [`faillock_local_users_only`](#-pam--auth--faillock_local_users_only) +* [`faillock_nodelay`](#-pam--auth--faillock_nodelay) +* [`faillock_admin_group`](#-pam--auth--faillock_admin_group) * [`cracklib_enforce_for_root`](#-pam--auth--cracklib_enforce_for_root) * [`cracklib_reject_username`](#-pam--auth--cracklib_reject_username) * [`cracklib_difok`](#-pam--auth--cracklib_difok) @@ -1055,6 +1118,54 @@ Data type: `Optional[Array[String]]` Default value: `$pam::auth_content_pre` +##### `manage_faillock_conf` + +Data type: `Boolean` + + + +Default value: `$pam::manage_faillock_conf` + +##### `faillock_audit` + +Data type: `Boolean` + + + +Default value: `$pam::faillock_audit` + +##### `faillock_no_log_info` + +Data type: `Boolean` + + + +Default value: `$pam::faillock_no_log_info` + +##### `faillock_local_users_only` + +Data type: `Boolean` + + + +Default value: `$pam::faillock_local_users_only` + +##### `faillock_nodelay` + +Data type: `Boolean` + + + +Default value: `$pam::faillock_nodelay` + +##### `faillock_admin_group` + +Data type: `Optional[String]` + + + +Default value: `$pam::faillock_admin_group` + ##### `cracklib_enforce_for_root` Data type: `Boolean` @@ -1205,7 +1316,7 @@ Data type: `Optional[Stdlib::Absolutepath]` -Default value: `undef` +Default value: `$pam::faillock_log_dir` ##### `display_account_lock` diff --git a/manifests/auth.pp b/manifests/auth.pp index 38cce41..ce0c1a8 100644 --- a/manifests/auth.pp +++ b/manifests/auth.pp 
@@ -9,6 +9,12 @@ # @param password_check_backend # @param locale_file # @param auth_content_pre +# @param manage_faillock_conf +# @param faillock_audit +# @param faillock_no_log_info +# @param faillock_local_users_only +# @param faillock_nodelay +# @param faillock_admin_group # @param cracklib_enforce_for_root # @param cracklib_reject_username # @param cracklib_difok @@ -70,7 +76,13 @@ Integer[0] $cracklib_retry = $pam::cracklib_retry, Integer[0] $deny = $pam::deny, Boolean $faillock = $pam::faillock, - Optional[Stdlib::Absolutepath] $faillock_log_dir = undef, + Boolean $manage_faillock_conf = $pam::manage_faillock_conf, + Optional[Stdlib::Absolutepath] $faillock_log_dir = $pam::faillock_log_dir, + Boolean $faillock_audit = $pam::faillock_audit, + Boolean $faillock_no_log_info = $pam::faillock_no_log_info, + Boolean $faillock_local_users_only = $pam::faillock_local_users_only, + Boolean $faillock_nodelay = $pam::faillock_nodelay, + Optional[String] $faillock_admin_group = $pam::faillock_admin_group, Boolean $display_account_lock = $pam::display_account_lock, Integer[0] $fail_interval = $pam::fail_interval, Integer[0] $remember = $pam::remember, @@ -143,6 +155,7 @@ password_check_backend => $password_check_backend, locale_file => $locale_file, auth_content_pre => $auth_content_pre, + manage_faillock_conf => $manage_faillock_conf, cracklib_enforce_for_root => $cracklib_enforce_for_root, cracklib_reject_username => $cracklib_reject_username, cracklib_difok => $cracklib_difok, @@ -160,6 +173,11 @@ deny => $deny, faillock => $faillock, faillock_log_dir => $faillock_log_dir, + faillock_audit => $faillock_audit, + faillock_no_log_info => $faillock_no_log_info, + faillock_local_users_only => $faillock_local_users_only, + faillock_nodelay => $faillock_nodelay, + faillock_admin_group => $faillock_admin_group, display_account_lock => $display_account_lock, fail_interval => $fail_interval, remember => $remember, 
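Review bot: The new `manage_faillock_conf => $manage_faillock_conf,` passed to the auth template is not gated the way config.pp gates the conf file, so on EL7 or a non-RedHat host with the flag set the pam.d files get bare `pam_faillock.so preauth`/`authfail`/`authsucc` lines (auth.epp) while no /etc/security/faillock.conf is rendered, leaving pam_faillock to run on its built-in defaults instead of the configured `deny`/`unlock_time`/`even_deny_root` policy. That contradicts the new `@param manage_faillock_conf` text in init.pp ("ignored on el7 and earlier"), and the weakened lockout would not be visible in the catalog. I would compute the effective flag once, e.g. `$_manage_faillock_conf = $manage_faillock_conf and ($facts['os']['family'] == 'RedHat') and (versioncmp($facts['os']['release']['major'], '7') > 0)`, and pass that to the template here and use the same value in config.pp, so the two files can never disagree. The enclosing `pam::auth` define starts before this hunk and its body continues past it.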
diff --git a/manifests/config.pp b/manifests/config.pp index 407dc50..0f48fff 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -116,16 +116,40 @@ } } - if ($pam::faillock_log_dir) { - file { $pam::faillock_log_dir: - ensure => 'dir', - owner => 'root', - group => 'root', - mode => '0750', - seluser => 'system_u', - selrole => 'object_r', - seltype => 'faillog_t', - selrange => 's0', + # EL 7 doesn't utilize faillock.conf and will break if used + if ($facts['os']['family'] == 'RedHat') and ($facts['os']['release']['major'] > '7') and ($pam::manage_faillock_conf) { + if ($pam::faillock_log_dir) { + file { $pam::faillock_log_dir: + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0750', + seluser => 'system_u', + selrole => 'object_r', + seltype => 'faillog_t', + selrange => 's0', + } + } + + file { '/etc/security/faillock.conf': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + content => epp("${module_name}/etc/security/faillock.conf.epp", { + dir => $pam::faillock_log_dir, + audit => $pam::faillock_audit, + silent => !$pam::display_account_lock, + no_log_info => $pam::faillock_no_log_info, + local_users_only => $pam::faillock_local_users_only, + nodelay => $pam::faillock_nodelay, + deny => $pam::deny, + fail_interval => $pam::fail_interval, + unlock_time => $pam::unlock_time, + even_deny_root => $pam::even_deny_root, + root_unlock_time => $pam::root_unlock_time, + admin_group => $pam::faillock_admin_group + }), } } diff --git a/manifests/init.pp b/manifests/init.pp index e070147..cab79ef 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
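Review bot: `($facts['os']['release']['major'] > '7')` in the new guard compares two strings, so the test is lexicographic and `'10' > '7'` is false; the conf file would silently not be managed on a future major release. Use `versioncmp($facts['os']['release']['major'], '7') > 0` (or `Integer($facts['os']['release']['major']) > 7`) here; config_spec.rb and init_spec.rb mirror the same string comparison. Separately, moving `file { $pam::faillock_log_dir: ... }` inside this guard is a regression for the default `manage_faillock_conf => false` path: auth.epp still emits `dir=<faillock_log_dir>` inline, but the directory and its `faillog_t` label are no longer created, so pam_faillock may be unable to record failures for a custom dir (the spec context that covered this was deleted rather than updated). Keep the directory resource outside the guard, conditioned only on `$pam::faillock_log_dir` as before. The enclosing `pam::config` class starts outside this hunk.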
@@ -128,19 +128,16 @@ # ability of users to override our settings directly on the system. # # @param deny -# The number of failed attempts before PAM denies a user from logging in +# The number of failed attempts before PAM denies a user from logging in. # # @param faillock # Enable or disable the use of ``faillock`` # -# @param faillock_log_dir -# The location in which to log failed login attempts and account lockouts -# # @param display_account_lock -# Display to the remote user that their account has been locked +# Display to the remote user that their account has been locked. # # @param fail_interval -# Sets the time until the check fails +# Sets the time until the check fails. # # @param homedir_umask # Sets the file mode creation mask of the user home directories @@ -157,10 +154,10 @@ # Remember the last ``$remember`` passwords for the root user # # @param even_deny_root -# Enforce an account lockout for the ``root`` account +# Enforce an account lockout for the ``root`` account. # # @param root_unlock_time -# Allow access after N seconds to root account after failed attempt +# Allow access after N seconds to root account after failed attempt. # # * Has no effect if ``even_deny_root`` is not set # @@ -175,7 +172,7 @@ # Allow user logins for users with UID higher than N # # @param unlock_time -# Allow acesss after N seconds to user account after failed attempt +# Allow acesss after N seconds to user account after failed attempt. # # @param preserve_ac # Keep the original ``-ac`` files around for reference 
@@ -282,6 +279,30 @@ # @param package_ensure # Ensure setting for all packages installed by this module # +# @param manage_faillock_conf +# If true, the faillock parameters will be managed within /etc/security/faillock.conf +# instead of inline in the auth files. This parameter will be ignored on el7 and earlier systems. +# +# @param faillock_log_dir +# The directory where the user files with the failure records are kept. +# +# @param faillock_audit +# If true, log the user name into the system log if the user is not found. +# +# @param faillock_no_log_info +# If true, don't log informative messages via syslog. +# +# @param faillock_local_users_only +# If true, only track failed user authentications attempts for local users in +# /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# +# @param faillock_nodelay +# If true, don't enforce a delay after authentication failures. +# +# @param faillock_admin_group +# If a group name is specified with this option, members of the group will be handled by +# this module the same as the root account. +# # @author https://github.com/simp/pupmod-simp-pam/graphs/contributors # class pam ( 
@@ -308,21 +329,13 @@ Boolean $rm_pwquality_conf_d = true, Boolean $oath = simplib::lookup('simp_options::oath', { 'default_value' => false }), Integer[0] $oath_window = 1, - Integer[0] $deny = 5, - Boolean $faillock = true, - Optional[Stdlib::Absolutepath] $faillock_log_dir = undef, - Boolean $display_account_lock = false, Simplib::Umask $homedir_umask = '0077', Integer[0] $remember = 24, Integer[0] $remember_retry = 1, Boolean $remember_for_root = true, - Boolean $even_deny_root = true, - Integer[0] $root_unlock_time = 60, Pam::HashAlgorithm $hash_algorithm = 'sha512', Integer[0] $rounds = 10000, Integer[0] $uid = simplib::lookup('simp_options::uid::min', { 'default_value' => pick(fact('login_defs.uid_min'), 1000) }), - Pam::AccountUnlockTime $unlock_time = 900, - Integer[0] $fail_interval = 900, Boolean $preserve_ac = false, Boolean $warn_if_unknown = true, Boolean $deny_if_unknown = true, @@ -346,7 +359,21 @@ Boolean $enable_warning = true, Boolean $disable_authconfig = true, Boolean $use_authselect = simplib::lookup('simp_options::authselect', { 'default_value' => false }), - Simplib::PackageEnsure $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' }) + Simplib::PackageEnsure $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' }), + Boolean $faillock = true, + Boolean $manage_faillock_conf = false, + Integer[0] $deny = 5, + Boolean $display_account_lock = false, + Pam::AccountUnlockTime $unlock_time = 900, + Integer[0] $fail_interval = 900, + Boolean $even_deny_root = true, + Integer[0] $root_unlock_time = 60, + Optional[Stdlib::Absolutepath] $faillock_log_dir = undef, + Boolean $faillock_audit = true, + Boolean $faillock_no_log_info = false, + Boolean $faillock_local_users_only = false, + Boolean $faillock_nodelay = false, + Optional[String] $faillock_admin_group = undef ) { if simplib::lookup('simp_options::pam', { 'default_value' => true }) { if $enable { 
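Review bot: `Optional[String] $faillock_admin_group = undef` accepts the empty string, which is truthy in Puppet 4+, so `pam::faillock_admin_group: ''` renders `admin_group=` with no value both inline in the auth files and in faillock.conf. Tighten it to `Optional[String[1]] $faillock_admin_group = undef` (and the matching parameter in auth.pp and the two templates) so a blank value is rejected at compile time instead of producing a malformed option. The reordering of `deny`/`faillock`/`unlock_time` etc. to the end of the list is harmless since callers bind by name.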
diff --git a/metadata.json b/metadata.json index 3744f6b..2fe48fc 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-pam", - "version": "6.15.1", + "version": "6.16.0", "author": "SIMP Team", "summary": "A SIMP puppet module for managing pam", "license": "Apache-2.0", diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index 1449825..c8f3750 100644 --- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb @@ -64,6 +64,41 @@ EOM } + let(:default_faillock_conf){ + <<~EOM + # This file is generated by Puppet + # Any changes made to it will be overwritten. + # + audit + silent + deny=5 + fail_interval=900 + unlock_time=900 + even_deny_root + root_unlock_time=60 + EOM + } + + let(:all_params_faillock_conf){ + <<~EOM + # This file is generated by Puppet + # Any changes made to it will be overwritten. + # + dir=/var/log/faillock + audit + silent + no_log_info + local_users_only + nodelay + deny=4 + fail_interval=1200 + unlock_time=180 + even_deny_root + root_unlock_time=60 + admin_group=wheel + EOM + } + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do @@ -155,7 +190,7 @@ ) } - if os_facts[:os][:release][:major] <= '7' + if os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7' it { project_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', '..')) expected = IO.read(File.join(project_dir, 'files', 'simp_authconfig.sh')) @@ -325,11 +360,6 @@ } end - context 'with faillock_log_dir set' do - let(:params){{ :faillock_log_dir => '/var/log/faillock' }} - it { is_expected.to contain_file('/var/log/faillock') } - end - context 'no warn_if_unknown = false' do let(:params){{ :warn_if_unknown => false }} it { is_expected.to contain_file('/etc/pam.d/other').with_content(<<~EOM 
@@ -363,6 +393,42 @@ it { is_expected.to_not contain_pam__auth('password') } it { is_expected.to_not contain_pam__auth('smartcard') } end + + context 'with managing faillock.conf with default parameters' do + let(:params){{ :manage_faillock_conf => true}} + + it {is_expected.to compile.with_all_deps} + if os_facts[:os][:release][:major] <= '7' + it {is_expected.to_not contain_file('/etc/security/faillock.conf')} + else + it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( default_faillock_conf )} + end + end + + context 'with managing faillock.conf with all non-default parameters' do + let(:params){{ + :manage_faillock_conf => true, + :faillock_log_dir => '/var/log/faillock', + :faillock_audit => true, + :display_account_lock => false, + :faillock_no_log_info => true, + :faillock_local_users_only => true, + :faillock_nodelay => true, + :deny => 4, + :fail_interval => 1200, + :unlock_time => 180, + :even_deny_root => true, + :root_unlock_time => 60, + :faillock_admin_group => 'wheel' + }} + + it {is_expected.to compile.with_all_deps} + if os_facts[:os][:release][:major] <= '7' + it {is_expected.to_not contain_file('/etc/security/faillock.conf')} + else + it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( all_params_faillock_conf )} + end + end end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index f22056f..5f30674 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
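Review bot: The 'all non-default parameters' context sets `:faillock_audit => true`, `:display_account_lock => false`, `:even_deny_root => true` and `:root_unlock_time => 60`, which are the module defaults, so the template branches that omit `audit`, `silent` and `even_deny_root` are never exercised. Add a context with those flipped and assert that the rendered file does not contain those keywords. Also, `os_facts[:os][:release][:major] <= '7'` is a Ruby string comparison and omits the `os.family` check the manifest applies, so the expectation diverges from the code under test on non-RedHat facts and on a two-digit major.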
@@ -39,6 +39,38 @@ it { is_expected.to contain_package('pam').with_ensure('latest') } it { is_expected.to contain_package('libpwquality').with_ensure('latest') } end + + context 'with all possible faillock params set' do + let(:params) {{ + :manage_faillock_conf => false, + :display_account_lock => false, + :deny => 6, + :faillock_audit => true, + :unlock_time => 600, + :fail_interval => 600, + :faillock_log_dir => '/var/log/faillock', + :faillock_no_log_info => true, + :faillock_local_users_only => true, + :faillock_nodelay => true, + :faillock_admin_group => 'admin', + :even_deny_root => true + }} + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_file('/etc/pam.d/password-auth').with_content(/auth required pam_faillock.so preauth silent deny=6 audit unlock_time=600 fail_interval=600 dir=\/var\/log\/faillock no_log_info local_users_only nodelay admin_group=admin even_deny_root/) } + it { is_expected.to contain_file('/etc/pam.d/system-auth').with_content(/auth required pam_faillock.so preauth silent deny=6 audit unlock_time=600 fail_interval=600 dir=\/var\/log\/faillock no_log_info local_users_only nodelay admin_group=admin even_deny_root/) } + end + + context 'with manage_faillock_conf=true' do + let(:params) {{ :manage_faillock_conf => true }} + + it { is_expected.to compile.with_all_deps } + if os_facts[:os][:release][:major] > '7' + it { is_expected.to contain_file('/etc/security/faillock.conf') } + else + it { is_expected.to_not contain_file('/etc/security/faillock.conf') } + end + end end end end diff --git a/templates/etc/pam.d/auth.epp b/templates/etc/pam.d/auth.epp index 2ac9ae9..40230eb 100644 --- a/templates/etc/pam.d/auth.epp +++ b/templates/etc/pam.d/auth.epp 
@@ -19,6 +19,12 @@ Integer[0] $cracklib_retry, Integer[0] $deny, Boolean $faillock, + Boolean $manage_faillock_conf, + Boolean $faillock_audit, + Boolean $faillock_no_log_info, + Boolean $faillock_local_users_only, + Boolean $faillock_nodelay, + Optional[String] $faillock_admin_group, Optional[Stdlib::Absolutepath] $faillock_log_dir, Boolean $display_account_lock, Integer[0] $fail_interval, @@ -64,12 +70,52 @@ else { auth optional pam_faildelay.so auth required pam_env.so <% if $faillock { + if $manage_faillock_conf { +-%> +auth required pam_faillock.so preauth +<% } else { if $faillock_log_dir { $_faillock_log_dir = " dir=${faillock_log_dir}" } else { $_faillock_log_dir = '' } + + if $faillock_audit { + $_faillock_audit = ' audit' + } + else { + $_faillock_audit = '' + } + + if $faillock_no_log_info { + $_faillock_no_log_info = ' no_log_info' + } + else { + $_faillock_no_log_info = '' + } + + if $faillock_local_users_only { + $_faillock_local_users_only = ' local_users_only' + } + else { + $_faillock_local_users_only = '' + } + + if $faillock_nodelay { + $_faillock_nodelay = ' nodelay' + } + else { + $_faillock_nodelay = '' + } + + if $faillock_admin_group { + $_faillock_admin_group = " admin_group=${faillock_admin_group}" + } + else { + $_faillock_admin_group = '' + } + if $display_account_lock { $_display_account_lock = '' } 
@@ -77,7 +123,8 @@ auth required pam_env.so $_display_account_lock = ' silent' } -%> -auth required pam_faillock.so preauth<%= $_faillock_log_dir %><%= $_display_account_lock %> deny=<%= $deny %> audit unlock_time=<%= $unlock_time %> fail_interval=<%= $fail_interval %><%= $_even_deny_root %> +auth required pam_faillock.so preauth<%= $_display_account_lock %> deny=<%= $deny %><%= $_faillock_audit %> unlock_time=<%= $unlock_time %> fail_interval=<%= $fail_interval %><%= $_faillock_log_dir %><%= $_faillock_no_log_info %><%= $_faillock_local_users_only %><%= $_faillock_nodelay %><%= $_faillock_admin_group %><%= $_even_deny_root %> +<% } -%> <% } -%> <% if $name == 'fingerprint' { -%> auth sufficient pam_fprintd.so @@ -97,8 +144,13 @@ auth requisite pam_deny.so auth [success=2 default=ignore] pam_sss.so forward_pass <% } -%> auth [success=1 default=ignore] pam_unix.so try_first_pass +<% if $manage_faillock_conf { -%> +auth [default=die] pam_faillock.so authfail +auth sufficient pam_faillock.so authsucc +<% } else { -%> auth [default=die] pam_faillock.so authfail deny=<%= $deny %> audit unlock_time=<%= $unlock_time %><%= $_even_deny_root %> auth sufficient pam_faillock.so authsucc deny=<%= $deny %> audit unlock_time=<%= $unlock_time %><%= $_even_deny_root %> +<% } -%> <% } else { -%> <% if $sssd { -%> auth sufficient pam_sss.so forward_pass diff --git a/templates/etc/security/faillock.conf.epp b/templates/etc/security/faillock.conf.epp new file mode 100644 index 0000000..352627f --- /dev/null +++ b/templates/etc/security/faillock.conf.epp 
@@ -0,0 +1,53 @@ +<%-| + Optional[Stdlib::Absolutepath] $dir, + Boolean $audit, + Boolean $silent, + Boolean $no_log_info, + Boolean $local_users_only, + Boolean $nodelay, + Optional[Integer[0]] $deny, + Optional[Integer[0]] $fail_interval, + Optional[Integer[0]] $unlock_time, + Boolean $even_deny_root, + Optional[Integer[0]] $root_unlock_time, + Optional[String] $admin_group +|-%> +# This file is generated by Puppet +# Any changes made to it will be overwritten. +# +<% if $dir { -%> +dir=<%= $dir %> +<% } -%> +<% if $audit { -%> +audit +<% } -%> +<% if $silent { -%> +silent +<% } -%> +<% if $no_log_info { -%> +no_log_info +<% } -%> +<% if $local_users_only { -%> +local_users_only +<% } -%> +<% if $nodelay { -%> +nodelay +<% } -%> +<% if $deny { -%> +deny=<%= $deny %> +<% } -%> +<% if $fail_interval { -%> +fail_interval=<%= $fail_interval %> +<% } -%> +<% if $unlock_time { -%> +unlock_time=<%= $unlock_time %> +<% } -%> +<% if $even_deny_root { -%> +even_deny_root +<% } -%> +<% if $root_unlock_time { -%> +root_unlock_time=<%= $root_unlock_time %> +<% } -%> +<% if $admin_group { -%> +admin_group=<%= $admin_group %> +<% } -%>
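Review bot: The template types `unlock_time`, `deny`, `fail_interval` and `root_unlock_time` as `Optional[Integer[0]]`, but config.pp passes `$pam::unlock_time`, which init.pp types as `Pam::AccountUnlockTime`; if that alias admits anything other than a non-negative integer, the `epp()` call will fail the template's parameter check at compile time. Declaring it as `Pam::AccountUnlockTime $unlock_time,` keeps the two in step. A one-line header comment naming the caller would also help here, e.g. `# Rendered by pam::config; all values come from the pam class parameters.`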