(#145) Added the ability to control pwhistory.conf (#146)
* (#145) Added the ability to control pwhistory.conf

Fixes #145

* Updated major version, README, and CHANGELOG

* Minor updates to the README, and removed incorrectly added .err files
michael-riddle committed Feb 6, 2024
1 parent 1a420f3 commit 98dd210
Showing 114 changed files with 2,447 additions and 155 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG
@@ -1,4 +1,8 @@

* Wed Jan 31 2024 Mike Riddle <mike@sicura.us> - 7.0.0
- Added functionality to control /etc/security/pwhistory.conf
- Fixed logic that would cause certain functionality to break on Amazon Linux 2022 and above

* Mon Jan 29 2024 Mike Riddle <mike@sicura.us> - 6.16.0
- Added functionality to control /etc/security/faillock.conf

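Review bot: the 7.0.0 entry omits the compatibility impact that the README in this same commit spells out: managing /etc/security/pwhistory.conf here replaces the /etc/security/opasswd management that lived in the SIMP useradd module and conflicts with useradd versions older than 1.0.0. Since the major version is being bumped for exactly this, the breaking change belongs in the changelog, e.g. `- Moved /etc/security/opasswd management here from the useradd module; requires useradd >= 1.0.0`.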
60 changes: 44 additions & 16 deletions README.md
Expand Up @@ -21,7 +21,9 @@
* [Restricting Resource Usage (pam_limits)](#restricting-resource-usage-pam_limits)
* [Restricting ``su`` to the ``wheel`` Group](#restricting-su-to-the-wheel-group)
* [Managing /etc/security/faillock.conf](#managing-etcsecurityfaillockconf)
* [/etc/security_faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters)
* [/etc/security/faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters)
* [Managing /etc/security/pwhistory.conf](#managing-etcsecuritypwhistoryconf)
* [/etc/security/pwhistory.conf Example With All Parameters](#etcsecuritypwhistoryconf-hieradata-example-with-all-parameters)
* [Development](#development)
* [Acceptance tests](#acceptance-tests)

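Review bot: the new table-of-contents entries read `/etc/security/faillock.conf Example With All Parameters` and `/etc/security/pwhistory.conf Example With All Parameters`, while the headings they point at are titled `... Hieradata Example With All Parameters`. The slugs in the links match the headings, but the visible link text should match them too; the corrected faillock line is a good place to make both consistent.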
Expand Down Expand Up @@ -205,49 +207,75 @@ You can change the target group by updating the value of

### Managing /etc/security/faillock.conf

To manage faillock with ``/etc/security/faillock.conf`` instead of inline parameters in the auth files set the following in hieradata:
To manage faillock with ``/etc/security/faillock.conf`` set the following in hieradata:

```yaml
pam::manage_faillock_conf: true
```

A couple of things to note here are:

- This feature will only work on systems running EL 8 (or equivalent) and above.
- ``pam::faillock`` must still be true for faillock to work appropriately
- By default, /etc/security/faillock.conf will be empty except for a comment saying the file is managed by puppet. To set content in the file, the following parameters are available:

- ``pam::faillock_dir``
- ``pam::faillock_log_dir``
- ``pam::faillock_audit``
- ``pam::faillock_silent``
- ``pam::display_account_lock``
- ``pam::faillock_no_log_info``
- ``pam::faillock_local_users_only``
- ``pam::faillock_nodelay``
- ``pam::faillock_deny``
- ``pam::faillock_fail_interval``
- ``pam::faillock_unlock_time``
- ``pam::faillock_even_deny_root``
- ``pam::faillock_root_unlock_time``
- ``pam::deny``
- ``pam::fail_interval``
- ``pam::unlock_time``
- ``pam::even_deny_root``
- ``pam::root_unlock_time``
- ``pam::faillock_admin_group``

#### /etc/security/faillock.conf Hieradata Example With All Parameters

```yaml
pam::faillock: true
pam::manage_faillock_conf: true
pam::faillock_dir: '/var/log/faillock'
pam::faillock_log_dir: '/var/log/faillock'
pam::faillock_audit: true
pam::faillock_silent: true
pam::display_account_lock: true
pam::faillock_no_log_info: false
pam::faillock_local_users_only: false
pam::faillock_nodelay: false
pam::faillock_deny: 5
pam::faillock_fail_interval: 900
pam::faillock_unlock_time: 900
pam::faillock_even_deny_root: true
pam::faillock_root_unlock_time: 60
pam::deny: 5
pam::fail_interval: 900
pam::unlock_time: 900
pam::even_deny_root: true
pam::root_unlock_time: 60
pam::faillock_admin_group: 'wheel'
```

### Managing /etc/security/pwhistory.conf

To manage pwhistory with ``/etc/security/pwhistory.conf`` set the following in hieradata:

```yaml
pam::manage_pwhistory_conf: true
```

A couple of things to note here are:

- This feature will only work on systems running EL 8 (or equivalent) and above.
- This feature replaced management of /etc/security/opasswd in the SIMP Useradd module as of version 7.0.0 and will conflict with any version of useradd older than 1.0.0.
- The parameter to control where password history is set is ``pam::remember_file``

#### /etc/security/pwhistory.conf Hieradata Example With All Parameters

```yaml
pam::manage_pwhistory_conf: true
pam::remember: 32
pam::remember_retry: 3
pam::remember_file: '/etc/security/opasswd'
pam::remember_debug: true
pam::remember_for_root: true
```

## Development

Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/Contribution_Procedure.html)
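Review bot: the first note under "Managing /etc/security/pwhistory.conf" says the feature "will only work on systems running EL 8 (or equivalent) and above", but the auth.pp change in this commit silently forces `$_manage_pwhistory_conf = false` on EL 7 and Amazon Linux 2 rather than failing, and REFERENCE.md describes the parameter as "ignored" on EL 7. State plainly that the setting is ignored on those platforms and that pwhistory options then stay inline in the auth files, and name Amazon Linux 2 alongside EL 7. The third note, "The parameter to control where password history is set is ``pam::remember_file``", also reads awkwardly; "The location of the password history file is controlled by ``pam::remember_file``" says the same thing more clearly.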
60 changes: 58 additions & 2 deletions REFERENCE.md
Expand Up @@ -68,9 +68,12 @@ The following parameters are available in the `pam` class:
* [`display_account_lock`](#-pam--display_account_lock)
* [`fail_interval`](#-pam--fail_interval)
* [`homedir_umask`](#-pam--homedir_umask)
* [`manage_pwhistory_conf`](#-pam--manage_pwhistory_conf)
* [`remember`](#-pam--remember)
* [`remember_retry`](#-pam--remember_retry)
* [`remember_for_root`](#-pam--remember_for_root)
* [`remember_file`](#-pam--remember_file)
* [`remember_debug`](#-pam--remember_debug)
* [`even_deny_root`](#-pam--even_deny_root)
* [`root_unlock_time`](#-pam--root_unlock_time)
* [`hash_algorithm`](#-pam--hash_algorithm)
Expand Down Expand Up @@ -370,11 +373,21 @@ Sets the file mode creation mask of the user home directories

Default value: `'0077'`

##### <a name="-pam--manage_pwhistory_conf"></a>`manage_pwhistory_conf`

Data type: `Boolean`

If true, password history settings will be managed inside of
/etc/security/pwhistory.conf instead of inline in the pam auth files.
This parameter will be ignored if the host is EL 7.

Default value: `false`

##### <a name="-pam--remember"></a>`remember`

Data type: `Integer[0]`

The last N passwords for each user are saved in ``/etc/security/opasswd``
The last N passwords for each user are saved in ``$remember_file``
in order to force password change history and keep the user from
alternating between the same password too frequently

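Review bot: the `manage_pwhistory_conf` description says the parameter "will be ignored if the host is EL 7", but auth.pp in this commit also disables it on Amazon Linux releases before 2022 (its comment reads "faillock.conf and pwhistory.conf don't exist in el 7 and Amazon Linux 2"). The docstring should list both platforms so the documented behaviour matches the code, e.g. "This parameter is ignored on EL 7 and Amazon Linux 2, where pwhistory.conf does not exist."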
Expand All @@ -392,10 +405,26 @@ Default value: `1`

Data type: `Boolean`

Remember the last ``$remember`` passwords for the root user
Remember the last ``$remember`` passwords for the root user.

Default value: `true`

##### <a name="-pam--remember_file"></a>`remember_file`

Data type: `StdLib::Absolutepath`

The location for user's remembered passwords to be saved.

Default value: `'/etc/security/opasswd'`

##### <a name="-pam--remember_debug"></a>`remember_debug`

Data type: `Boolean`

If true, turn on debugging for pwhistory to syslog.

Default value: `false`

##### <a name="-pam--even_deny_root"></a>`even_deny_root`

Data type: `Boolean`
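Review bot: `remember_file` is documented here with data type `StdLib::Absolutepath`, while auth.pp in the same commit declares it as `Stdlib::Absolutepath` and the `pam::auth` section of this file uses `Stdlib::Absolutepath` as well. The puppetlabs-stdlib type is spelled `Stdlib::Absolutepath`; fix the declaration behind this entry so the two classes agree. The description "The location for user's remembered passwords to be saved." should also read "The file in which users' remembered passwords are saved."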
Expand Down Expand Up @@ -1076,9 +1105,12 @@ The following parameters are available in the `pam::auth` defined type:
* [`faillock_log_dir`](#-pam--auth--faillock_log_dir)
* [`display_account_lock`](#-pam--auth--display_account_lock)
* [`fail_interval`](#-pam--auth--fail_interval)
* [`manage_pwhistory_conf`](#-pam--auth--manage_pwhistory_conf)
* [`remember_debug`](#-pam--auth--remember_debug)
* [`remember`](#-pam--auth--remember)
* [`remember_retry`](#-pam--auth--remember_retry)
* [`remember_for_root`](#-pam--auth--remember_for_root)
* [`remember_file`](#-pam--auth--remember_file)
* [`even_deny_root`](#-pam--auth--even_deny_root)
* [`root_unlock_time`](#-pam--auth--root_unlock_time)
* [`hash_algorithm`](#-pam--auth--hash_algorithm)
Expand Down Expand Up @@ -1334,6 +1366,22 @@ Data type: `Integer[0]`

Default value: `$pam::fail_interval`

##### <a name="-pam--auth--manage_pwhistory_conf"></a>`manage_pwhistory_conf`

Data type: `Boolean`



Default value: `$pam::manage_pwhistory_conf`

##### <a name="-pam--auth--remember_debug"></a>`remember_debug`

Data type: `Boolean`



Default value: `$pam::remember_debug`

##### <a name="-pam--auth--remember"></a>`remember`

Data type: `Integer[0]`
Expand All @@ -1358,6 +1406,14 @@ Data type: `Boolean`

Default value: `$pam::remember_for_root`

##### <a name="-pam--auth--remember_file"></a>`remember_file`

Data type: `Stdlib::Absolutepath`



Default value: `$pam::remember_file`

##### <a name="-pam--auth--even_deny_root"></a>`even_deny_root`

Data type: `Boolean`
33 changes: 29 additions & 4 deletions manifests/auth.pp
Expand Up @@ -36,9 +36,12 @@
# @param faillock_log_dir
# @param display_account_lock
# @param fail_interval
# @param manage_pwhistory_conf
# @param remember_debug
# @param remember
# @param remember_retry
# @param remember_for_root
# @param remember_file
# @param even_deny_root
# @param root_unlock_time
# @param hash_algorithm
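Review bot: the new `@param manage_pwhistory_conf`, `@param remember_debug` and `@param remember_file` tags carry no description text, which is why the corresponding `pam::auth` sections in REFERENCE.md in this commit contain only a data type and a default value separated by blank lines. A one-line description pointing at the class parameter each one mirrors would fill them, e.g. `# @param remember_file See ``pam::remember_file```.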
Expand Down Expand Up @@ -85,9 +88,12 @@
Optional[String] $faillock_admin_group = $pam::faillock_admin_group,
Boolean $display_account_lock = $pam::display_account_lock,
Integer[0] $fail_interval = $pam::fail_interval,
Boolean $manage_pwhistory_conf = $pam::manage_pwhistory_conf,
Boolean $remember_debug = $pam::remember_debug,
Integer[0] $remember = $pam::remember,
Integer[0] $remember_retry = $pam::remember_retry,
Boolean $remember_for_root = $pam::remember_for_root,
Stdlib::Absolutepath $remember_file = $pam::remember_file,
Boolean $even_deny_root = $pam::even_deny_root,
Integer[0] $root_unlock_time = $pam::root_unlock_time,
Pam::HashAlgorithm $hash_algorithm = $pam::hash_algorithm,
Expand Down Expand Up @@ -150,14 +156,30 @@
$_content = $_top_var
}
else {
if ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) or
($facts['os']['name'] == 'Amazon') and Integer(($facts['os']['release']['major']) < 2022) {
$_cracklib_retry = $cracklib_retry
$_cracklib_enforce_for_root = $cracklib_enforce_for_root
$_cracklib_reject_username = $cracklib_reject_username
# faillock.conf and pwhistory.conf don't exist in el 7 and Amazon Linux 2
$_manage_faillock_conf = false
$_manage_pwhistory_conf = false
} else {
$_manage_faillock_conf = $manage_faillock_conf
$_manage_pwhistory_conf = $manage_pwhistory_conf
# retry, enforce_for_root, and reject_username will be enforced via pwquality.conf in el8 and Amazon Linux 2022 and higher
$_cracklib_retry = false
$_cracklib_enforce_for_root = false
$_cracklib_reject_username = false
}
$_content = epp("${module_name}/etc/pam.d/auth.epp", {
name => $name,
password_check_backend => $password_check_backend,
locale_file => $locale_file,
auth_content_pre => $auth_content_pre,
manage_faillock_conf => $manage_faillock_conf,
cracklib_enforce_for_root => $cracklib_enforce_for_root,
cracklib_reject_username => $cracklib_reject_username,
manage_faillock_conf => $_manage_faillock_conf,
cracklib_enforce_for_root => $_cracklib_enforce_for_root,
cracklib_reject_username => $_cracklib_reject_username,
cracklib_difok => $cracklib_difok,
cracklib_maxrepeat => $cracklib_maxrepeat,
cracklib_maxsequence => $cracklib_maxsequence,
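Review bot: the Amazon Linux clause on the second line of the new condition closes its parentheses in the wrong place: `Integer(($facts['os']['release']['major']) < 2022)` compares the raw major-version string with the integer `2022` and then converts the resulting boolean, instead of `Integer($facts['os']['release']['major']) < 2022` as on the RedHat line directly above it. In Puppet a `<` comparison between a String and an Integer is an evaluation error, so on Amazon Linux this would abort the catalog rather than select the legacy path. Suggest `($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022)` and wrapping the whole `or` expression in one outer pair of parentheses so the `and`/`or` grouping is explicit.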
Expand All @@ -169,7 +191,7 @@
cracklib_ocredit => $cracklib_ocredit,
cracklib_minclass => $cracklib_minclass,
cracklib_minlen => $cracklib_minlen,
cracklib_retry => $cracklib_retry,
cracklib_retry => $_cracklib_retry,
deny => $deny,
faillock => $faillock,
faillock_log_dir => $faillock_log_dir,
Expand All @@ -180,9 +202,12 @@
faillock_admin_group => $faillock_admin_group,
display_account_lock => $display_account_lock,
fail_interval => $fail_interval,
manage_pwhistory_conf => $_manage_pwhistory_conf,
remember_debug => $remember_debug,
remember => $remember,
remember_retry => $remember_retry,
remember_for_root => $remember_for_root,
remember_file => $remember_file,
even_deny_root => $even_deny_root,
root_unlock_time => $root_unlock_time,
hash_algorithm => $hash_algorithm,