(#145) Added the ability to control pwhistory.conf (#146)

* (#145) Added the ability to control pwhistory.conf

Fixes #145

* Updated major version, README, and CHANGELOG

* Minor updates to the README, and removed incorrectly added .err files

CHANGELOG

@@ -1,4 +1,8 @@
 
+* Wed Jan 31 2024 Mike Riddle <mike@sicura.us> - 7.0.0
+- Added functionality to control /etc/security/pwhistory.conf
+- Fixed logic that would cause certain functionality to break on Amazon Linux 2022 and above
+
 * Mon Jan 29 2024 Mike Riddle <mike@sicura.us> - 6.16.0
 - Added functionality to control /etc/security/faillock.conf
 

README.md

@@ -21,7 +21,9 @@
   * [Restricting Resource Usage (pam_limits)](#restricting-resource-usage-pam_limits)
   * [Restricting ``su`` to the ``wheel`` Group](#restricting-su-to-the-wheel-group)
   * [Managing /etc/security/faillock.conf](#managing-etcsecurityfaillockconf)
-    * [/etc/security_faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters)
+    * [/etc/security/faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters)
+  * [Managing /etc/security/pwhistory.conf](#managing-etcsecuritypwhistoryconf)
+    * [/etc/security/pwhistory.conf Example With All Parameters](#etcsecuritypwhistoryconf-hieradata-example-with-all-parameters)
 * [Development](#development)
   * [Acceptance tests](#acceptance-tests)
 
@@ -205,49 +207,75 @@ You can change the target group by updating the value of
 
 ### Managing /etc/security/faillock.conf
 
-To manage faillock with ``/etc/security/faillock.conf`` instead of inline parameters in the auth files set the following in hieradata:
+To manage faillock with ``/etc/security/faillock.conf`` set the following in hieradata:
 
 ```yaml
 pam::manage_faillock_conf: true
 ```
 
 A couple of things to note here are:
 
+- This feature will only work on systems running EL 8 (or equivalent) and above.
 - ``pam::faillock`` must still be true for faillock to work appropriately
 - By default, /etc/security/faillock.conf will be empty except for a comment saying the file is managed by puppet. To set content in the file, the following parameters are available:
 
-  - ``pam::faillock_dir``
+  - ``pam::faillock_log_dir``
   - ``pam::faillock_audit``
-  - ``pam::faillock_silent``
+  - ``pam::display_account_lock``
   - ``pam::faillock_no_log_info``
   - ``pam::faillock_local_users_only``
   - ``pam::faillock_nodelay``
-  - ``pam::faillock_deny``
-  - ``pam::faillock_fail_interval``
-  - ``pam::faillock_unlock_time``
-  - ``pam::faillock_even_deny_root``
-  - ``pam::faillock_root_unlock_time``
+  - ``pam::deny``
+  - ``pam::fail_interval``
+  - ``pam::unlock_time``
+  - ``pam::even_deny_root``
+  - ``pam::root_unlock_time``
   - ``pam::faillock_admin_group``
 
 #### /etc/security/faillock.conf Hieradata Example With All Parameters
 
 ```yaml
 pam::faillock: true
 pam::manage_faillock_conf: true
-pam::faillock_dir: '/var/log/faillock'
+pam::faillock_log_dir: '/var/log/faillock'
 pam::faillock_audit: true
-pam::faillock_silent: true
+pam::display_account_lock: true
 pam::faillock_no_log_info: false
 pam::faillock_local_users_only: false
 pam::faillock_nodelay: false
-pam::faillock_deny: 5
-pam::faillock_fail_interval: 900
-pam::faillock_unlock_time: 900
-pam::faillock_even_deny_root: true
-pam::faillock_root_unlock_time: 60
+pam::deny: 5
+pam::fail_interval: 900
+pam::unlock_time: 900
+pam::even_deny_root: true
+pam::root_unlock_time: 60
 pam::faillock_admin_group: 'wheel'
 ```
 
+### Managing /etc/security/pwhistory.conf
+
+To manage pwhistory with ``/etc/security/pwhistory.conf`` set the following in hieradata:
+
+```yaml
+pam::manage_pwhistory_conf: true
+```
+
+A couple of things to note here are:
+
+- This feature will only work on systems running EL 8 (or equivalent) and above.
+- This feature replaced management of /etc/security/opasswd in the SIMP Useradd module as of version 7.0.0 and will conflict with any version of useradd older than 1.0.0.
+  - The parameter to control where password history is set is ``pam::remember_file``
+
+#### /etc/security/pwhistory.conf Hieradata Example With All Parameters
+
+```yaml
+pam::manage_pwhistory_conf: true
+pam::remember: 32
+pam::remember_retry: 3
+pam::remember_file: '/etc/security/opasswd'
+pam::remember_debug: true
+pam::remember_for_root: true
+```
+
 ## Development
 
 Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/Contribution_Procedure.html)

REFERENCE.md

@@ -68,9 +68,12 @@ The following parameters are available in the `pam` class:
 * [`display_account_lock`](#-pam--display_account_lock)
 * [`fail_interval`](#-pam--fail_interval)
 * [`homedir_umask`](#-pam--homedir_umask)
+* [`manage_pwhistory_conf`](#-pam--manage_pwhistory_conf)
 * [`remember`](#-pam--remember)
 * [`remember_retry`](#-pam--remember_retry)
 * [`remember_for_root`](#-pam--remember_for_root)
+* [`remember_file`](#-pam--remember_file)
+* [`remember_debug`](#-pam--remember_debug)
 * [`even_deny_root`](#-pam--even_deny_root)
 * [`root_unlock_time`](#-pam--root_unlock_time)
 * [`hash_algorithm`](#-pam--hash_algorithm)
@@ -370,11 +373,21 @@ Sets the file mode creation mask of the user home directories
 
 Default value: `'0077'`
 
+##### <a name="-pam--manage_pwhistory_conf"></a>`manage_pwhistory_conf`
+
+Data type: `Boolean`
+
+If true, password history settings will be managed inside of
+/etc/security/pwhistory.conf instead of inline in the pam auth files.
+This parameter will be ignored if the host is EL 7.
+
+Default value: `false`
+
 ##### <a name="-pam--remember"></a>`remember`
 
 Data type: `Integer[0]`
 
-The last N passwords for each user are saved in ``/etc/security/opasswd``
+The last N passwords for each user are saved in ``$remember_file``
 in order to force password change history and keep the user from
 alternating between the same password too frequently
 
@@ -392,10 +405,26 @@ Default value: `1`
 
 Data type: `Boolean`
 
-Remember the last ``$remember`` passwords for the root user
+Remember the last ``$remember`` passwords for the root user.
 
 Default value: `true`
 
+##### <a name="-pam--remember_file"></a>`remember_file`
+
+Data type: `StdLib::Absolutepath`
+
+The location for user's remembered passwords to be saved.
+
+Default value: `'/etc/security/opasswd'`
+
+##### <a name="-pam--remember_debug"></a>`remember_debug`
+
+Data type: `Boolean`
+
+If true, turn on debugging for pwhistory to syslog.
+
+Default value: `false`
+
 ##### <a name="-pam--even_deny_root"></a>`even_deny_root`
 
 Data type: `Boolean`
@@ -1076,9 +1105,12 @@ The following parameters are available in the `pam::auth` defined type:
 * [`faillock_log_dir`](#-pam--auth--faillock_log_dir)
 * [`display_account_lock`](#-pam--auth--display_account_lock)
 * [`fail_interval`](#-pam--auth--fail_interval)
+* [`manage_pwhistory_conf`](#-pam--auth--manage_pwhistory_conf)
+* [`remember_debug`](#-pam--auth--remember_debug)
 * [`remember`](#-pam--auth--remember)
 * [`remember_retry`](#-pam--auth--remember_retry)
 * [`remember_for_root`](#-pam--auth--remember_for_root)
+* [`remember_file`](#-pam--auth--remember_file)
 * [`even_deny_root`](#-pam--auth--even_deny_root)
 * [`root_unlock_time`](#-pam--auth--root_unlock_time)
 * [`hash_algorithm`](#-pam--auth--hash_algorithm)
@@ -1334,6 +1366,22 @@ Data type: `Integer[0]`
 
 Default value: `$pam::fail_interval`
 
+##### <a name="-pam--auth--manage_pwhistory_conf"></a>`manage_pwhistory_conf`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::manage_pwhistory_conf`
+
+##### <a name="-pam--auth--remember_debug"></a>`remember_debug`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::remember_debug`
+
 ##### <a name="-pam--auth--remember"></a>`remember`
 
 Data type: `Integer[0]`
@@ -1358,6 +1406,14 @@ Data type: `Boolean`
 
 Default value: `$pam::remember_for_root`
 
+##### <a name="-pam--auth--remember_file"></a>`remember_file`
+
+Data type: `Stdlib::Absolutepath`
+
+
+
+Default value: `$pam::remember_file`
+
 ##### <a name="-pam--auth--even_deny_root"></a>`even_deny_root`
 
 Data type: `Boolean`

manifests/auth.pp

@@ -36,9 +36,12 @@
 # @param faillock_log_dir
 # @param display_account_lock
 # @param fail_interval
+# @param manage_pwhistory_conf
+# @param remember_debug
 # @param remember
 # @param remember_retry
 # @param remember_for_root
+# @param remember_file
 # @param even_deny_root
 # @param root_unlock_time
 # @param hash_algorithm
@@ -85,9 +88,12 @@
   Optional[String]               $faillock_admin_group      = $pam::faillock_admin_group,
   Boolean                        $display_account_lock      = $pam::display_account_lock,
   Integer[0]                     $fail_interval             = $pam::fail_interval,
+  Boolean                        $manage_pwhistory_conf     = $pam::manage_pwhistory_conf,
+  Boolean                        $remember_debug            = $pam::remember_debug,
   Integer[0]                     $remember                  = $pam::remember,
   Integer[0]                     $remember_retry            = $pam::remember_retry,
   Boolean                        $remember_for_root         = $pam::remember_for_root,
+  Stdlib::Absolutepath           $remember_file             = $pam::remember_file,
   Boolean                        $even_deny_root            = $pam::even_deny_root,
   Integer[0]                     $root_unlock_time          = $pam::root_unlock_time,
   Pam::HashAlgorithm             $hash_algorithm            = $pam::hash_algorithm,
@@ -150,14 +156,30 @@
       $_content = $_top_var
     }
     else {
+      if ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) or
+      ($facts['os']['name'] == 'Amazon') and Integer(($facts['os']['release']['major']) < 2022) {
+        $_cracklib_retry = $cracklib_retry
+        $_cracklib_enforce_for_root = $cracklib_enforce_for_root
+        $_cracklib_reject_username = $cracklib_reject_username
+        # faillock.conf and pwhistory.conf don't exist in el 7 and Amazon Linux 2
+        $_manage_faillock_conf = false
+        $_manage_pwhistory_conf = false
+      } else {
+        $_manage_faillock_conf = $manage_faillock_conf
+        $_manage_pwhistory_conf = $manage_pwhistory_conf
+        # retry, enforce_for_root, and reject_username will be enforced via pwquality.conf in el8 and Amazon Linux 2022 and higher
+        $_cracklib_retry = false
+        $_cracklib_enforce_for_root = false
+        $_cracklib_reject_username = false
+      }
       $_content = epp("${module_name}/etc/pam.d/auth.epp", {
           name                      => $name,
           password_check_backend    => $password_check_backend,
           locale_file               => $locale_file,
           auth_content_pre          => $auth_content_pre,
-          manage_faillock_conf      => $manage_faillock_conf,
-          cracklib_enforce_for_root => $cracklib_enforce_for_root,
-          cracklib_reject_username  => $cracklib_reject_username,
+          manage_faillock_conf      => $_manage_faillock_conf,
+          cracklib_enforce_for_root => $_cracklib_enforce_for_root,
+          cracklib_reject_username  => $_cracklib_reject_username,
           cracklib_difok            => $cracklib_difok,
           cracklib_maxrepeat        => $cracklib_maxrepeat,
           cracklib_maxsequence      => $cracklib_maxsequence,
@@ -169,7 +191,7 @@
           cracklib_ocredit          => $cracklib_ocredit,
           cracklib_minclass         => $cracklib_minclass,
           cracklib_minlen           => $cracklib_minlen,
-          cracklib_retry            => $cracklib_retry,
+          cracklib_retry            => $_cracklib_retry,
           deny                      => $deny,
           faillock                  => $faillock,
           faillock_log_dir          => $faillock_log_dir,
@@ -180,9 +202,12 @@
           faillock_admin_group      => $faillock_admin_group,
           display_account_lock      => $display_account_lock,
           fail_interval             => $fail_interval,
+          manage_pwhistory_conf     => $_manage_pwhistory_conf,
+          remember_debug            => $remember_debug,
           remember                  => $remember,
           remember_retry            => $remember_retry,
           remember_for_root         => $remember_for_root,
+          remember_file             => $remember_file,
           even_deny_root            => $even_deny_root,
           root_unlock_time          => $root_unlock_time,
           hash_algorithm            => $hash_algorithm,