From 98dd210859c18588078a3de1bc4eeb6c3e22d63d Mon Sep 17 00:00:00 2001 
From: Mike Riddle Date: Tue, 6 Feb 2024 16:55:27 -0500 Subject: [PATCH] (#145) Added the ability to control pwhistory.conf (#146) * (#145) Added the ability to control pwhistory.conf Fixes #145 * Updated major version, README, and CHANGELOG * Minor updates to the README, and removed incorrectly added .err files --- CHANGELOG | 4 + README.md | 60 +++++-- REFERENCE.md | 60 ++++++- manifests/auth.pp | 33 +++- manifests/config.pp | 155 ++++++++++++------ manifests/init.pp | 18 +- metadata.json | 6 +- spec/classes/config_spec.rb | 71 +++++++- spec/classes/init_spec.rb | 30 +++- spec/defines/auth_spec.rb | 72 +++++++- .../cracklib-el7-password-separator-0 | 41 +++++ .../cracklib-el7-password-separator-1 | 41 +++++ .../cracklib-el7-password-separator-2 | 41 +++++ .../cracklib-el7-password-separator-false | 41 +++++ ...or-0 => cracklib-el8-password-separator-0} | 0 ...rams => cracklib-el8-password-separator-1} | 0 ...or-2 => cracklib-el8-password-separator-2} | 0 ... => cracklib-el8-password-separator-false} | 0 ...cklib-fingerprint-el7-auth_custom_content} | 0 ...cklib-fingerprint-el7-auth_default_params} | 0 ...ib-fingerprint-el7-auth_sssd_no_tty_audit} | 0 ...t-el7-auth_sssd_openshift_multi_tty_audit} | 0 ...ib-fingerprint-el7-auth_unlock_time_never} | 0 ...cklib-fingerprint-el8-auth_custom_content} | 0 ...klib-fingerprint-el8-auth_default_params } | 0 ...ib-fingerprint-el8-auth_sssd_no_tty_audit} | 0 ...t-el8-auth_sssd_openshift_multi_tty_audit} | 0 ...ib-fingerprint-el8-auth_unlock_time_never} | 0 .../cracklib-password-el7-auth_default_params | 41 +++++ ...acklib-password-el7-auth_sssd_no_tty_audit | 44 +++++ ...rd-el7-auth_sssd_openshift_multi_tty_audit | 49 ++++++ ...acklib-password-el7-auth_unlock_time_never | 39 +++++ ...cracklib-password-el8-auth_default_params} | 0 ...cklib-password-el8-auth_sssd_no_tty_audit} | 0 ...d-el8-auth_sssd_openshift_multi_tty_audit} | 0 ...cklib-password-el8-auth_unlock_time_never} | 0 ...racklib-smartcard-el7-auth_custom_content} | 0 
...racklib-smartcard-el7-auth_default_params} | 0 ...klib-smartcard-el7-auth_sssd_no_tty_audit} | 0 ...d-el7-auth_sssd_openshift_multi_tty_audit} | 0 ...klib-smartcard-el7-auth_unlock_time_never} | 0 ...racklib-smartcard-el8-auth_custom_content} | 0 ...racklib-smartcard-el8-auth_default_params} | 0 ...klib-smartcard-el8-auth_sssd_no_tty_audit} | 0 ...d-el8-auth_sssd_openshift_multi_tty_audit} | 0 ...klib-smartcard-el8-auth_unlock_time_never} | 0 .../cracklib-system-el7-auth_default_params | 41 +++++ .../cracklib-system-el7-auth_oath_enabled | 45 +++++ ...cracklib-system-el7-auth_sssd_no_tty_audit | 44 +++++ ...em-el7-auth_sssd_openshift_multi_tty_audit | 49 ++++++ ...cracklib-system-el7-auth_unlock_time_never | 41 +++++ ...> cracklib-system-el8-auth_default_params} | 0 ... => cracklib-system-el8-auth_oath_enabled} | 0 ...racklib-system-el8-auth_sssd_no_tty_audit} | 0 ...m-el8-auth_sssd_openshift_multi_tty_audit} | 0 ...racklib-system-el8-auth_unlock_time_never} | 0 ...r-0 => pwquality-el7-password-separator-0} | 2 +- ...ams => pwquality-el7-password-separator-1} | 2 +- ...r-2 => pwquality-el7-password-separator-2} | 2 +- ...=> pwquality-el7-password-separator-false} | 2 +- .../pwquality-el8-password-separator-0 | 41 +++++ .../pwquality-el8-password-separator-1 | 41 +++++ .../pwquality-el8-password-separator-2 | 41 +++++ .../pwquality-el8-password-separator-false | 41 +++++ ...uality-fingerprint-el7-auth_custom_content | 1 + ...uality-fingerprint-el7-auth_default_params | 36 ++++ ...ity-fingerprint-el7-auth_sssd_no_tty_audit | 37 +++++ ...nt-el7-auth_sssd_openshift_multi_tty_audit | 42 +++++ ...int-el7-auth_sssd_user_specified_centrify} | 0 ...ity-fingerprint-el7-auth_unlock_time_never | 36 ++++ ...uality-fingerprint-el8-auth_custom_content | 1 + ...uality-fingerprint-el8-auth_default_params | 36 ++++ ...ity-fingerprint-el8-auth_sssd_no_tty_audit | 37 +++++ ...nt-el8-auth_sssd_openshift_multi_tty_audit | 42 +++++ ...rint-el8-auth_sssd_user_specified_centrify | 47 
++++++ ...ity-fingerprint-el8-auth_unlock_time_never | 36 ++++ ...wquality-password-el7-auth_default_params} | 2 +- ...ality-password-el7-auth_sssd_no_tty_audit} | 2 +- ...d-el7-auth_sssd_openshift_multi_tty_audit} | 2 +- ...ord-el7-auth_sssd_user_specified_centrify} | 2 +- ...ality-password-el7-auth_unlock_time_never} | 2 +- ...pwquality-password-el8-auth_default_params | 41 +++++ ...uality-password-el8-auth_sssd_no_tty_audit | 44 +++++ ...rd-el8-auth_sssd_openshift_multi_tty_audit | 49 ++++++ ...word-el8-auth_sssd_user_specified_centrify | 54 ++++++ ...uality-password-el8-auth_unlock_time_never | 41 +++++ ...wquality-smartcard-el7-auth_custom_content | 1 + ...wquality-smartcard-el7-auth_default_params | 32 ++++ ...ality-smartcard-el7-auth_sssd_no_tty_audit | 37 +++++ ...rd-el7-auth_sssd_openshift_multi_tty_audit | 38 +++++ ...ard-el7-auth_sssd_user_specified_centrify} | 0 ...ality-smartcard-el7-auth_unlock_time_never | 32 ++++ ...wquality-smartcard-el8-auth_custom_content | 1 + ...wquality-smartcard-el8-auth_default_params | 32 ++++ ...ality-smartcard-el8-auth_sssd_no_tty_audit | 37 +++++ ...rd-el8-auth_sssd_openshift_multi_tty_audit | 38 +++++ ...card-el8-auth_sssd_user_specified_centrify | 43 +++++ ...ality-smartcard-el8-auth_unlock_time_never | 32 ++++ ... 
pwquality-system-el7-auth_default_params} | 2 +- ...=> pwquality-system-el7-auth_oath_enabled} | 2 +- ...quality-system-el7-auth_sssd_no_tty_audit} | 2 +- ...m-el7-auth_sssd_openshift_multi_tty_audit} | 2 +- ...tem-el7-auth_sssd_user_specified_centrify} | 2 +- ...quality-system-el7-auth_unlock_time_never} | 2 +- .../pwquality-system-el8-auth_default_params | 41 +++++ .../pwquality-system-el8-auth_oath_enabled | 45 +++++ ...wquality-system-el8-auth_sssd_no_tty_audit | 44 +++++ ...em-el8-auth_sssd_openshift_multi_tty_audit | 49 ++++++ ...stem-el8-auth_sssd_user_specified_centrify | 54 ++++++ ...wquality-system-el8-auth_unlock_time_never | 41 +++++ templates/etc/pam.d/auth.epp | 78 ++++++--- templates/etc/security/faillock.conf.epp | 22 +-- templates/etc/security/pwhistory.conf.epp | 19 +++ templates/etc/security/pwquality.conf.epp | 46 +++--- 114 files changed, 2447 insertions(+), 155 deletions(-) create mode 100644 spec/expected/auth_spec/cracklib-el7-password-separator-0 create mode 100644 spec/expected/auth_spec/cracklib-el7-password-separator-1 create mode 100644 spec/expected/auth_spec/cracklib-el7-password-separator-2 create mode 100644 spec/expected/auth_spec/cracklib-el7-password-separator-false rename spec/expected/auth_spec/{cracklib-password-separator-0 => cracklib-el8-password-separator-0} (100%) rename spec/expected/auth_spec/{cracklib-password-auth_default_params => cracklib-el8-password-separator-1} (100%) rename spec/expected/auth_spec/{cracklib-password-separator-2 => cracklib-el8-password-separator-2} (100%) rename spec/expected/auth_spec/{cracklib-password-separator-false => cracklib-el8-password-separator-false} (100%) rename spec/expected/auth_spec/{cracklib-fingerprint-auth_custom_content => cracklib-fingerprint-el7-auth_custom_content} (100%) rename spec/expected/auth_spec/{cracklib-fingerprint-auth_default_params => cracklib-fingerprint-el7-auth_default_params} (100%) rename spec/expected/auth_spec/{cracklib-fingerprint-auth_sssd_no_tty_audit 
=> cracklib-fingerprint-el7-auth_sssd_no_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-fingerprint-auth_sssd_openshift_multi_tty_audit => cracklib-fingerprint-el7-auth_sssd_openshift_multi_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-fingerprint-auth_unlock_time_never => cracklib-fingerprint-el7-auth_unlock_time_never} (100%) rename spec/expected/auth_spec/{pwquality-fingerprint-auth_custom_content => cracklib-fingerprint-el8-auth_custom_content} (100%) rename spec/expected/auth_spec/{pwquality-fingerprint-auth_default_params => cracklib-fingerprint-el8-auth_default_params } (100%) rename spec/expected/auth_spec/{pwquality-fingerprint-auth_sssd_no_tty_audit => cracklib-fingerprint-el8-auth_sssd_no_tty_audit} (100%) rename spec/expected/auth_spec/{pwquality-fingerprint-auth_sssd_openshift_multi_tty_audit => cracklib-fingerprint-el8-auth_sssd_openshift_multi_tty_audit} (100%) rename spec/expected/auth_spec/{pwquality-fingerprint-auth_unlock_time_never => cracklib-fingerprint-el8-auth_unlock_time_never} (100%) create mode 100644 spec/expected/auth_spec/cracklib-password-el7-auth_default_params create mode 100644 spec/expected/auth_spec/cracklib-password-el7-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/cracklib-password-el7-auth_sssd_openshift_multi_tty_audit create mode 100644 spec/expected/auth_spec/cracklib-password-el7-auth_unlock_time_never rename spec/expected/auth_spec/{cracklib-password-separator-1 => cracklib-password-el8-auth_default_params} (100%) rename spec/expected/auth_spec/{cracklib-password-auth_sssd_no_tty_audit => cracklib-password-el8-auth_sssd_no_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-password-auth_sssd_openshift_multi_tty_audit => cracklib-password-el8-auth_sssd_openshift_multi_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-password-auth_unlock_time_never => cracklib-password-el8-auth_unlock_time_never} (100%) rename 
spec/expected/auth_spec/{cracklib-smartcard-auth_custom_content => cracklib-smartcard-el7-auth_custom_content} (100%) rename spec/expected/auth_spec/{cracklib-smartcard-auth_default_params => cracklib-smartcard-el7-auth_default_params} (100%) rename spec/expected/auth_spec/{cracklib-smartcard-auth_sssd_no_tty_audit => cracklib-smartcard-el7-auth_sssd_no_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-smartcard-auth_sssd_openshift_multi_tty_audit => cracklib-smartcard-el7-auth_sssd_openshift_multi_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-smartcard-auth_unlock_time_never => cracklib-smartcard-el7-auth_unlock_time_never} (100%) rename spec/expected/auth_spec/{pwquality-smartcard-auth_custom_content => cracklib-smartcard-el8-auth_custom_content} (100%) rename spec/expected/auth_spec/{pwquality-smartcard-auth_default_params => cracklib-smartcard-el8-auth_default_params} (100%) rename spec/expected/auth_spec/{pwquality-smartcard-auth_sssd_no_tty_audit => cracklib-smartcard-el8-auth_sssd_no_tty_audit} (100%) rename spec/expected/auth_spec/{pwquality-smartcard-auth_sssd_openshift_multi_tty_audit => cracklib-smartcard-el8-auth_sssd_openshift_multi_tty_audit} (100%) rename spec/expected/auth_spec/{pwquality-smartcard-auth_unlock_time_never => cracklib-smartcard-el8-auth_unlock_time_never} (100%) create mode 100644 spec/expected/auth_spec/cracklib-system-el7-auth_default_params create mode 100644 spec/expected/auth_spec/cracklib-system-el7-auth_oath_enabled create mode 100644 spec/expected/auth_spec/cracklib-system-el7-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/cracklib-system-el7-auth_sssd_openshift_multi_tty_audit create mode 100644 spec/expected/auth_spec/cracklib-system-el7-auth_unlock_time_never rename spec/expected/auth_spec/{cracklib-system-auth_default_params => cracklib-system-el8-auth_default_params} (100%) rename spec/expected/auth_spec/{cracklib-system-auth_oath_enabled => cracklib-system-el8-auth_oath_enabled} 
(100%) rename spec/expected/auth_spec/{cracklib-system-auth_sssd_no_tty_audit => cracklib-system-el8-auth_sssd_no_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-system-auth_sssd_openshift_multi_tty_audit => cracklib-system-el8-auth_sssd_openshift_multi_tty_audit} (100%) rename spec/expected/auth_spec/{cracklib-system-auth_unlock_time_never => cracklib-system-el8-auth_unlock_time_never} (100%) rename spec/expected/auth_spec/{pwquality-password-separator-0 => pwquality-el7-password-separator-0} (97%) rename spec/expected/auth_spec/{pwquality-password-auth_default_params => pwquality-el7-password-separator-1} (97%) rename spec/expected/auth_spec/{pwquality-password-separator-2 => pwquality-el7-password-separator-2} (97%) rename spec/expected/auth_spec/{pwquality-password-separator-false => pwquality-el7-password-separator-false} (97%) create mode 100644 spec/expected/auth_spec/pwquality-el8-password-separator-0 create mode 100644 spec/expected/auth_spec/pwquality-el8-password-separator-1 create mode 100644 spec/expected/auth_spec/pwquality-el8-password-separator-2 create mode 100644 spec/expected/auth_spec/pwquality-el8-password-separator-false create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el7-auth_custom_content create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el7-auth_default_params create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_openshift_multi_tty_audit rename spec/expected/auth_spec/{pwquality-fingerprint-auth_sssd_user_specified_centrify => pwquality-fingerprint-el7-auth_sssd_user_specified_centrify} (100%) create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el7-auth_unlock_time_never create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el8-auth_custom_content create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el8-auth_default_params create mode 100644 
spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_openshift_multi_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_user_specified_centrify create mode 100644 spec/expected/auth_spec/pwquality-fingerprint-el8-auth_unlock_time_never rename spec/expected/auth_spec/{pwquality-system-auth_default_params => pwquality-password-el7-auth_default_params} (97%) rename spec/expected/auth_spec/{pwquality-system-auth_sssd_no_tty_audit => pwquality-password-el7-auth_sssd_no_tty_audit} (97%) rename spec/expected/auth_spec/{pwquality-system-auth_sssd_openshift_multi_tty_audit => pwquality-password-el7-auth_sssd_openshift_multi_tty_audit} (98%) rename spec/expected/auth_spec/{pwquality-system-auth_sssd_user_specified_centrify => pwquality-password-el7-auth_sssd_user_specified_centrify} (98%) rename spec/expected/auth_spec/{pwquality-system-auth_unlock_time_never => pwquality-password-el7-auth_unlock_time_never} (97%) create mode 100644 spec/expected/auth_spec/pwquality-password-el8-auth_default_params create mode 100644 spec/expected/auth_spec/pwquality-password-el8-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-password-el8-auth_sssd_openshift_multi_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-password-el8-auth_sssd_user_specified_centrify create mode 100644 spec/expected/auth_spec/pwquality-password-el8-auth_unlock_time_never create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el7-auth_custom_content create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el7-auth_default_params create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_openshift_multi_tty_audit rename spec/expected/auth_spec/{pwquality-smartcard-auth_sssd_user_specified_centrify => 
pwquality-smartcard-el7-auth_sssd_user_specified_centrify} (100%) create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el7-auth_unlock_time_never create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el8-auth_custom_content create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el8-auth_default_params create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_openshift_multi_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_user_specified_centrify create mode 100644 spec/expected/auth_spec/pwquality-smartcard-el8-auth_unlock_time_never rename spec/expected/auth_spec/{pwquality-password-separator-1 => pwquality-system-el7-auth_default_params} (97%) rename spec/expected/auth_spec/{pwquality-system-auth_oath_enabled => pwquality-system-el7-auth_oath_enabled} (97%) rename spec/expected/auth_spec/{pwquality-password-auth_sssd_no_tty_audit => pwquality-system-el7-auth_sssd_no_tty_audit} (97%) rename spec/expected/auth_spec/{pwquality-password-auth_sssd_openshift_multi_tty_audit => pwquality-system-el7-auth_sssd_openshift_multi_tty_audit} (98%) rename spec/expected/auth_spec/{pwquality-password-auth_sssd_user_specified_centrify => pwquality-system-el7-auth_sssd_user_specified_centrify} (98%) rename spec/expected/auth_spec/{pwquality-password-auth_unlock_time_never => pwquality-system-el7-auth_unlock_time_never} (97%) create mode 100644 spec/expected/auth_spec/pwquality-system-el8-auth_default_params create mode 100644 spec/expected/auth_spec/pwquality-system-el8-auth_oath_enabled create mode 100644 spec/expected/auth_spec/pwquality-system-el8-auth_sssd_no_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-system-el8-auth_sssd_openshift_multi_tty_audit create mode 100644 spec/expected/auth_spec/pwquality-system-el8-auth_sssd_user_specified_centrify create mode 100644 
spec/expected/auth_spec/pwquality-system-el8-auth_unlock_time_never create mode 100644 templates/etc/security/pwhistory.conf.epp diff --git a/CHANGELOG b/CHANGELOG index ece3b4e..3e4ae8b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,4 +1,8 @@ +* Wed Jan 31 2024 Mike Riddle - 7.0.0 +- Added functionality to control /etc/security/pwhistory.conf +- Fixed logic that would cause certain functionality to break on Amazon Linux 2022 and above + * Mon Jan 29 2024 Mike Riddle - 6.16.0 - Added functionality to control /etc/security/faillock.conf diff --git a/README.md b/README.md index 8c0e996..5b21837 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,9 @@ * [Restricting Resource Usage (pam_limits)](#restricting-resource-usage-pam_limits) * [Restricting ``su`` to the ``wheel`` Group](#restricting-su-to-the-wheel-group) * [Managing /etc/security/faillock.conf](#managing-etcsecurityfaillockconf) - * [/etc/security_faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters) + * [/etc/security/faillock.conf Example With All Parameters](#etcsecurityfaillockconf-hieradata-example-with-all-parameters) + * [Managing /etc/security/pwhistory.conf](#managing-etcsecuritypwhistoryconf) + * [/etc/security/pwhistory.conf Example With All Parameters](#etcsecuritypwhistoryconf-hieradata-example-with-all-parameters) * [Development](#development) * [Acceptance tests](#acceptance-tests) @@ -205,7 +207,7 @@ You can change the target group by updating the value of ### Managing /etc/security/faillock.conf -To manage faillock with ``/etc/security/faillock.conf`` instead of inline parameters in the auth files set the following in hieradata: +To manage faillock with ``/etc/security/faillock.conf`` set the following in hieradata: ```yaml pam::manage_faillock_conf: true 
@@ -213,20 +215,21 @@ pam::manage_faillock_conf: true A couple of things to note here are: +- This feature will only work on systems running EL 8 (or equivalent) and above. - ``pam::faillock`` must still be true for faillock to work appropriately - By default, /etc/security/faillock.conf will be empty except for a comment saying the file is managed by puppet. To set content in the file, the following parameters are available: - - ``pam::faillock_dir`` + - ``pam::faillock_log_dir`` - ``pam::faillock_audit`` - - ``pam::faillock_silent`` + - ``pam::display_account_lock`` - ``pam::faillock_no_log_info`` - ``pam::faillock_local_users_only`` - ``pam::faillock_nodelay`` - - ``pam::faillock_deny`` - - ``pam::faillock_fail_interval`` - - ``pam::faillock_unlock_time`` - - ``pam::faillock_even_deny_root`` - - ``pam::faillock_root_unlock_time`` + - ``pam::deny`` + - ``pam::fail_interval`` + - ``pam::unlock_time`` + - ``pam::even_deny_root`` + - ``pam::root_unlock_time`` - ``pam::faillock_admin_group`` #### /etc/security/faillock.conf Hieradata Example With All Parameters 
@@ -234,20 +237,45 @@ A couple of things to note here are: ```yaml pam::faillock: true pam::manage_faillock_conf: true -pam::faillock_dir: '/var/log/faillock' +pam::faillock_log_dir: '/var/log/faillock' pam::faillock_audit: true -pam::faillock_silent: true +pam::display_account_lock: true pam::faillock_no_log_info: false pam::faillock_local_users_only: false pam::faillock_nodelay: false -pam::faillock_deny: 5 -pam::faillock_fail_interval: 900 -pam::faillock_unlock_time: 900 -pam::faillock_even_deny_root: true -pam::faillock_root_unlock_time: 60 +pam::deny: 5 +pam::fail_interval: 900 +pam::unlock_time: 900 +pam::even_deny_root: true +pam::root_unlock_time: 60 pam::faillock_admin_group: 'wheel' ``` +### Managing /etc/security/pwhistory.conf + +To manage pwhistory with ``/etc/security/pwhistory.conf`` set the following in hieradata: + +```yaml +pam::manage_pwhistory_conf: true +``` + +A couple of things to note here are: + +- This feature will only work on systems running EL 8 (or equivalent) and above. +- This feature replaced management of /etc/security/opasswd in the SIMP Useradd module as of version 7.0.0 and will conflict with any version of useradd older than 1.0.0. + - The parameter to control where password history is set is ``pam::remember_file`` + +#### /etc/security/pwhistory.conf Hieradata Example With All Parameters + +```yaml +pam::manage_pwhistory_conf: true +pam::remember: 32 +pam::remember_retry: 3 +pam::remember_file: '/etc/security/opasswd' +pam::remember_debug: true +pam::remember_for_root: true +``` + ## Development Please read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/Contribution_Procedure.html) diff --git a/REFERENCE.md b/REFERENCE.md index 2d12171..abca253 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -68,9 +68,12 @@ The following parameters are available in the `pam` class: * [`display_account_lock`](#-pam--display_account_lock) * [`fail_interval`](#-pam--fail_interval) * [`homedir_umask`](#-pam--homedir_umask) +* [`manage_pwhistory_conf`](#-pam--manage_pwhistory_conf) * [`remember`](#-pam--remember) * [`remember_retry`](#-pam--remember_retry) * [`remember_for_root`](#-pam--remember_for_root) +* [`remember_file`](#-pam--remember_file) +* [`remember_debug`](#-pam--remember_debug) * [`even_deny_root`](#-pam--even_deny_root) * [`root_unlock_time`](#-pam--root_unlock_time) * [`hash_algorithm`](#-pam--hash_algorithm) @@ -370,11 +373,21 @@ Sets the file mode creation mask of the user home directories Default value: `'0077'` +##### `manage_pwhistory_conf` + +Data type: `Boolean` + +If true, password history settings will be managed inside of +/etc/security/pwhistory.conf instead of inline in the pam auth files. +This parameter will be ignored if the host is EL 7. + +Default value: `false` + ##### `remember` Data type: `Integer[0]` -The last N passwords for each user are saved in ``/etc/security/opasswd`` +The last N passwords for each user are saved in ``$remember_file`` in order to force password change history and keep the user from alternating between the same password too frequently @@ -392,10 +405,26 @@ Default value: `1` Data type: `Boolean` -Remember the last ``$remember`` passwords for the root user +Remember the last ``$remember`` passwords for the root user. Default value: `true` +##### `remember_file` + +Data type: `StdLib::Absolutepath` + +The location for user's remembered passwords to be saved. + +Default value: `'/etc/security/opasswd'` + +##### `remember_debug` + +Data type: `Boolean` + +If true, turn on debugging for pwhistory to syslog. + +Default value: `false` + ##### `even_deny_root` Data type: `Boolean` 
@@ -1076,9 +1105,12 @@ The following parameters are available in the `pam::auth` defined type: * [`faillock_log_dir`](#-pam--auth--faillock_log_dir) * [`display_account_lock`](#-pam--auth--display_account_lock) * [`fail_interval`](#-pam--auth--fail_interval) +* [`manage_pwhistory_conf`](#-pam--auth--manage_pwhistory_conf) +* [`remember_debug`](#-pam--auth--remember_debug) * [`remember`](#-pam--auth--remember) * [`remember_retry`](#-pam--auth--remember_retry) * [`remember_for_root`](#-pam--auth--remember_for_root) +* [`remember_file`](#-pam--auth--remember_file) * [`even_deny_root`](#-pam--auth--even_deny_root) * [`root_unlock_time`](#-pam--auth--root_unlock_time) * [`hash_algorithm`](#-pam--auth--hash_algorithm) @@ -1334,6 +1366,22 @@ Data type: `Integer[0]` Default value: `$pam::fail_interval` +##### `manage_pwhistory_conf` + +Data type: `Boolean` + + + +Default value: `$pam::manage_pwhistory_conf` + +##### `remember_debug` + +Data type: `Boolean` + + + +Default value: `$pam::remember_debug` + ##### `remember` Data type: `Integer[0]` @@ -1358,6 +1406,14 @@ Data type: `Boolean` Default value: `$pam::remember_for_root` +##### `remember_file` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `$pam::remember_file` + ##### `even_deny_root` Data type: `Boolean` diff --git a/manifests/auth.pp b/manifests/auth.pp index ce0c1a8..59ba31f 100644 --- a/manifests/auth.pp +++ b/manifests/auth.pp @@ -36,9 +36,12 @@ # @param faillock_log_dir # @param display_account_lock # @param fail_interval +# @param manage_pwhistory_conf +# @param remember_debug # @param remember # @param remember_retry # @param remember_for_root +# @param remember_file # @param even_deny_root # @param root_unlock_time # @param hash_algorithm 
@@ -85,9 +88,12 @@ Optional[String] $faillock_admin_group = $pam::faillock_admin_group, Boolean $display_account_lock = $pam::display_account_lock, Integer[0] $fail_interval = $pam::fail_interval, + Boolean $manage_pwhistory_conf = $pam::manage_pwhistory_conf, + Boolean $remember_debug = $pam::remember_debug, Integer[0] $remember = $pam::remember, Integer[0] $remember_retry = $pam::remember_retry, Boolean $remember_for_root = $pam::remember_for_root, + Stdlib::Absolutepath $remember_file = $pam::remember_file, Boolean $even_deny_root = $pam::even_deny_root, Integer[0] $root_unlock_time = $pam::root_unlock_time, Pam::HashAlgorithm $hash_algorithm = $pam::hash_algorithm, 
@@ -150,14 +156,30 @@ $_content = $_top_var } else { + if ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) or + ($facts['os']['name'] == 'Amazon') and Integer(($facts['os']['release']['major']) < 2022) { + $_cracklib_retry = $cracklib_retry + $_cracklib_enforce_for_root = $cracklib_enforce_for_root + $_cracklib_reject_username = $cracklib_reject_username + # faillock.conf and pwhistory.conf don't exist in el 7 and Amazon Linux 2 + $_manage_faillock_conf = false + $_manage_pwhistory_conf = false + } else { + $_manage_faillock_conf = $manage_faillock_conf + $_manage_pwhistory_conf = $manage_pwhistory_conf + # retry, enforce_for_root, and reject_username will be enforced via pwquality.conf in el8 and Amazon Linux 2022 and higher + $_cracklib_retry = false + $_cracklib_enforce_for_root = false + $_cracklib_reject_username = false + } $_content = epp("${module_name}/etc/pam.d/auth.epp", { name => $name, password_check_backend => $password_check_backend, locale_file => $locale_file, auth_content_pre => $auth_content_pre, - manage_faillock_conf => $manage_faillock_conf, - cracklib_enforce_for_root => $cracklib_enforce_for_root, - cracklib_reject_username => $cracklib_reject_username, + manage_faillock_conf => $_manage_faillock_conf, + cracklib_enforce_for_root => $_cracklib_enforce_for_root, + cracklib_reject_username => $_cracklib_reject_username, cracklib_difok => $cracklib_difok, cracklib_maxrepeat => $cracklib_maxrepeat, cracklib_maxsequence => $cracklib_maxsequence, @@ -169,7 +191,7 @@ cracklib_ocredit => $cracklib_ocredit, cracklib_minclass => $cracklib_minclass, cracklib_minlen => $cracklib_minlen, - cracklib_retry => $cracklib_retry, + cracklib_retry => $_cracklib_retry, deny => $deny, faillock => $faillock, faillock_log_dir => $faillock_log_dir, 
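Review bot: The Amazon Linux clause of the new platform check is mis-parenthesised: `Integer(($facts['os']['release']['major']) < 2022)` compares the string-valued fact with an Integer (which Puppet rejects) and then casts the boolean, whereas manifests/config.pp in this same patch writes `Integer($facts['os']['release']['major']) < 2022`; because `and` short-circuits, the failure only surfaces on Amazon Linux 2022+, the platform the changelog says this fixes. The corrected line is `($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022) {`. Separately, the else branch forces `cracklib_enforce_for_root` and `cracklib_reject_username` to false on every EL8+/AL2022+ host on the assumption they are enforced via pwquality.conf, but config.pp only renders pwquality.conf when `password_check_backend` is 'pwquality', so with the cracklib backend on those releases (a combination the `cracklib-el8-*` fixtures in this patch still exercise) the root-enforcement and username checks appear to be emitted nowhere; gating the delegation on the backend, as below, keeps them inline for other backends. The `epp()` argument list continues past this hunk.
```puppet
} else {
  $_manage_faillock_conf  = $manage_faillock_conf
  $_manage_pwhistory_conf = $manage_pwhistory_conf
  if $password_check_backend == 'pwquality' {
    # retry, enforce_for_root and reject_username are rendered into
    # pwquality.conf by pam::config on EL8+ / Amazon Linux 2022+
    $_cracklib_retry            = false
    $_cracklib_enforce_for_root = false
    $_cracklib_reject_username  = false
  } else {
    # no pwquality.conf is written for other backends; keep them inline
    $_cracklib_retry            = $cracklib_retry
    $_cracklib_enforce_for_root = $cracklib_enforce_for_root
    $_cracklib_reject_username  = $cracklib_reject_username
  }
}
# … unchanged: epp() call …
```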
@@ -180,9 +202,12 @@ faillock_admin_group => $faillock_admin_group, display_account_lock => $display_account_lock, fail_interval => $fail_interval, + manage_pwhistory_conf => $_manage_pwhistory_conf, + remember_debug => $remember_debug, remember => $remember, remember_retry => $remember_retry, remember_for_root => $remember_for_root, + remember_file => $remember_file, even_deny_root => $even_deny_root, root_unlock_time => $root_unlock_time, hash_algorithm => $hash_algorithm, diff --git a/manifests/config.pp b/manifests/config.pp index 0f48fff..a287987 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
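Review bot: `remember_file => $remember_file` passes a per-define path into the auth template, but the only place the history file is created as root:root 0600 with `shadow_t` is the `file { $pam::remember_file: ... }` resource in manifests/config.pp of this same patch, and the single /etc/security/pwhistory.conf is likewise rendered from `$pam::remember_file`; a `pam::auth` instance that overrides `remember_file` therefore presumably points pam_pwhistory at a path nothing manages and, when `manage_pwhistory_conf` is set, may disagree with the config file. I'd say so on the parameter, e.g. `# @param remember_file` / `#   Path of the pam_pwhistory history file; per-instance overrides are not hardened by pam::config and should match $pam::remember_file when manage_pwhistory_conf is true.` The `epp()` argument list started before this hunk.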
@@ -24,27 +24,54 @@ } if ($pam::password_check_backend == 'pwquality') { + # The 'retry' option was introduced in RHEL 8.4 and Amazon Linux 2022, set it to false if + # lower than those versions so it doesn't get included + if ($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022) or + ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) or + # CentOS Streams doesn't provide a minor version number: + (Integer($facts['os']['release']['major']) == 8 and + $facts['os']['release']['minor'] and Integer($facts['os']['release']['minor']) < 4) { + $_cracklib_retry = false + } else { + $_cracklib_retry = $pam::cracklib_retry + } + + # The dictcheck, enforce_for_root, and reject_username options were introduced to the pwquality.conf file in RHEL 8 and Amazon 2022, + # Set them to false if less than those versions. + if ($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022) or + ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) { + $_cracklib_enforce_for_root = false + $_cracklib_reject_username = false + $_dictcheck = false + } else { + $_cracklib_enforce_for_root = $pam::cracklib_enforce_for_root + $_cracklib_reject_username = $pam::cracklib_reject_username + $_dictcheck = $pam::dictcheck + } + file { '/etc/security/pwquality.conf': ensure => 'file', owner => 'root', group => 'root', mode => '0644', content => epp("${module_name}/etc/security/pwquality.conf.epp", { - difok => $pam::cracklib_difok, - maxrepeat => $pam::cracklib_maxrepeat, - maxsequence => $pam::cracklib_maxsequence, - maxclassrepeat => $pam::cracklib_maxclassrepeat, - gecoscheck => $pam::cracklib_gecoscheck, - dcredit => $pam::cracklib_dcredit, - ucredit => $pam::cracklib_ucredit, - lcredit => $pam::cracklib_lcredit, - ocredit => $pam::cracklib_ocredit, - minclass => $pam::cracklib_minclass, - minlen => $pam::cracklib_minlen, - retry => $pam::cracklib_retry, - badwords => 
$pam::cracklib_badwords, - dictpath => $pam::cracklib_dictpath, - dictcheck => $pam::dictcheck + difok => $pam::cracklib_difok, + maxrepeat => $pam::cracklib_maxrepeat, + maxsequence => $pam::cracklib_maxsequence, + maxclassrepeat => $pam::cracklib_maxclassrepeat, + gecoscheck => $pam::cracklib_gecoscheck, + dcredit => $pam::cracklib_dcredit, + ucredit => $pam::cracklib_ucredit, + lcredit => $pam::cracklib_lcredit, + ocredit => $pam::cracklib_ocredit, + minclass => $pam::cracklib_minclass, + minlen => $pam::cracklib_minlen, + retry => $_cracklib_retry, + enforce_for_root => $_cracklib_enforce_for_root, + reject_username => $_cracklib_reject_username, + badwords => $pam::cracklib_badwords, + dictpath => $pam::cracklib_dictpath, + dictcheck => $_dictcheck }), } @@ -95,7 +122,9 @@ ; } - if ($facts['os']['release']['major'] <= '7') and ($pam::disable_authconfig == true) { + if (($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) or + ($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022)) and + ($pam::disable_authconfig == true) { # Replace authconfig and authconfig-tui with a no-op script # so that those tools can't be used to modify PAM. file { '/usr/local/sbin/simp_authconfig.sh': 
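Review bot: The CentOS-Stream/minor-version clause of the new `retry` check, `(Integer($facts['os']['release']['major']) == 8 and $facts['os']['release']['minor'] and Integer($facts['os']['release']['minor']) < 4)`, is the only one of the three without an `os.family`/`os.name` guard, so any non-RedHat release reporting 8.0–8.3 would also lose `retry`; prefixing it with `$facts['os']['family'] == 'RedHat' and` keeps it symmetric with the two clauses above it. Note also that on EL 8.0–8.3 with the pwquality backend this hunk omits `retry` from pwquality.conf while the matching change in manifests/auth.pp forces the inline `cracklib_retry` to false on every EL8+ host, so unless the template restores it, `retry` is configured nowhere on those releases and pam_pwquality falls back to its built-in default. The enclosing `if ($pam::password_check_backend == 'pwquality')` block starts before this hunk.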
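Review bot: This is the third copy of the "EL < 8 or Amazon Linux < 2022" predicate in the patch (the hunk above and manifests/auth.pp carry the other two), and the auth.pp copy has already drifted from this one, which is how platform-boundary bugs creep in. Computing it once, e.g. `$_legacy_pam = ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) < 8) or ($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022)` near the top of pam::config (or as a custom fact) and testing `if $_legacy_pam and $pam::disable_authconfig {` here would keep the definition in one place. The `file { '/usr/local/sbin/simp_authconfig.sh'` resource continues past this hunk.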
@@ -116,40 +145,72 @@ } } - # EL 7 doesn't utilize faillock.conf and will break if used - if ($facts['os']['family'] == 'RedHat') and ($facts['os']['release']['major'] > '7') and ($pam::manage_faillock_conf) { - if ($pam::faillock_log_dir) { - file { $pam::faillock_log_dir: - ensure => 'directory', - owner => 'root', - group => 'root', - mode => '0750', - seluser => 'system_u', - selrole => 'object_r', - seltype => 'faillog_t', - selrange => 's0', + if ($pam::faillock_log_dir) { + file { $pam::faillock_log_dir: + ensure => 'directory', + owner => 'root', + group => 'root', + mode => '0750', + seluser => 'system_u', + selrole => 'object_r', + seltype => 'faillog_t', + selrange => 's0', + } + } + + if ($pam::remember_file) { + file { $pam::remember_file: + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0600', + seluser => 'system_u', + selrole => 'object_r', + seltype => 'shadow_t', + selrange => 's0', + } + } + + # EL 7 and Amazon Linux 2 don't utilize faillock.conf and pwhistory.conf, it will break if used + if ($facts['os']['family'] == 'RedHat' and Integer($facts['os']['release']['major']) > 7) or + (($facts['os']['name'] == 'Amazon') and Integer($facts['os']['release']['major']) >= 2022) { + if ($pam::manage_faillock_conf) { + file { '/etc/security/faillock.conf': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + content => epp("${module_name}/etc/security/faillock.conf.epp", { + dir => $pam::faillock_log_dir, + audit => $pam::faillock_audit, + silent => !$pam::display_account_lock, + no_log_info => $pam::faillock_no_log_info, + local_users_only => $pam::faillock_local_users_only, + nodelay => $pam::faillock_nodelay, + deny => $pam::deny, + fail_interval => $pam::fail_interval, + unlock_time => $pam::unlock_time, + even_deny_root => $pam::even_deny_root, + root_unlock_time => $pam::root_unlock_time, + admin_group => $pam::faillock_admin_group + }), } } - file { '/etc/security/faillock.conf': - ensure => 'file', - 
owner => 'root', - group => 'root', - mode => '0644', - content => epp("${module_name}/etc/security/faillock.conf.epp", { - dir => $pam::faillock_log_dir, - audit => $pam::faillock_audit, - silent => !$pam::display_account_lock, - no_log_info => $pam::faillock_no_log_info, - local_users_only => $pam::faillock_local_users_only, - nodelay => $pam::faillock_nodelay, - deny => $pam::deny, - fail_interval => $pam::fail_interval, - unlock_time => $pam::unlock_time, - even_deny_root => $pam::even_deny_root, - root_unlock_time => $pam::root_unlock_time, - admin_group => $pam::faillock_admin_group - }), + if ($pam::manage_pwhistory_conf) { + file { '/etc/security/pwhistory.conf': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0644', + content => epp("${module_name}/etc/security/pwhistory.conf.epp", { + debug => $pam::remember_debug, + enforce_for_root => $pam::remember_for_root, + remember => $pam::remember, + retry => $pam::remember_retry, + remember_file => $pam::remember_file, + }), + } } } diff --git a/manifests/init.pp b/manifests/init.pp index cab79ef..1ff6207 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -142,8 +142,13 @@ # @param homedir_umask # Sets the file mode creation mask of the user home directories # +# @param manage_pwhistory_conf +# If true, password history settings will be managed inside of +# /etc/security/pwhistory.conf instead of inline in the pam auth files. +# This parameter will be ignored if the host is EL 7. +# # @param remember -# The last N passwords for each user are saved in ``/etc/security/opasswd`` +# The last N passwords for each user are saved in ``$remember_file`` # in order to force password change history and keep the user from # alternating between the same password too frequently # 
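Review bot: `manage_pwhistory_conf` is honoured only inside the EL 8+/Amazon 2022+ gate, so on EL 7 or Amazon Linux 2 a user who sets it to true gets no pwhistory.conf; whether password-history enforcement survives on those hosts then depends on pam::auth keeping the inline `remember=`/`retry=`/`file=` options when the flag is true, and pam::auth is outside this hunk so I could not confirm it. The `with manage_pwhistory_conf=true` context added to init_spec.rb asserts only on the presence or absence of the file, so either behaviour would pass; an EL 7 assertion that `/etc/pam.d/password-auth` still matches `/pam_pwhistory.so use_authtok remember=24 retry=1 file=\/etc\/security\/opasswd/` would pin the intent. Separately, the `$pam::faillock_log_dir` directory is now created on every release rather than only where faillock.conf is managed; if that is deliberate for the inline `dir=` option, a one-line comment saying so would help. The enclosing class body continues outside the hunk.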
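Review bot: The new `@param manage_pwhistory_conf` text says the parameter is ignored on EL 7, but the gate in config.pp also skips Amazon Linux releases before 2022, and the text does not say what happens to the remember/retry/file settings on the hosts that are skipped. Suggest `This parameter is ignored on EL 7 and on Amazon Linux releases before 2022, which do not support pwhistory.conf; on those hosts the settings are applied inline in the pam auth files.` — the second clause should be checked against pam::auth, which is not in this hunk.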
@@ -151,7 +156,13 @@ # Allow this many retries # # @param remember_for_root -# Remember the last ``$remember`` passwords for the root user +# Remember the last ``$remember`` passwords for the root user. +# +# @param remember_file +# The location for user's remembered passwords to be saved. +# +# @param remember_debug +# If true, turn on debugging for pwhistory to syslog. # # @param even_deny_root # Enforce an account lockout for the ``root`` account. @@ -330,8 +341,11 @@ Boolean $oath = simplib::lookup('simp_options::oath', { 'default_value' => false }), Integer[0] $oath_window = 1, Simplib::Umask $homedir_umask = '0077', + Boolean $manage_pwhistory_conf = false, Integer[0] $remember = 24, Integer[0] $remember_retry = 1, + StdLib::Absolutepath $remember_file = '/etc/security/opasswd', + Boolean $remember_debug = false, Boolean $remember_for_root = true, Pam::HashAlgorithm $hash_algorithm = 'sha512', Integer[0] $rounds = 10000, diff --git a/metadata.json b/metadata.json index 2fe48fc..4f6b4aa 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-pam", - "version": "6.16.0", + "version": "7.0.0", "author": "SIMP Team", "summary": "A SIMP puppet module for managing pam", "license": "Apache-2.0", @@ -27,6 +27,10 @@ { "name": "simp/simplib", "version_requirement": ">= 4.9.0 < 5.0.0" + }, + { + "name": "simp/useradd", + "version_requirement": ">= 1.0.0 < 2.0.0" } ], "simp": { diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index c8f3750..b7f116f 100644 --- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb @@ -38,6 +38,8 @@ maxrepeat = 2 maxclassrepeat = 3 maxsequence = 4 + enforce_for_root + reject_username gecoscheck = 1 EOM } @@ -60,6 +62,8 @@ maxsequence = 4 retry = 3 dictcheck = 1 + enforce_for_root + reject_username gecoscheck = 1 EOM } 
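Review bot: `StdLib::Absolutepath $remember_file` capitalises the stdlib namespace differently from its conventional spelling `Stdlib::Absolutepath`; Puppet resolves type names case-insensitively, so this compiles, but the odd casing reads like a typo and will not be found by a grep for the usual form. Suggest `Stdlib::Absolutepath $remember_file = '/etc/security/opasswd',`. The parameter list continues outside the hunk.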
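Review bot: The new `simp/useradd` dependency is not referenced by any change visible in this patch and the commit message does not mention it, so a reader cannot tell which resource needs it, yet every consumer of the module now has to install it. If a class in this module now relies on `useradd`, please name it in the CHANGELOG entry or the PR description; if it was added speculatively, drop it from the requirement list.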
@@ -99,6 +103,31 @@ EOM } + let(:default_pwhistory_conf){ + <<~EOM + # This file is generated by Puppet + # Any changes made to it will be overwritten. + # + enforce_for_root + remember = 24 + retry = 1 + file = /etc/security/opasswd + EOM + } + + let(:all_params_pwhistory_conf){ + <<~EOM + # This file is generated by Puppet + # Any changes made to it will be overwritten. + # + debug + enforce_for_root + remember = 18 + retry = 3 + file = /etc/test/opasswd + EOM + } + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do @@ -190,7 +219,8 @@ ) } - if os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7' + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] < '2022') it { project_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', '..')) expected = IO.read(File.join(project_dir, 'files', 'simp_authconfig.sh')) @@ -398,7 +428,8 @@ let(:params){{ :manage_faillock_conf => true}} it {is_expected.to compile.with_all_deps} - if os_facts[:os][:release][:major] <= '7' + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022') it {is_expected.to_not contain_file('/etc/security/faillock.conf')} else it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( default_faillock_conf )} @@ -406,7 +437,7 @@ end context 'with managing faillock.conf with all non-default parameters' do - let(:params){{ + let(:params){{ :manage_faillock_conf => true, :faillock_log_dir => '/var/log/faillock', :faillock_audit => true, 
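Review bot: The Amazon branch of this condition expects no faillock.conf when `os_facts[:os][:release][:major] <= '2022'`, while config.pp treats Amazon major `>= 2022` as a faillock.conf platform, so an Amazon Linux 2022 fact set would make this spec expect the opposite of what the manifest produces; the same `<= '2022'` is repeated in the `@@ -423` hunk and in both new pwhistory.conf contexts. `< '2022'`, as the authconfig hunk above already uses, matches the manifest. These conditions also still compare the major version as strings (`<= '7'`), which classifies a future `'10'` as legacy; auth_spec.rb in this same patch switched to `Integer(os_facts[:os][:release][:major]) <= 7`, and using that form here too would keep the spec files consistent with the manifest's `Integer(...)` checks.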
@@ -423,12 +454,44 @@ }} it {is_expected.to compile.with_all_deps} - if os_facts[:os][:release][:major] <= '7' + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022') it {is_expected.to_not contain_file('/etc/security/faillock.conf')} else it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( all_params_faillock_conf )} end end + + context 'with managing pwhistory.conf with default parameters' do + let(:params){{ :manage_pwhistory_conf => true}} + + it {is_expected.to compile.with_all_deps} + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022') + it {is_expected.to_not contain_file('/etc/security/pwhistory.conf')} + else + it {is_expected.to contain_file('/etc/security/pwhistory.conf').with_content( default_pwhistory_conf )} + end + end + + context 'with managing pwhistory.conf with all parameters set' do + let(:params){{ + :manage_pwhistory_conf => true, + :remember_debug => true, + :remember_for_root => true, + :remember => 18, + :remember_retry => 3, + :remember_file => '/etc/test/opasswd' + }} + + it {is_expected.to compile.with_all_deps} + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022') + it {is_expected.to_not contain_file('/etc/security/pwhistory.conf')} + else + it {is_expected.to contain_file('/etc/security/pwhistory.conf').with_content( all_params_pwhistory_conf )} + end + end end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 5f30674..e5b1084 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -65,12 +65,40 @@ let(:params) {{ :manage_faillock_conf => true }} it { is_expected.to compile.with_all_deps } - if os_facts[:os][:release][:major] > '7' + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] > '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] >= '2022') it { is_expected.to contain_file('/etc/security/faillock.conf') } else it { is_expected.to_not contain_file('/etc/security/faillock.conf') } end end + + context 'with all possible pwhistory params set' do + let(:params) {{ + :manage_pwhistory_conf => false, + :remember_debug => true, + :remember => 18, + :remember_for_root => true, + :remember_retry => 3, + :remember_file => '/etc/test/opasswd' + }} + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_file('/etc/pam.d/password-auth').with_content(/password required pam_pwhistory.so use_authtok remember=18 retry=3 file=\/etc\/test\/opasswd debug enforce_for_root/) } + it { is_expected.to contain_file('/etc/pam.d/system-auth').with_content(/password required pam_pwhistory.so use_authtok remember=18 retry=3 file=\/etc\/test\/opasswd debug enforce_for_root/) } + end + + context 'with manage_pwhistory_conf=true' do + let(:params) {{ :manage_pwhistory_conf => true }} + + it { is_expected.to compile.with_all_deps } + if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] > '7') or + (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] >= '2022') + it { is_expected.to contain_file('/etc/security/pwhistory.conf') } + else + it { is_expected.to_not contain_file('/etc/security/pwhistory.conf') } + end + end end end end diff --git a/spec/defines/auth_spec.rb b/spec/defines/auth_spec.rb index 2f29840..26fb3fb 100644 --- a/spec/defines/auth_spec.rb +++ b/spec/defines/auth_spec.rb 
@@ -45,8 +45,15 @@ def get_expected(filename) context "auth type '#{auth_type}'" do let(:pw_backend) { 'pwquality' } let(:title){ auth_type } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } let(:filename){ "/etc/pam.d/#{auth_type}-auth" } - let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-auth_default_params") } + let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-#{el_version}-auth_default_params") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } @@ -94,8 +101,15 @@ def get_expected(filename) context "auth type '#{auth_type}'" do let(:pw_backend) { 'pwquality' } let(:title){ auth_type } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } let(:filename){ "/etc/pam.d/#{auth_type}-auth" } - let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-auth_unlock_time_never") } + let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-#{el_version}-auth_unlock_time_never") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } @@ -187,8 +201,15 @@ def get_expected(filename) context "auth type '#{auth_type}'" do let(:pw_backend) { 'pwquality' } let(:title){ auth_type } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } let(:filename){ "/etc/pam.d/#{auth_type}-auth" } - let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-auth_sssd_no_tty_audit") } + let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-#{el_version}-auth_sssd_no_tty_audit") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } 
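Review bot: The `let(:el_version)` block is pasted verbatim into eight contexts in this file (this hunk and every one that follows, through the `auth_oath_enabled` context); one definition in the context that supplies `os_facts`, or a helper next to `get_expected` such as `def el_version(os_facts); Integer(os_facts[:os][:release][:major]) <= 7 ? 'el7' : 'el8'; end`, would remove the duplication. The mapping also folds every major above 7 — EL 9 and Amazon Linux 2022 and later, for example — onto the `el8` fixtures, which is fine only while those fixtures stay identical; a short comment stating that assumption would save the next reader from wondering whether `el9` fixtures are missing. The enclosing `context` and the `get_expected` helper start outside the hunk.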
@@ -207,8 +228,15 @@ def get_expected(filename) context "auth type '#{auth_type}'" do let(:pw_backend) { 'pwquality' } let(:title){ auth_type } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } let(:filename){ "/etc/pam.d/#{auth_type}-auth" } - let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-auth_sssd_openshift_multi_tty_audit") } + let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-#{el_version}-auth_sssd_openshift_multi_tty_audit") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } @@ -233,8 +261,15 @@ def get_expected(filename) context "auth type '#{auth_type}'" do let(:pw_backend) { 'pwquality' } let(:title){ auth_type } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } let(:filename){ "/etc/pam.d/#{auth_type}-auth" } - let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-auth_sssd_user_specified_centrify") } + let(:file_content) { get_expected("#{pw_backend}-#{auth_type}-#{el_version}-auth_sssd_user_specified_centrify") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } @@ -254,7 +289,14 @@ def get_expected(filename) let(:pw_backend) { 'pwquality' } let(:title){ 'password' } let(:filename){ "/etc/pam.d/password-auth" } - let(:file_content) { get_expected("#{pw_backend}-password-separator-#{index}") } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } + let(:file_content) { get_expected("#{pw_backend}-#{el_version}-password-separator-#{index}") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } 
@@ -269,7 +311,14 @@ def get_expected(filename) let(:pw_backend) { 'pwquality' } let(:title){ 'password' } let(:filename){ "/etc/pam.d/password-auth" } - let(:file_content) { get_expected("#{pw_backend}-password-separator-false") } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } + let(:file_content) { get_expected("#{pw_backend}-#{el_version}-password-separator-false") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } @@ -282,7 +331,14 @@ def get_expected(filename) let(:pw_backend) { 'pwquality' } let(:title){ 'system' } let(:filename){ "/etc/pam.d/system-auth" } - let(:file_content) { get_expected("#{pw_backend}-system-auth_oath_enabled") } + let(:el_version){ + if Integer(os_facts[:os][:release][:major]) <= 7 + 'el7' + else + 'el8' + end + } + let(:file_content) { get_expected("#{pw_backend}-system-#{el_version}-auth_oath_enabled") } it_should_behave_like "a pam.d config file generator" it { is_expected.to contain_file(filename).with_content(file_content) } diff --git a/spec/expected/auth_spec/cracklib-el7-password-separator-0 b/spec/expected/auth_spec/cracklib-el7-password-separator-0 new file mode 100644 index 0000000..bae1e35 --- /dev/null +++ b/spec/expected/auth_spec/cracklib-el7-password-separator-0 
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=! nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=! nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-el7-password-separator-1 b/spec/expected/auth_spec/cracklib-el7-password-separator-1
new file mode 100644
index 0000000..cb021e6
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-el7-password-separator-1
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-el7-password-separator-2 b/spec/expected/auth_spec/cracklib-el7-password-separator-2
new file mode 100644
index 0000000..69e7fb5
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-el7-password-separator-2
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=@ nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=@ nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-el7-password-separator-false b/spec/expected/auth_spec/cracklib-el7-password-separator-false
new file mode 100644
index 0000000..653cdb4
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-el7-password-separator-false
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-password-separator-0 b/spec/expected/auth_spec/cracklib-el8-password-separator-0
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-separator-0
rename to spec/expected/auth_spec/cracklib-el8-password-separator-0
diff --git a/spec/expected/auth_spec/cracklib-password-auth_default_params b/spec/expected/auth_spec/cracklib-el8-password-separator-1
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-auth_default_params
rename to spec/expected/auth_spec/cracklib-el8-password-separator-1
diff --git a/spec/expected/auth_spec/cracklib-password-separator-2 b/spec/expected/auth_spec/cracklib-el8-password-separator-2
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-separator-2
rename to spec/expected/auth_spec/cracklib-el8-password-separator-2
diff --git a/spec/expected/auth_spec/cracklib-password-separator-false b/spec/expected/auth_spec/cracklib-el8-password-separator-false
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-separator-false
rename to spec/expected/auth_spec/cracklib-el8-password-separator-false
diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_custom_content b/spec/expected/auth_spec/cracklib-fingerprint-el7-auth_custom_content
similarity index 100%
rename from spec/expected/auth_spec/cracklib-fingerprint-auth_custom_content
rename to spec/expected/auth_spec/cracklib-fingerprint-el7-auth_custom_content
diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_default_params b/spec/expected/auth_spec/cracklib-fingerprint-el7-auth_default_params
similarity index 100%
rename from spec/expected/auth_spec/cracklib-fingerprint-auth_default_params
rename to spec/expected/auth_spec/cracklib-fingerprint-el7-auth_default_params
diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-fingerprint-el7-auth_sssd_no_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/cracklib-fingerprint-el7-auth_sssd_no_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-fingerprint-el7-auth_sssd_openshift_multi_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-fingerprint-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/cracklib-fingerprint-el7-auth_sssd_openshift_multi_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-fingerprint-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-fingerprint-el7-auth_unlock_time_never
similarity index 100%
rename from spec/expected/auth_spec/cracklib-fingerprint-auth_unlock_time_never
rename to spec/expected/auth_spec/cracklib-fingerprint-el7-auth_unlock_time_never
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_custom_content b/spec/expected/auth_spec/cracklib-fingerprint-el8-auth_custom_content
similarity index 100%
rename from spec/expected/auth_spec/pwquality-fingerprint-auth_custom_content
rename to spec/expected/auth_spec/cracklib-fingerprint-el8-auth_custom_content
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_default_params b/spec/expected/auth_spec/cracklib-fingerprint-el8-auth_default_params
similarity index 100%
rename from spec/expected/auth_spec/pwquality-fingerprint-auth_default_params
rename to spec/expected/auth_spec/cracklib-fingerprint-el8-auth_default_params
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-fingerprint-el8-auth_sssd_no_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/cracklib-fingerprint-el8-auth_sssd_no_tty_audit
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-fingerprint-el8-auth_sssd_openshift_multi_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/cracklib-fingerprint-el8-auth_sssd_openshift_multi_tty_audit
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-fingerprint-el8-auth_unlock_time_never
similarity index 100%
rename from spec/expected/auth_spec/pwquality-fingerprint-auth_unlock_time_never
rename to spec/expected/auth_spec/cracklib-fingerprint-el8-auth_unlock_time_never
diff --git a/spec/expected/auth_spec/cracklib-password-el7-auth_default_params b/spec/expected/auth_spec/cracklib-password-el7-auth_default_params
new file mode 100644
index 0000000..cb021e6
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-password-el7-auth_default_params
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-password-el7-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-password-el7-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..1ba3040
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-password-el7-auth_sssd_no_tty_audit
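Review bot: The pam_pwhistory line this EL7 fixture pins, `password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root`, carries an explicit `file=` option, and the same line recurs in the other new el7 fixtures in this patch (the sssd, openshift, unlock_time_never, system and oath variants) and in the pwquality-el8 separator fixtures. It is worth confirming that the Linux-PAM release shipped on EL7 actually accepts the `file=` option of pam_pwhistory; if it predates that option, the module logs an unknown-option message on each password change and falls back to its built-in history path, so the fixture would be asserting a line that only works incidentally. Because the default path is the same `/etc/security/opasswd`, enforcement would not weaken, but a short comment in the spec (or a version guard in the template that emits this line) stating why `file=` is rendered on EL7 would make the expectation deliberate rather than accidental.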
@@ -0,0 +1,44 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth sufficient pam_sss.so forward_pass
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 17 quiet
+auth [default=1 success=ok] pam_localuser.so
+auth sufficient pam_unix.so try_first_pass
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=10 minlen=8 minclass=7 maxrepeat=5 difok=2 maxsequence=6 maxclassrepeat=4 dcredit=1 ucredit=11 lcredit=3 ocredit=9
+password required pam_pwhistory.so use_authtok remember=14 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=16 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-password-el7-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-password-el7-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..c18cbac
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-password-el7-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,49 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=2 default=ignore] pam_sss.so forward_pass
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root,user1,user2
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-password-el7-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-password-el7-auth_unlock_time_never
new file mode 100644
index 0000000..85f3085
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-password-el7-auth_unlock_time_never
@@ -0,0 +1,39 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-password-separator-1 b/spec/expected/auth_spec/cracklib-password-el8-auth_default_params
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-separator-1
rename to spec/expected/auth_spec/cracklib-password-el8-auth_default_params
diff --git a/spec/expected/auth_spec/cracklib-password-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-password-el8-auth_sssd_no_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/cracklib-password-el8-auth_sssd_no_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-password-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-password-el8-auth_sssd_openshift_multi_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/cracklib-password-el8-auth_sssd_openshift_multi_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-password-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-password-el8-auth_unlock_time_never
similarity index 100%
rename from spec/expected/auth_spec/cracklib-password-auth_unlock_time_never
rename to spec/expected/auth_spec/cracklib-password-el8-auth_unlock_time_never
diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_custom_content b/spec/expected/auth_spec/cracklib-smartcard-el7-auth_custom_content
similarity index 100%
rename from spec/expected/auth_spec/cracklib-smartcard-auth_custom_content
rename to spec/expected/auth_spec/cracklib-smartcard-el7-auth_custom_content
diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_default_params b/spec/expected/auth_spec/cracklib-smartcard-el7-auth_default_params
similarity index 100%
rename from spec/expected/auth_spec/cracklib-smartcard-auth_default_params
rename to spec/expected/auth_spec/cracklib-smartcard-el7-auth_default_params
diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-smartcard-el7-auth_sssd_no_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-smartcard-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/cracklib-smartcard-el7-auth_sssd_no_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-smartcard-el7-auth_sssd_openshift_multi_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-smartcard-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/cracklib-smartcard-el7-auth_sssd_openshift_multi_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-smartcard-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-smartcard-el7-auth_unlock_time_never
similarity index 100%
rename from spec/expected/auth_spec/cracklib-smartcard-auth_unlock_time_never
rename to spec/expected/auth_spec/cracklib-smartcard-el7-auth_unlock_time_never
diff --git a/spec/expected/auth_spec/pwquality-smartcard-auth_custom_content b/spec/expected/auth_spec/cracklib-smartcard-el8-auth_custom_content
similarity index 100%
rename from spec/expected/auth_spec/pwquality-smartcard-auth_custom_content
rename to spec/expected/auth_spec/cracklib-smartcard-el8-auth_custom_content
diff --git a/spec/expected/auth_spec/pwquality-smartcard-auth_default_params b/spec/expected/auth_spec/cracklib-smartcard-el8-auth_default_params
similarity index 100%
rename from spec/expected/auth_spec/pwquality-smartcard-auth_default_params
rename to spec/expected/auth_spec/cracklib-smartcard-el8-auth_default_params
diff --git a/spec/expected/auth_spec/pwquality-smartcard-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-smartcard-el8-auth_sssd_no_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/pwquality-smartcard-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/cracklib-smartcard-el8-auth_sssd_no_tty_audit
diff --git a/spec/expected/auth_spec/pwquality-smartcard-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-smartcard-el8-auth_sssd_openshift_multi_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/pwquality-smartcard-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/cracklib-smartcard-el8-auth_sssd_openshift_multi_tty_audit
diff --git a/spec/expected/auth_spec/pwquality-smartcard-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-smartcard-el8-auth_unlock_time_never
similarity index 100%
rename from spec/expected/auth_spec/pwquality-smartcard-auth_unlock_time_never
rename to spec/expected/auth_spec/cracklib-smartcard-el8-auth_unlock_time_never
diff --git a/spec/expected/auth_spec/cracklib-system-el7-auth_default_params b/spec/expected/auth_spec/cracklib-system-el7-auth_default_params
new file mode 100644
index 0000000..cb021e6
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-system-el7-auth_default_params
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-system-el7-auth_oath_enabled b/spec/expected/auth_spec/cracklib-system-el7-auth_oath_enabled
new file mode 100644
index 0000000..25a140b
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-system-el7-auth_oath_enabled
@@ -0,0 +1,45 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=3 default=ignore] pam_listfile.so item=group sense=allow file=/etc/liboath/exclude_groups.oath quiet
+auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/liboath/exclude_users.oath quiet
+auth [success=1 default=bad] pam_oath.so usersfile=/etc/liboath/users.oath window=1
+auth requisite pam_deny.so
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-system-el7-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-system-el7-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..1ba3040
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-system-el7-auth_sssd_no_tty_audit
@@ -0,0 +1,44 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth sufficient pam_sss.so forward_pass
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 17 quiet
+auth [default=1 success=ok] pam_localuser.so
+auth sufficient pam_unix.so try_first_pass
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=10 minlen=8 minclass=7 maxrepeat=5 difok=2 maxsequence=6 maxclassrepeat=4 dcredit=1 ucredit=11 lcredit=3 ocredit=9
+password required pam_pwhistory.so use_authtok remember=14 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=16 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-system-el7-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-system-el7-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..c18cbac
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-system-el7-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,49 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=2 default=ignore] pam_sss.so forward_pass
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root,user1,user2
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-system-el7-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-system-el7-auth_unlock_time_never
new file mode 100644
index 0000000..c395892
--- /dev/null
+++ b/spec/expected/auth_spec/cracklib-system-el7-auth_unlock_time_never
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_cracklib.so retry=3 enforce_for_root reject_username minlen=15 minclass=3 maxrepeat=2 difok=4 maxsequence=4 maxclassrepeat=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 gecoscheck
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/cracklib-system-auth_default_params b/spec/expected/auth_spec/cracklib-system-el8-auth_default_params
similarity index 100%
rename from spec/expected/auth_spec/cracklib-system-auth_default_params
rename to spec/expected/auth_spec/cracklib-system-el8-auth_default_params
diff --git a/spec/expected/auth_spec/cracklib-system-auth_oath_enabled b/spec/expected/auth_spec/cracklib-system-el8-auth_oath_enabled
similarity index 100%
rename from spec/expected/auth_spec/cracklib-system-auth_oath_enabled
rename to spec/expected/auth_spec/cracklib-system-el8-auth_oath_enabled
diff --git a/spec/expected/auth_spec/cracklib-system-auth_sssd_no_tty_audit b/spec/expected/auth_spec/cracklib-system-el8-auth_sssd_no_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-system-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/cracklib-system-el8-auth_sssd_no_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-system-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/cracklib-system-el8-auth_sssd_openshift_multi_tty_audit
similarity index 100%
rename from spec/expected/auth_spec/cracklib-system-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/cracklib-system-el8-auth_sssd_openshift_multi_tty_audit
diff --git a/spec/expected/auth_spec/cracklib-system-auth_unlock_time_never b/spec/expected/auth_spec/cracklib-system-el8-auth_unlock_time_never
similarity index 100%
rename from spec/expected/auth_spec/cracklib-system-auth_unlock_time_never
rename to spec/expected/auth_spec/cracklib-system-el8-auth_unlock_time_never
diff --git a/spec/expected/auth_spec/pwquality-password-separator-0 b/spec/expected/auth_spec/pwquality-el7-password-separator-0 similarity index 97% rename from spec/expected/auth_spec/pwquality-password-separator-0 rename to spec/expected/auth_spec/pwquality-el7-password-separator-0 index 68ae656..fbd6e3c 100644 --- a/spec/expected/auth_spec/pwquality-password-separator-0 +++ b/spec/expected/auth_spec/pwquality-el7-password-separator-0 @@ -20,7 +20,7 @@ account requisite pam_access.so listsep=! nodefgroup account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password required pam_deny.so diff --git a/spec/expected/auth_spec/pwquality-password-auth_default_params b/spec/expected/auth_spec/pwquality-el7-password-separator-1 similarity index 97% rename from spec/expected/auth_spec/pwquality-password-auth_default_params rename to spec/expected/auth_spec/pwquality-el7-password-separator-1 index 93d79e6..d98ee6f 100644 --- a/spec/expected/auth_spec/pwquality-password-auth_default_params +++ b/spec/expected/auth_spec/pwquality-el7-password-separator-1 @@ -20,7 +20,7 @@ account requisite pam_access.so listsep=, nodefgroup account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password required pam_deny.so 
diff --git a/spec/expected/auth_spec/pwquality-password-separator-2 b/spec/expected/auth_spec/pwquality-el7-password-separator-2 similarity index 97% rename from spec/expected/auth_spec/pwquality-password-separator-2 rename to spec/expected/auth_spec/pwquality-el7-password-separator-2 index c893c1e..0ec2a09 100644 --- a/spec/expected/auth_spec/pwquality-password-separator-2 +++ b/spec/expected/auth_spec/pwquality-el7-password-separator-2 @@ -20,7 +20,7 @@ account requisite pam_access.so listsep=@ nodefgroup account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password required pam_deny.so diff --git a/spec/expected/auth_spec/pwquality-password-separator-false b/spec/expected/auth_spec/pwquality-el7-password-separator-false similarity index 97% rename from spec/expected/auth_spec/pwquality-password-separator-false rename to spec/expected/auth_spec/pwquality-el7-password-separator-false index 719d849..333cfd3 100644 --- a/spec/expected/auth_spec/pwquality-password-separator-false +++ b/spec/expected/auth_spec/pwquality-el7-password-separator-false @@ -20,7 +20,7 @@ account requisite pam_access.so nodefgroup account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password required pam_deny.so 
diff --git a/spec/expected/auth_spec/pwquality-el8-password-separator-0 b/spec/expected/auth_spec/pwquality-el8-password-separator-0
new file mode 100644
index 0000000..af65be5
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-el8-password-separator-0
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=! nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=! nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-el8-password-separator-1 b/spec/expected/auth_spec/pwquality-el8-password-separator-1
new file mode 100644
index 0000000..874c06f
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-el8-password-separator-1
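Review bot: The new EL8 fixture still pins every pam_pwhistory option on the module line (`use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root`) while the pam_pwquality line beside it is reduced to the bare module, presumably because its settings now come from pwquality.conf. Since this commit adds pwhistory.conf management, a reader cannot tell from the fixture whether the inline arguments are meant to override the conf file on EL8 or are carried over from the EL7 template; if I recall the pam_pwhistory man page correctly, module-line options take precedence over the file, so the two sources can diverge without anyone noticing. Either drop the arguments here as was done for pam_pwquality, or have the template emit a comment such as `# pam_pwhistory options are pinned on the module line and override /etc/security/pwhistory.conf` so the precedence is explicit. The same layout appears in the el8 separator-1, separator-2, separator-false and password-el8-auth_default_params hunks.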
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-el8-password-separator-2 b/spec/expected/auth_spec/pwquality-el8-password-separator-2
new file mode 100644
index 0000000..2f41f12
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-el8-password-separator-2
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=@ nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=@ nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-el8-password-separator-false b/spec/expected/auth_spec/pwquality-el8-password-separator-false
new file mode 100644
index 0000000..e348b78
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-el8-password-separator-false
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_custom_content b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_custom_content
new file mode 100644
index 0000000..69aa048
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_custom_content
@@ -0,0 +1 @@
+this is valid pam fingerprint_auth configuration, I promise
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_default_params b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_default_params
new file mode 100644
index 0000000..1e80ea5
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_default_params
@@ -0,0 +1,36 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..0c0913e
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_no_tty_audit
@@ -0,0 +1,37 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..6385a0b
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_openshift_multi_tty_audit 
@@ -0,0 +1,42 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root,user1,user2
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_user_specified_centrify
similarity index 100%
rename from spec/expected/auth_spec/pwquality-fingerprint-auth_sssd_user_specified_centrify
rename to spec/expected/auth_spec/pwquality-fingerprint-el7-auth_sssd_user_specified_centrify
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_unlock_time_never
new file mode 100644
index 0000000..77aa1ad
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el7-auth_unlock_time_never
@@ -0,0 +1,36 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_custom_content b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_custom_content
new file mode 100644
index 0000000..69aa048
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_custom_content
@@ -0,0 +1 @@
+this is valid pam fingerprint_auth configuration, I promise
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_default_params b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_default_params
new file mode 100644
index 0000000..1e80ea5
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_default_params
@@ -0,0 +1,36 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..0c0913e
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_no_tty_audit
@@ -0,0 +1,37 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..6385a0b
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,42 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root,user1,user2
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_user_specified_centrify
new file mode 100644
index 0000000..350bf68
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_sssd_user_specified_centrify
@@ -0,0 +1,47 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# User defined prepended auth content
+auth sufficient pam_centrifydc.so
+auth requisite pam_centrifydc.so deny
+account sufficient pam_centrifydc.so
+account requisite pam_centrifydc.so deny
+session required pam_centrifydc.so homedir
+password sufficient pam_centrifydc.so try_first_pass
+password requisite pam_centrifydc.so deny
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_unlock_time_never
new file mode 100644
index 0000000..77aa1ad
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-fingerprint-el8-auth_unlock_time_never
@@ -0,0 +1,36 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth sufficient pam_fprintd.so
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-auth_default_params b/spec/expected/auth_spec/pwquality-password-el7-auth_default_params
similarity index 97%
rename from spec/expected/auth_spec/pwquality-system-auth_default_params
rename to spec/expected/auth_spec/pwquality-password-el7-auth_default_params
index 93d79e6..d98ee6f 100644
--- a/spec/expected/auth_spec/pwquality-system-auth_default_params
+++ b/spec/expected/auth_spec/pwquality-password-el7-auth_default_params
@@ -20,7 +20,7 @@ account requisite pam_access.so listsep=, nodefgroup
 account required pam_permit.so
 
 password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
-password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
 password required pam_deny.so
 
diff --git a/spec/expected/auth_spec/pwquality-system-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-password-el7-auth_sssd_no_tty_audit
similarity index 97%
rename from spec/expected/auth_spec/pwquality-system-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/pwquality-password-el7-auth_sssd_no_tty_audit
index cb76818..a2c296f 100644
--- a/spec/expected/auth_spec/pwquality-system-auth_sssd_no_tty_audit
+++ b/spec/expected/auth_spec/pwquality-password-el7-auth_sssd_no_tty_audit
@@ -23,7 +23,7 @@ account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_s
 account required pam_permit.so
 
 password requisite pam_pwquality.so retry=10
-password required pam_pwhistory.so use_authtok remember=14 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=14 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=16 shadow try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
diff --git a/spec/expected/auth_spec/pwquality-system-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-password-el7-auth_sssd_openshift_multi_tty_audit
similarity index 98%
rename from spec/expected/auth_spec/pwquality-system-auth_sssd_openshift_multi_tty_audit
rename to spec/expected/auth_spec/pwquality-password-el7-auth_sssd_openshift_multi_tty_audit
index 0f0c514..bd58e3c 100644
--- a/spec/expected/auth_spec/pwquality-system-auth_sssd_openshift_multi_tty_audit
+++ b/spec/expected/auth_spec/pwquality-password-el7-auth_sssd_openshift_multi_tty_audit
@@ -24,7 +24,7 @@ account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_s
 account required pam_permit.so
 
 password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
-password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
diff --git a/spec/expected/auth_spec/pwquality-system-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-password-el7-auth_sssd_user_specified_centrify
similarity index 98%
rename from spec/expected/auth_spec/pwquality-system-auth_sssd_user_specified_centrify
rename to spec/expected/auth_spec/pwquality-password-el7-auth_sssd_user_specified_centrify
index c35ece4..74a7be4 100644
--- a/spec/expected/auth_spec/pwquality-system-auth_sssd_user_specified_centrify
+++ b/spec/expected/auth_spec/pwquality-password-el7-auth_sssd_user_specified_centrify
@@ -32,7 +32,7 @@ account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_s
 account required pam_permit.so
 
 password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
-password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
diff --git a/spec/expected/auth_spec/pwquality-system-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-password-el7-auth_unlock_time_never
similarity index 97%
rename from spec/expected/auth_spec/pwquality-system-auth_unlock_time_never
rename to spec/expected/auth_spec/pwquality-password-el7-auth_unlock_time_never
index 9a4fb54..91d8a74 100644
--- a/spec/expected/auth_spec/pwquality-system-auth_unlock_time_never
+++ b/spec/expected/auth_spec/pwquality-password-el7-auth_unlock_time_never
@@ -20,7 +20,7 @@ account requisite pam_access.so listsep=, nodefgroup
 account required pam_permit.so
 password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
-password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
 password required pam_deny.so
diff --git a/spec/expected/auth_spec/pwquality-password-el8-auth_default_params b/spec/expected/auth_spec/pwquality-password-el8-auth_default_params
new file mode 100644
index 0000000..874c06f
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-password-el8-auth_default_params
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..a46f3b7
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_no_tty_audit
@@ -0,0 +1,44 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth sufficient pam_sss.so forward_pass
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 17 quiet
+auth [default=1 success=ok] pam_localuser.so
+auth sufficient pam_unix.so try_first_pass
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=14 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=16 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..1533b06
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,49 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=2 default=ignore] pam_sss.so forward_pass
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root,user1,user2
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_user_specified_centrify
new file mode 100644
index 0000000..151c183
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-password-el8-auth_sssd_user_specified_centrify
@@ -0,0 +1,54 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# User defined prepended auth content
+auth sufficient pam_centrifydc.so
+auth requisite pam_centrifydc.so deny
+account sufficient pam_centrifydc.so
+account requisite pam_centrifydc.so deny
+session required pam_centrifydc.so homedir
+password sufficient pam_centrifydc.so try_first_pass
+password requisite pam_centrifydc.so deny
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=2 default=ignore] pam_sss.so forward_pass
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-password-el8-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-password-el8-auth_unlock_time_never
new file mode 100644
index 0000000..f68caf2
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-password-el8-auth_unlock_time_never
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el7-auth_custom_content b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_custom_content
new file mode 100644
index 0000000..178e760
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_custom_content
@@ -0,0 +1 @@
+this is valid pam smartcard_auth configuration, I promise
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el7-auth_default_params b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_default_params
new file mode 100644
index 0000000..10778b1
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_default_params
@@ -0,0 +1,32 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..fa5a57b
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_no_tty_audit
@@ -0,0 +1,37 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..d1e59e4
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,38 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_user_specified_centrify
similarity index 100%
rename from spec/expected/auth_spec/pwquality-smartcard-auth_sssd_user_specified_centrify
rename to spec/expected/auth_spec/pwquality-smartcard-el7-auth_sssd_user_specified_centrify
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el7-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_unlock_time_never
new file mode 100644
index 0000000..c88b589
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el7-auth_unlock_time_never
@@ -0,0 +1,32 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el8-auth_custom_content b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_custom_content
new file mode 100644
index 0000000..178e760
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_custom_content
@@ -0,0 +1 @@
+this is valid pam smartcard_auth configuration, I promise
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el8-auth_default_params b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_default_params
new file mode 100644
index 0000000..10778b1
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_default_params
@@ -0,0 +1,32 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..fa5a57b
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_no_tty_audit
@@ -0,0 +1,37 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..d1e59e4
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,38 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_user_specified_centrify
new file mode 100644
index 0000000..54000b6
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_sssd_user_specified_centrify
@@ -0,0 +1,43 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# User defined prepended auth content
+auth sufficient pam_centrifydc.so
+auth requisite pam_centrifydc.so deny
+account sufficient pam_centrifydc.so
+account requisite pam_centrifydc.so deny
+session required pam_centrifydc.so homedir
+password sufficient pam_centrifydc.so try_first_pass
+password requisite pam_centrifydc.so deny
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-smartcard-el8-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_unlock_time_never
new file mode 100644
index 0000000..c88b589
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-smartcard-el8-auth_unlock_time_never
@@ -0,0 +1,32 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password required pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-password-separator-1 b/spec/expected/auth_spec/pwquality-system-el7-auth_default_params
similarity index 97%
rename from spec/expected/auth_spec/pwquality-password-separator-1
rename to spec/expected/auth_spec/pwquality-system-el7-auth_default_params
index 93d79e6..d98ee6f 100644
--- a/spec/expected/auth_spec/pwquality-password-separator-1
+++ b/spec/expected/auth_spec/pwquality-system-el7-auth_default_params
@@ -20,7 +20,7 @@ account requisite pam_access.so listsep=, nodefgroup
 account required pam_permit.so
 password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
-password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
 password required pam_deny.so
diff --git a/spec/expected/auth_spec/pwquality-system-auth_oath_enabled b/spec/expected/auth_spec/pwquality-system-el7-auth_oath_enabled
similarity index 97%
rename from spec/expected/auth_spec/pwquality-system-auth_oath_enabled
rename to spec/expected/auth_spec/pwquality-system-el7-auth_oath_enabled
index 51d1263..c0105e0 100644
--- a/spec/expected/auth_spec/pwquality-system-auth_oath_enabled
+++ b/spec/expected/auth_spec/pwquality-system-el7-auth_oath_enabled
@@ -24,7 +24,7 @@ account requisite pam_access.so listsep=, nodefgroup
 account required pam_permit.so
 password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
-password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
 password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
 password required pam_deny.so
diff --git a/spec/expected/auth_spec/pwquality-password-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-system-el7-auth_sssd_no_tty_audit
similarity index 97%
rename from spec/expected/auth_spec/pwquality-password-auth_sssd_no_tty_audit
rename to spec/expected/auth_spec/pwquality-system-el7-auth_sssd_no_tty_audit
index cb76818..a2c296f 100644
--- a/spec/expected/auth_spec/pwquality-password-auth_sssd_no_tty_audit +++ b/spec/expected/auth_spec/pwquality-system-el7-auth_sssd_no_tty_audit @@ -23,7 +23,7 @@ account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_s account required pam_permit.so password requisite pam_pwquality.so retry=10 -password required pam_pwhistory.so use_authtok remember=14 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=14 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=16 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so diff --git a/spec/expected/auth_spec/pwquality-password-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-system-el7-auth_sssd_openshift_multi_tty_audit similarity index 98% rename from spec/expected/auth_spec/pwquality-password-auth_sssd_openshift_multi_tty_audit rename to spec/expected/auth_spec/pwquality-system-el7-auth_sssd_openshift_multi_tty_audit index 0f0c514..bd58e3c 100644 --- a/spec/expected/auth_spec/pwquality-password-auth_sssd_openshift_multi_tty_audit +++ b/spec/expected/auth_spec/pwquality-system-el7-auth_sssd_openshift_multi_tty_audit @@ -24,7 +24,7 @@ account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_s account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so 
diff --git a/spec/expected/auth_spec/pwquality-password-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-system-el7-auth_sssd_user_specified_centrify similarity index 98% rename from spec/expected/auth_spec/pwquality-password-auth_sssd_user_specified_centrify rename to spec/expected/auth_spec/pwquality-system-el7-auth_sssd_user_specified_centrify index c35ece4..74a7be4 100644 --- a/spec/expected/auth_spec/pwquality-password-auth_sssd_user_specified_centrify +++ b/spec/expected/auth_spec/pwquality-system-el7-auth_sssd_user_specified_centrify @@ -32,7 +32,7 @@ account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_s account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so diff --git a/spec/expected/auth_spec/pwquality-password-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-system-el7-auth_unlock_time_never similarity index 97% rename from spec/expected/auth_spec/pwquality-password-auth_unlock_time_never rename to spec/expected/auth_spec/pwquality-system-el7-auth_unlock_time_never index 9a4fb54..91d8a74 100644 --- a/spec/expected/auth_spec/pwquality-password-auth_unlock_time_never +++ b/spec/expected/auth_spec/pwquality-system-el7-auth_unlock_time_never 
@@ -20,7 +20,7 @@ account requisite pam_access.so listsep=, nodefgroup account required pam_permit.so password requisite pam_pwquality.so retry=3 enforce_for_root reject_username -password required pam_pwhistory.so use_authtok remember=24 retry=1 enforce_for_root +password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok password required pam_deny.so diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_default_params b/spec/expected/auth_spec/pwquality-system-el8-auth_default_params new file mode 100644 index 0000000..874c06f --- /dev/null +++ b/spec/expected/auth_spec/pwquality-system-el8-auth_default_params 
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_oath_enabled b/spec/expected/auth_spec/pwquality-system-el8-auth_oath_enabled
new file mode 100644
index 0000000..41803d8
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_oath_enabled
@@ -0,0 +1,45 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=3 default=ignore] pam_listfile.so item=group sense=allow file=/etc/liboath/exclude_groups.oath quiet
+auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/liboath/exclude_users.oath quiet
+auth [success=1 default=bad] pam_oath.so usersfile=/etc/liboath/users.oath window=1
+auth requisite pam_deny.so
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to
optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_no_tty_audit b/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_no_tty_audit
new file mode 100644
index 0000000..a46f3b7
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_no_tty_audit
@@ -0,0 +1,44 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth sufficient pam_sss.so forward_pass
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 17 quiet
+auth [default=1 success=ok] pam_localuser.so
+auth sufficient pam_unix.so try_first_pass
+auth requisite pam_succeed_if.so uid >= 17 quiet
+auth required pam_deny.so
+
+account required pam_access.so listsep=, accessfile=/etc/security/access.conf
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 17 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=14 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=16 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=,
nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_openshift_multi_tty_audit b/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_openshift_multi_tty_audit
new file mode 100644
index 0000000..1533b06
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_openshift_multi_tty_audit
@@ -0,0 +1,49 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=2 default=ignore] pam_sss.so forward_pass
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=4 default=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all
logins do not fail
+session optional pam_tty_audit.so disable=* enable=root,user1,user2
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session [default=1 success=ignore] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session required pam_namespace.so no_unmount_on_close
+session [default=ignore success=1] pam_succeed_if.so quiet shell = /usr/bin/oo-trap-user
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_user_specified_centrify b/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_user_specified_centrify
new file mode 100644
index 0000000..151c183
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_sssd_user_specified_centrify
@@ -0,0 +1,54 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# User defined prepended auth content
+auth sufficient pam_centrifydc.so
+auth requisite pam_centrifydc.so deny
+account sufficient pam_centrifydc.so
+account requisite pam_centrifydc.so deny
+session required pam_centrifydc.so homedir
+password sufficient pam_centrifydc.so try_first_pass
+password requisite pam_centrifydc.so deny
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=2 default=ignore] pam_sss.so forward_pass
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=3 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account [success=1 default=ignore] pam_localuser.so
+account [default=bad success=ok system_err=ignore user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session
sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session optional pam_sss.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_unlock_time_never b/spec/expected/auth_spec/pwquality-system-el8-auth_unlock_time_never
new file mode 100644
index 0000000..f68caf2
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_unlock_time_never
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=never fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=never even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so
silent
+session required pam_lastlog.so showfailed
diff --git a/templates/etc/pam.d/auth.epp b/templates/etc/pam.d/auth.epp
index 40230eb..55844bd 100644
--- a/templates/etc/pam.d/auth.epp
+++ b/templates/etc/pam.d/auth.epp
@@ -16,7 +16,7 @@
Optional[Integer] $cracklib_ocredit,
Optional[Integer[0]] $cracklib_minclass,
Optional[Integer[0]] $cracklib_minlen,
- Integer[0] $cracklib_retry,
+ Variant[Boolean, Integer[0]] $cracklib_retry,
Integer[0] $deny,
Boolean $faillock,
Boolean $manage_faillock_conf,
@@ -28,9 +28,12 @@
Optional[Stdlib::Absolutepath] $faillock_log_dir,
Boolean $display_account_lock,
Integer[0] $fail_interval,
+ Boolean $manage_pwhistory_conf,
+ Boolean $remember_debug,
Integer[0] $remember,
Integer[0] $remember_retry,
Boolean $remember_for_root,
+ StdLib::Absolutepath $remember_file,
Boolean $even_deny_root,
Integer[0] $root_unlock_time,
Pam::HashAlgorithm $hash_algorithm,
@@ -70,7 +73,7 @@ else {
auth optional pam_faildelay.so
auth required pam_env.so
<% if $faillock {
- if $manage_faillock_conf {
+ if $manage_faillock_conf {
-%>
auth required pam_faillock.so preauth
<% } else {
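Review bot: `Variant[Boolean, Integer[0]] $cracklib_retry` admits `true` as well as `false`, but only `false` is meaningful as an "omit the option" sentinel; a `true` value is truthy in Puppet and the rendering branch later in this file interpolates it verbatim, producing `retry=true` on the pam_pwquality/pam_cracklib line, which is not a valid retry count (the module would at best fall back to its own default). Narrow the type to `Variant[Boolean[false], Integer[0]] $cracklib_retry,` if the module's minimum Puppet version supports the parameterised Boolean, or reject `true` explicitly where the option is rendered. The same widened `Variant[Boolean, Integer[0]]` type is introduced for `$retry` and `$dictcheck` in the pwquality.conf template in this commit and deserves the same treatment.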
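Review bot: `StdLib::Absolutepath $remember_file,` is spelled with a capital L while the context line three above it uses `Stdlib::Absolutepath`, the name the stdlib module publishes; keep it `Stdlib::Absolutepath $remember_file,` so the two parameters read consistently and the type resolves regardless of how case-insensitively the loader treats type names. The same `StdLib` spelling appears in the new pwhistory.conf.epp parameter list in this commit.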
@@ -202,28 +205,59 @@ account requisite pam_access.so nodefgroup account required pam_permit.so <% if $name in ['system', 'password'] { -%> -password requisite pam_<%= $password_check_backend %>.so retry=<%= $cracklib_retry -%> -<% if $cracklib_enforce_for_root { %> enforce_for_root<% } -%> -<% if $cracklib_reject_username { %> reject_username<% } -%> +<% if $cracklib_retry { + $_cracklib_retry = " retry=${cracklib_retry}" + } else { + $_cracklib_retry = '' + } + + if $cracklib_enforce_for_root { + $_cracklib_enforce_for_root = ' enforce_for_root' + } else { + $_cracklib_enforce_for_root = '' + } + + if $cracklib_reject_username { + $_cracklib_reject_username = ' reject_username' + } else { + $_cracklib_reject_username = '' + } + + $_pam_password_check = "password requisite pam_${password_check_backend}.so${_cracklib_retry}${_cracklib_enforce_for_root}${_cracklib_reject_username}" +-%> +<%= $_pam_password_check %> <% if ($password_check_backend == 'cracklib') { -%> -<% if $cracklib_minlen { %> minlen=<%= $cracklib_minlen %><% } -%> -<% if $cracklib_minclass { %> minclass=<%= $cracklib_minclass %><% } -%> -<% if $cracklib_maxrepeat { %> maxrepeat=<%= $cracklib_maxrepeat %><% } -%> -<% if $cracklib_difok { %> difok=<%= $cracklib_difok %><% } -%> -<% if $cracklib_maxsequence { %> maxsequence=<%= $cracklib_maxsequence %><% } -%> -<% if $cracklib_maxclassrepeat { %> maxclassrepeat=<%= $cracklib_maxclassrepeat %><% } -%> -<% if $cracklib_dcredit { %> dcredit=<%= $cracklib_dcredit %><% } -%> -<% if $cracklib_ucredit { %> ucredit=<%= $cracklib_ucredit %><% } -%> -<% if $cracklib_lcredit { %> lcredit=<%= $cracklib_lcredit %><% } -%> -<% if $cracklib_ocredit { %> ocredit=<%= $cracklib_ocredit %><% } -%> -<% if $cracklib_gecoscheck { %> gecoscheck<% } -%> -<% } -%> +<% if $cracklib_minlen { %> minlen=<%= $cracklib_minlen %><% } -%> +<% if $cracklib_minclass { %> minclass=<%= $cracklib_minclass %><% } -%> +<% if $cracklib_maxrepeat { %> maxrepeat=<%= $cracklib_maxrepeat %><% } 
-%> +<% if $cracklib_difok { %> difok=<%= $cracklib_difok %><% } -%> +<% if $cracklib_maxsequence { %> maxsequence=<%= $cracklib_maxsequence %><% } -%> +<% if $cracklib_maxclassrepeat { %> maxclassrepeat=<%= $cracklib_maxclassrepeat %><% } -%> +<% if $cracklib_dcredit { %> dcredit=<%= $cracklib_dcredit %><% } -%> +<% if $cracklib_ucredit { %> ucredit=<%= $cracklib_ucredit %><% } -%> +<% if $cracklib_lcredit { %> lcredit=<%= $cracklib_lcredit %><% } -%> +<% if $cracklib_ocredit { %> ocredit=<%= $cracklib_ocredit %><% } -%> +<% if $cracklib_gecoscheck { %> gecoscheck<% } -%> +<% } -%> +<% + if $manage_pwhistory_conf { + $_pam_pwhistory = 'password required pam_pwhistory.so use_authtok' + } else { + if $remember_debug { + $_remember_debug = ' debug' + } else { + $_remember_debug = '' + } -<% if $remember_for_root { -%> -<% $_pam_pwhistory = "password required pam_pwhistory.so use_authtok remember=${remember} retry=${remember_retry} enforce_for_root" -%> -<% } else { -%> -<% $_pam_pwhistory = "password required pam_pwhistory.so use_authtok remember=${remember} retry=${remember_retry}" -%> -<% } -%> + if $remember_for_root { + $_remember_for_root = ' enforce_for_root' + } else { + $_remember_for_root = '' + } + + $_pam_pwhistory = "password required pam_pwhistory.so use_authtok remember=${remember} retry=${remember_retry} file=${remember_file}${_remember_debug}${_remember_for_root}" +-%> +<% } -%> <% $_pam_unix = "password sufficient pam_unix.so ${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%> <% if $sssd { -%> <%= $_pam_pwhistory %> diff --git a/templates/etc/security/faillock.conf.epp b/templates/etc/security/faillock.conf.epp index 352627f..8a21e82 100644 --- a/templates/etc/security/faillock.conf.epp +++ b/templates/etc/security/faillock.conf.epp 
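Review bot: When `$manage_pwhistory_conf` is true the rendered line is the bare `password required pam_pwhistory.so use_authtok`, so remember, retry, file and enforce_for_root are enforced only if the installed pam_pwhistory actually reads /etc/security/pwhistory.conf; on a build that does not, the history check silently falls back to the module's built-in defaults (which per the pam_pwhistory man page exempt root), a quiet weakening rather than a visible failure. Add a comment at that assignment, e.g. `# Options live in pwhistory.conf; pam_pwhistory must support reading it or these settings are silently lost`, and make sure the manifest only enables manage_pwhistory_conf on platforms known to support it (any such check is outside this hunk). Separately, the else branch now appends `file=${remember_file}` unconditionally, which also reaches the EL7 fixtures renamed in this commit; confirm the EL7 pam_pwhistory accepts `file=` rather than logging it as an unknown option, or emit it only when it differs from /etc/security/opasswd. The `<% if $name in ['system', 'password'] {` block enclosing these assignments continues past the end of the hunk.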
@@ -1,16 +1,16 @@
<%-|
Optional[Stdlib::Absolutepath] $dir,
- Boolean $audit,
- Boolean $silent,
- Boolean $no_log_info,
- Boolean $local_users_only,
- Boolean $nodelay,
- Optional[Integer[0]] $deny,
- Optional[Integer[0]] $fail_interval,
- Optional[Integer[0]] $unlock_time,
- Boolean $even_deny_root,
- Optional[Integer[0]] $root_unlock_time,
- Optional[String] $admin_group
+ Boolean $audit,
+ Boolean $silent,
+ Boolean $no_log_info,
+ Boolean $local_users_only,
+ Boolean $nodelay,
+ Optional[Integer[0]] $deny,
+ Optional[Integer[0]] $fail_interval,
+ Optional[Integer[0]] $unlock_time,
+ Boolean $even_deny_root,
+ Optional[Integer[0]] $root_unlock_time,
+ Optional[String] $admin_group
|-%>
# This file is generated by Puppet
# Any changes made to it will be overwritten.
diff --git a/templates/etc/security/pwhistory.conf.epp b/templates/etc/security/pwhistory.conf.epp
new file mode 100644
index 0000000..11712fb
--- /dev/null
+++ b/templates/etc/security/pwhistory.conf.epp
@@ -0,0 +1,19 @@
+<%-|
+ Boolean $debug,
+ Boolean $enforce_for_root,
+ Integer[0] $remember,
+ Integer[0] $retry,
+ StdLib::Absolutepath $remember_file
+|-%>
+# This file is generated by Puppet
+# Any changes made to it will be overwritten.
+#
+<% if $debug { -%>
+debug
+<% } -%>
+<% if $enforce_for_root { -%>
+enforce_for_root
+<% } -%>
+remember = <%= $remember %>
+retry = <%= $retry %>
+file = <%= $remember_file %>
diff --git a/templates/etc/security/pwquality.conf.epp b/templates/etc/security/pwquality.conf.epp
index 7b7f1e7..a885ec2 100644
--- a/templates/etc/security/pwquality.conf.epp
+++ b/templates/etc/security/pwquality.conf.epp
@@ -1,18 +1,20 @@ <%-| - Integer[0] $difok, - Integer[0] $minlen, - Integer $dcredit, - Integer $ucredit, - Integer $lcredit, - Integer $ocredit, - Integer[0] $minclass, - Integer[0] $maxrepeat, - Integer[0] $maxclassrepeat, - Integer[0] $maxsequence, - Integer[0] $retry, - Integer[0] $dictcheck, - Boolean $gecoscheck, - Optional[Array[String[1]]] $badwords, + Integer[0] $difok, + Integer[0] $minlen, + Integer $dcredit, + Integer $ucredit, + Integer $lcredit, + Integer $ocredit, + Integer[0] $minclass, + Integer[0] $maxrepeat, + Integer[0] $maxclassrepeat, + Integer[0] $maxsequence, + Variant[Boolean, Integer[0]] $retry, + Variant[Boolean, Integer[0]] $dictcheck, + Boolean $gecoscheck, + Boolean $enforce_for_root, + Boolean $reject_username, + Optional[Array[String[1]]] $badwords, Optional[Stdlib::Absolutepath] $dictpath |-%> # This file is generated by Puppet @@ -28,18 +30,18 @@ minclass = <%= $minclass %> maxrepeat = <%= $maxrepeat %> maxclassrepeat = <%= $maxclassrepeat %> maxsequence = <%= $maxsequence %> -<% -# The 'retry' option was introduced in RHEL 8.4 and Amazon Linux 2022 -unless - ($facts['os']['name'] == 'Amazon' and Integer($facts['os']['release']['major']) < 2022) or - Integer($facts['os']['release']['major']) < 8 or - # CentOS Streams doesn't provide a minor version number: - (Integer($facts['os']['release']['major']) == 8 and $facts['os']['release']['minor'] and Integer($facts['os']['release']['minor']) < 4) { -%> +<% if $retry { -%> retry = <%= $retry %> <% } -%> -<% if Integer($facts['os']['release']['major']) > 7 { -%> +<% if $dictcheck { -%> dictcheck = <%= $dictcheck %> <% } -%> +<% if $enforce_for_root { -%> +enforce_for_root +<% } -%> +<% if $reject_username { -%> +reject_username +<% } -%> <% if $gecoscheck { -%> gecoscheck = 1 <% } -%>