Puppet Class: psick::hardening::pam

Defined in:
manifests/hardening/pam.pp

Overview

This class manages PAM configuration (the system-auth-ac and password-auth-ac files under /etc/pam.d on RHEL 7 derivatives) and, when a template is given, /etc/login.defs. The templates are fed an options hash built from the class defaults merged with the Hiera key psick::hardening::pam::options (user values win).

Examples:

To manage /etc/login.defs with the module's template and override the default password age settings (keys under psick::hardening::pam::options are merged over the class defaults, user values winning):

psick::hardening::pam::login_defs_template: 'psick/hardening/pam/login.defs.erb'
psick::hardening::pam::options:
  password_max_age: 30
  password_min_age: 7

Parameters:

  • system_auth_template (String) (defaults to: '')

    Path of the ERB template (as used in template()) used to manage the content of /etc/pam.d/system-auth-ac. When empty, the template name is derived from the OS family and major release (psick/hardening/pam/system-auth_&lt;family&gt;&lt;major&gt;). Note: the file is only managed on RHEL 7 derivatives; on other platforms this parameter has no effect.

  • password_auth_template (String) (defaults to: '')

    Path of the ERB template (as used in template()) used to manage the content of /etc/pam.d/password-auth-ac. When empty, the template name is derived from the OS family and major release (psick/hardening/pam/password-auth_&lt;family&gt;&lt;major&gt;). Note: the file is only managed on RHEL 7 derivatives; on other platforms this parameter has no effect.

  • login_defs_template (String) (defaults to: '')

    Path of the ERB template (as used in template()) used to manage the content of /etc/login.defs; the file is written as root:root with mode 0400. If empty, the file is not managed.

  • manage (Boolean) (defaults to: $psick::manage) — If false, the class declares no resources at all.
  • noop_manage (Boolean) (defaults to: $psick::noop_manage) — If true, noop($noop_value) is called before any resource is declared.
  • noop_value (Boolean) (defaults to: $psick::noop_value) — The value passed to noop() when noop_manage is true.


# File 'manifests/hardening/pam.pp', line 27

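# @summary Manages PAM configuration (system-auth-ac / password-auth-ac on
#   RHEL 7 derivatives) and optionally /etc/login.defs.
#
# The managed files are rendered from ERB templates. A hash of settings is
# built from the class defaults merged with the Hiera key
# psick::hardening::pam::options (user values win); the templates are
# expected to read it (presumably as @options -- the templates are not
# visible here, verify against them).
#
# @param system_auth_template
#   ERB template path (as used by template()) for /etc/pam.d/system-auth-ac.
#   Empty: derived from OS family and major release.
# @param password_auth_template
#   ERB template path for /etc/pam.d/password-auth-ac. Empty: derived from
#   OS family and major release.
# @param login_defs_template
#   ERB template path for /etc/login.defs. Empty: the file is not managed.
# @param manage If false, nothing is managed.
# @param noop_manage If true, noop($noop_value) is called.
# @param noop_value Value handed to noop() when $noop_manage is true.
class psick::hardening::pam (
  String $system_auth_template   = '', # lint:ignore:params_empty_string_assignment
  String $password_auth_template = '', # lint:ignore:params_empty_string_assignment
  String $login_defs_template    = '', # lint:ignore:params_empty_string_assignment
  Boolean $manage                = $psick::manage,
  Boolean $noop_manage           = $psick::noop_manage,
  Boolean $noop_value            = $psick::noop_value,
) {
  if $manage {
    if $noop_manage {
      noop($noop_value)
    }

    # User overrides come from Hiera; 'deep' merges them across hierarchy
    # levels before they are laid over the defaults below.
    $options_user = lookup('psick::hardening::pam::options', Hash, 'deep', {})
    $options_default = {
      umask                    => '027',
      password_max_age         => 60,
      password_min_age         => 7,
      # NOTE(review): key name is misspelt (warb vs warn) but the templates
      # may reference it by this exact name, so it is deliberately kept.
      password_warb_age        => 7,
      ttygroup                 => 'tty',
      ttyperm                  => '0600',
      uid_min                  => 1000,
      uid_max                  => 60000,
      gid_min                  => 1000,
      gid_max                  => 60000,
      encrypt_method           => 'SHA512',
      login_retries            => 5,
      login_timeout            => 60,
      sha_crypt_max_rounds     => 10000,
      chfn_restrict            => '',
      allow_login_without_home => false,
      additional_user_paths    => '',
    }
    # Shallow merge: a user-supplied key replaces the default for that key.
    $options = merge($options_default, $options_user)

    # Default template names carry the OS family and major release, e.g.
    # psick/hardening/pam/system-auth_RedHat7.
    $os_suffix = "${facts['os']['family']}${facts['os']['release']['major']}"
    $real_system_auth_template = $system_auth_template ? {
      ''      => "psick/hardening/pam/system-auth_${os_suffix}",
      default => $system_auth_template,
    }
    $real_password_auth_template = $password_auth_template ? {
      ''      => "psick/hardening/pam/password-auth_${os_suffix}",
      default => $password_auth_template,
    }

    if $login_defs_template != '' {
      # NOTE(review): 0400 is stricter than the usual distribution default
      # for login.defs; confirm no unprivileged tool on the targets needs to
      # read it before relying on this.
      file { '/etc/login.defs':
        ensure  => file,
        content => template($login_defs_template),
        owner   => root,
        group   => root,
        mode    => '0400',
      }
    }

    # Only RHEL 7 derivatives are supported. The *-ac files are written; this
    # class does not manage /etc/pam.d/system-auth and password-auth
    # themselves, so they are assumed to point at the *-ac files (authconfig
    # layout) -- verify on the targets.
    if $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '7' {
      $pam_files = {
        '/etc/pam.d/system-auth-ac'   => $real_system_auth_template,
        '/etc/pam.d/password-auth-ac' => $real_password_auth_template,
      }
      $pam_files.each |String $path, String $tpl| {
        # Ownership and mode are pinned so a hardening run also corrects
        # drift: PAM config must stay root-owned and not group/world writable.
        # It stays world-readable because libpam reads it in the context of
        # the (possibly unprivileged) calling process.
        file { $path:
          ensure  => file,
          content => template($tpl),
          owner   => root,
          group   => root,
          mode    => '0644',
        }
      }
    }
  }
}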