Puppet Class: cis_security_hardening::rules::authselect

Defined in:
manifests/rules/authselect.pp

Summary

Create custom authselect profile (Scored)

Overview

A custom profile can be created by copying and customizing one of the default profiles. The default profiles include sssd, winbind, and nis.

Rationale: A custom profile is required to customize many of the pam options.

Examples:

class { 'cis_security_hardening::rules::authselect_profile':
  enforce        => true,
  custom_profile => 'testprofile',
  base_profile   => 'sssd',
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Sets rule enforcement. If set to true, code will be executed to bring the system into a compliant state.

  • custom_profile (Cis_security_hardening::Numbers_letters) (defaults to: '')

    Name of the custom profile to create.

  • base_profile (Enum['sssd', 'nis', 'winbind', 'minimal']) (defaults to: 'sssd')

    Base profile to use for custom profile creation

  • profile_options (Array) (defaults to: ['with-faillock'])

    The authselect features to enable.



# File 'manifests/rules/authselect.pp', line 30

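class cis_security_hardening::rules::authselect (
  Boolean $enforce                                        = false,
  Enum['sssd', 'nis', 'winbind', 'minimal'] $base_profile = 'sssd',
  Cis_security_hardening::Numbers_letters $custom_profile = '',
  Array $profile_options                                  = ['with-faillock'],
) {
  if $enforce {
    # Every exec below interpolates $custom_profile into a shell command line.
    # With the default '' the result would be "authselect select custom/ -f",
    # which is meaningless and whose failure is hidden by `returns => [0, 1]`,
    # so refuse to enforce without a profile name.
    if $custom_profile == '' {
      fail('cis_security_hardening::rules::authselect: custom_profile must not be empty when enforce is true')
    }

    $profile_dir = "/etc/authselect/custom/${custom_profile}"
    $bin_path    = ['/bin', '/usr/bin', '/sbin', '/usr/sbin']

    # Copy the base profile once; the directory test keeps this idempotent.
    exec { 'create custom profile':
      command => "authselect create-profile ${custom_profile} -b ${base_profile} --symlink-meta", #lint:ignore:security_class_or_define_parameter_in_exec lint:ignore:140chars
      path    => $bin_path,
      onlyif  => "test ! -d ${profile_dir}",
    }

    # Activate the custom profile only when it exists and is not already the
    # current one. `grep -F --` matches the name literally and prevents it from
    # being parsed as a grep option.
    exec { 'select authselect profile':
      command => "authselect select custom/${custom_profile} -f",   #lint:ignore:security_class_or_define_parameter_in_exec
      path    => $bin_path,
      onlyif  => ["test -d ${profile_dir}", "test -z \"$(authselect current | grep -F -- 'custom/${custom_profile}')\""], #lint:ignore:140chars
      # Exit status 1 is tolerated here; a profile that did not get selected is
      # caught below through the authselect.check fact instead of failing the run.
      returns => [0, 1],
      require => Exec['create custom profile'],
    }

    # Result of the module's authselect check fact; absent fact counts as 0.
    $check = fact('cis_security_hardening.authselect.check') ? {
      undef   => 0,
      default => fact('cis_security_hardening.authselect.check'),
    }

    # NOTE(review): check value 3 is treated as "custom profile not active";
    # the meaning is defined by the module's fact, confirm there.
    if $check == 3 {
      exec { 'fix authselect profile':
        command => "authselect select custom/${custom_profile} -f",   #lint:ignore:security_class_or_define_parameter_in_exec
        path    => $bin_path,
        require => Exec['create custom profile'],
      }
    }

    # Features the base profile offers, as reported by the module's fact.
    $available_features = fact('cis_security_hardening.authselect.available_features') ? {
      undef   => [],
      default => fact('cis_security_hardening.authselect.available_features'),
    }

    $profile_options.each |$opt| {
      # Pattern[] only matches Strings, so non-string array elements fail here
      # instead of reaching the shell. \A and \z anchor the whole value: ^ and $
      # only anchor a line, so a value containing a newline would pass them.
      unless $opt =~ Pattern[/\A[0-9a-zA-Z\-_.]+\z/] {
        fail("Illegal profile option: ${opt}")
      }

      if $opt in $available_features {
        # Enable the feature only on the custom profile and only if it is not
        # already listed as enabled. `grep -F --` matches literally and keeps a
        # leading '-' in the feature name from being read as a grep option.
        exec { "enable feature ${opt}":
          command => "authselect enable-feature ${opt}",
          path    => $bin_path,
          onlyif  => ["test -d ${profile_dir}", "test -z \"$(authselect current | grep -F -- '${opt}')\""],
          require => Exec['select authselect profile'],
        }
      } else {
        # Unknown features are reported, not fatal: the base profile simply
        # does not provide them.
        echo { "unavailable feature ${opt}":
          message  => "authselect: unavailable feature ${opt} with base profile ${base_profile}",
          loglevel => 'warning',
          withpath => false,
        }
      }
    }
  }
}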