Puppet Class: cis_security_hardening::rules::pam_passwd

Defined in:
manifests/rules/pam_passwd.pp

Summary

Ensure system-auth is used when changing passwords

Overview

The operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.

Rationale: Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM processes each stack from top to bottom; if the modules are not listed in the correct order, or if stack entries are not centralized in one place, an important security function could be bypassed.

Examples:

class { 'cis_security_hardening::rules::pam_passwd':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/pam_passwd.pp', line 21

class cis_security_hardening::rules::pam_passwd (
  Boolean $enforce = false,
) {
  if $enforce {
    # Make /etc/pam.d/passwd delegate its password stack to system-auth.
    # file_line matches an existing substack entry (any whitespace) and
    # rewrites it; with no match it appends the line instead of doing nothing.
    file_line { 'pam_passwd':
      ensure             => present,
      path               => '/etc/pam.d/passwd',
      match              => '^password\s+substack\s+system-auth',
      line               => 'password   substack     system-auth',
      append_on_no_match => true,
    }
  }
}
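The same check-and-fix done from the shell, as an added example that is not part of the cis_security_hardening module: it mirrors the file_line semantics above (match the substack entry, append only when absent) and takes the file path as a parameter so it can be exercised against a constructed sample instead of the live /etc/pam.d/passwd.

```shell
#!/bin/sh
# Added example (not the module's own code): idempotent check and fix
# for the 'password substack system-auth' entry in a PAM passwd stack.
# The path is passed in so the functions can run against a test file.

# Same match as the Puppet resource, written as a portable ERE.
PATTERN='^password[[:space:]]+substack[[:space:]]+system-auth'
WANTED='password   substack     system-auth'

# Return 0 when the stack already delegates password changes to system-auth.
pam_passwd_compliant() {
  grep -Eq "$PATTERN" "$1"
}

# Append the entry only when no matching line exists (append_on_no_match).
# Running this twice leaves exactly one entry in the file.
pam_passwd_enforce() {
  if pam_passwd_compliant "$1"; then
    return 0
  fi
  printf '%s\n' "$WANTED" >> "$1"
}

# Constructed sample: a passwd stack that never reaches system-auth.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
EOF

if pam_passwd_compliant "$SAMPLE"; then
  echo "already compliant"
else
  echo "non-compliant, adding substack entry"
fi
pam_passwd_enforce "$SAMPLE"
pam_passwd_enforce "$SAMPLE"   # second run is a no-op
```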