Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-pam', '6.10.0'
Learn more about managing modules with a Puppetfile in the Puppetfile documentation.
Overview
This module configures PAM in an authoritative, but flexible, manner.
See REFERENCE.md for API details.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.
Module Description
This module provides a reasonably safe configuration of the main PAM stack focused on common security and compliance settings. Care has been taken to provide a significant set of switches and override mechanisms in order to provide for user flexibility.
Setup
Setup Requirements
No special dependencies are required for core functionality of this module.
You will need to download the simp/oath module if you want to use the EXPERIMENTAL OATH (TOTP/HOTP) support.
What pam Affects
The pam module modifies various settings in the /etc/pam.d/ and /etc/security directories related to user logins via various authentication methods.
Usage
Basic Usage
To set up PAM using a sane set of defaults, you can simply include the pam class as follows:
include 'pam'
This will set up PAM with the following capabilities:
- pwquality settings
- faillock support with auto-unlocking
- Password hash algorithm strengthening
- Password history management
- Automatic home directory creation
- User TTY auditing (only root by default)
- Overall default deny
Restricting System Logins (pam_access)
To set up a 'default deny' policy for your system (local root logins are always allowed):
include 'pam::access'
Managing System Access
There are two methods for allowing users/groups into the system. The first is to use the pam::access::rule defined type. The parameters are named after their counterparts as defined in access.conf(5).
pam::access::rule { 'Allow Security Group from Anywhere':
users => ['(security)'],
origins => ['ALL']
}
pam::access::rule { 'Allow Alice from Home':
users => ['alice'],
origins => ['alice.home.net']
}
pam::access::rule { 'Allow Bob from Local':
users => ['bob'],
origins => ['LOCAL'],
order => 2000
}
pam::access::rule { 'Deny Bob from Remote':
users => ['bob'],
origins => ['ALL'],
permission => '-',
order => 2001
}
The second method is to define the access list as a Hash directly in Hiera:
---
pam::access::users:
  defaults:
    origins:
      - ALL
    permission: "+"
  "(security)":
  alice:
    origins:
      - 'alice.home.net'
  # Note, the hiera method is not as flexible so we needed to use the 'bob'
  # group so that we could properly restrict the 'bob' user.
  "(bob)":
    origins:
      - 'LOCAL'
    order: 2000
  'bob':
    permission: "-"
    order: 2001
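As an added example (not code from the simp-pam module), the following Python models what the two forms above produce: the rules are rendered into access.conf lines in order sequence (ties sorted by name, as the order parameter documents), pam::access appends a default-deny line last, and pam_access stops at the first matching line. The matcher is a simplified model of pam_access(8), and GROUPS, the probe origins and the LOCAL handling are constructed assumptions.

```python
"""Model of first-match-wins evaluation of /etc/security/access.conf.

Added example, not code from the simp-pam module.  RULES are the
'Managing System Access' rules from the README as (order, name,
permission, users, origins); the final entry stands in for the rule
pam::access::default_deny appends.  The matcher is a simplified model
of pam_access(8): exact user names, (group) membership, ALL,
'X EXCEPT Y' lists, and origins ALL, LOCAL (an origin with no '.',
e.g. a tty) or an exact host name.
"""

# Constructed from the README's pam::access::rule resources. Order 1000 is
# the module default; two rules with equal order are sorted by name.
RULES = [
    (1000, "Allow Security Group from Anywhere", "+", ["(security)"], ["ALL"]),
    (1000, "Allow Alice from Home", "+", ["alice"], ["alice.home.net"]),
    (2000, "Allow Bob from Local", "+", ["bob"], ["LOCAL"]),
    (2001, "Deny Bob from Remote", "-", ["bob"], ["ALL"]),
    (9999999999, "default deny", "-", ["ALL"], ["ALL"]),  # pam::access::default_deny
]

# Constructed group membership (assumption); a real check would use getgrnam().
GROUPS = {"security": {"carol"}, "bob": {"bob"}}


def render_access_conf(rules, separator=","):
    """Render rules as access.conf lines, ordered the way the module's concat
    fragments are: by order, then alphanumerically by name. The separator is
    pam::separator (',' by default)."""
    return [
        f"{perm}:{separator.join(users)}:{separator.join(origins)}"
        for _order, _name, perm, users, origins in sorted(rules, key=lambda r: (r[0], r[1]))
    ]


def _user_item(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return user in groups.get(item[1:-1], set())
    return item == user


def _origin_item(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":          # simplified: LOCAL matches an origin with no '.'
        return "." not in origin
    return item == origin


def _field_matches(field, match_one, separator):
    """pam_access list semantics: 'a,b' matches if any item matches;
    'X EXCEPT Y' matches if X matches and Y does not."""
    if " EXCEPT " in field:
        base, excluded = field.split(" EXCEPT ", 1)
        return (_field_matches(base, match_one, separator)
                and not _field_matches(excluded, match_one, separator))
    return any(match_one(item.strip()) for item in field.split(separator))


def check_access(lines, user, origin, groups=GROUPS, separator=","):
    """Return (allowed, matching_line). The FIRST matching line decides; if
    nothing matches, pam_access grants access, which is why the module ends
    the file with a default deny."""
    for line in lines:
        perm, users, origins = line.split(":", 2)
        if (_field_matches(users, lambda i: _user_item(i, user, groups), separator)
                and _field_matches(origins, lambda i: _origin_item(i, origin), separator)):
            return perm == "+", line
    return True, None


def decisions(rules=RULES):
    """Evaluate a few constructed logins against the rendered file."""
    lines = render_access_conf(rules)
    probes = [("carol", "anywhere.example.net"), ("alice", "alice.home.net"),
              ("alice", "cafe.example.net"), ("bob", "tty1"), ("bob", "bob.home.net")]
    return {f"{u}@{o}": check_access(lines, u, o) for u, o in probes}


if __name__ == "__main__":
    for line in render_access_conf(RULES):
        print(line)
    for who, (ok, rule) in decisions().items():
        print(f"{who:28} {'ALLOW' if ok else 'DENY ':5} via {rule}")
```

Swapping the order values of Bob's two rules makes the remote deny line come first, so Bob is refused even at the console; this is the ordering pitfall the Hiera comment works around with the '(bob)' group.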
Restricting Resource Usage (pam_limits)
To activate management of various PAM resource limits via /etc/security/limits.conf:
include 'pam::limits'
You can then use the module to restrict resource limits for logged-in users, in accordance with the pam_limits(8) documentation.
pam::limits::rule { 'Limit Number of Processes for all Users':
domains => ['*'],
type => 'soft',
item => 'nproc',
value => 50
}
The second method is to define the rule list as a Hash directly in Hiera:
---
pam::limits::rules:
  disable_core_for_all:
    domains:
      - '*'
    type: 'hard'
    item: 'core'
    value: 0
    order: 100
Restricting su to the wheel Group
To restrict the use of su to the wheel group:
include 'pam::wheel'
You can change the target group by updating the value of pam::wheel::wheel_group via Hiera.
Development
Please read our Contribution Guide
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes
- BEAKER_debug: show the commands being run on the SUT and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
- BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
- pam: Ensure that reasonable PAM security options are applied.
- pam::access: Set up /etc/security/access.conf with a default to allow root to login locally.
- pam::access::default_deny: Add a "default deny" rule to pam_access
- pam::config: Configuration class called from pam.
- pam::install: Install the required PAM packages
- pam::limits: Set up /etc/security/limits.conf
- pam::wheel: Enable wheel restrictions for su access
Defined types
- pam::access::rule: Set up entries in /etc/security/access.conf
- pam::auth: Set up the various -auth files in /etc/pam.d.
- pam::limits::rule: domain type item value resource limiting sets as defined in limits.conf(5).
Data types
- Pam::AccountUnlockTime: Valid account unlock values
- Pam::AuthSections: Valid PAM auth sections
- Pam::HashAlgorithm: Valid PAM password hash algorithms
- Pam::Limits::Item: Valid PAM limits
- Pam::Limits::Value: Valid PAM limit values
- Pam::PasswordBackends: Valid PAM password validation backends
Classes
pam
Ensure that reasonable PAM security options are applied. It also takes into account the global SIMP settings for LDAP and SSSD.
Many options are exposed here that may affect a large number of lower-level PAM module settings. This is done to provide continuity across the PAM stack where possible.
Parameters
The following parameters are available in the pam class:
password_check_backend
locale_file
cracklib_difok
cracklib_maxrepeat
cracklib_maxsequence
cracklib_maxclassrepeat
cracklib_gecoscheck
cracklib_enforce_for_root
cracklib_dcredit
cracklib_ucredit
cracklib_lcredit
cracklib_ocredit
cracklib_minclass
cracklib_minlen
cracklib_reject_username
cracklib_retry
cracklib_badwords
cracklib_dictpath
rm_pwquality_conf_d
deny
faillock
display_account_lock
fail_interval
homedir_umask
remember
remember_retry
remember_for_root
even_deny_root
root_unlock_time
hash_algorithm
rounds
uid
unlock_time
preserve_ac
warn_if_unknown
oath
oath_window
deny_if_unknown
use_netgroups
use_openshift
sssd
tty_audit_users
su_content
other_content
auth_sections
fingerprint_auth_content
system_auth_content
password_auth_content
smartcard_auth_content
enable
enable_warning
enable_separator
separator
disable_authconfig
package_ensure
password_check_backend
Data type: Pam::PasswordBackends
The password checking library to use
- The default is based on the OS being targeted and is pulled from module data
locale_file
Data type: Optional[Stdlib::Absolutepath]
The path to the locale configuration file on the system
- Explicitly set to undef to disable
Default value: undef
cracklib_difok
Data type: Integer[0]
The number of character changes between the old password and the new password that are enough to accept the new password
Default value: 4
cracklib_maxrepeat
Data type: Integer[0]
Reject passwords which contain more than this many of the same consecutive characters
Default value: 2
cracklib_maxsequence
Data type: Integer[0]
Reject passwords which contain monotonic character sequences longer than this
- The default is 0 which means that this check is disabled. Examples of such sequences are 12345 or fedcb
- Most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password
Default value: 4
cracklib_maxclassrepeat
Data type: Integer[0]
Reject passwords which contain more than this many consecutive characters of the same class
- Character classes include:
- Upper Case
- Lower Case
- Digit
- Special Character
Default value: 3
cracklib_gecoscheck
Data type: Boolean
Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password
Default value: true
cracklib_enforce_for_root
Data type: Boolean
Enforce all password check settings for the root user
Default value: true
cracklib_dcredit
Data type: Integer
The required credit for having digits in the new password
- For positive integers: if you have N or fewer digits, each digit will count +1 towards meeting the current minlen value
- For negative integers: the minimum number of digits that must be met for a new password
Default value: -
cracklib_ucredit
Data type: Integer
The required credit for having upper case letters in the new password
- For positive integers: if you have N or fewer upper case characters, each character will count +1 towards meeting the current minlen value
- For negative integers: the minimum number of upper case characters that must be met for a new password
Default value: -
cracklib_lcredit
Data type: Integer
The required credit for having lower case letters in the new password
- For positive integers: if you have N or fewer lower case characters, each character will count +1 towards meeting the current minlen value
- For negative integers: the minimum number of lower case characters that must be met for a new password
Default value: -
cracklib_ocredit
Data type: Integer
The required credit for having special characters in the new password
- For positive integers: if you have N or fewer special characters, each character will count +1 towards meeting the current minlen value
- For negative integers: the minimum number of special characters that must be met for a new password
Default value: -
cracklib_minclass
Data type: Integer[0]
The minimum number of required classes for the new password
- The four classes are digits, upper and lower letters and other characters
- The difference to the credit check is that a specific class of characters is not required. Instead N out of the four classes are required.
Default value: 3
cracklib_minlen
Data type: Integer[0]
The minimum acceptable size for the new password (plus one if credits are not disabled)
Default value: 15
cracklib_reject_username
Data type: Boolean
Don't let the username be used in password
Default value: true
cracklib_retry
Data type: Integer[0]
Prompt user at most N times before returning with error
Default value: 3
cracklib_badwords
Data type: Optional[Array[String[1],1]]
Array of words that must not be contained in the password. These are additional words to the cracklib dictionary check.
Default value: undef
cracklib_dictpath
Data type: Optional[StdLib::Absolutepath]
Path to the cracklib dictionaries. Default is to use the cracklib default.
Default value: undef
rm_pwquality_conf_d
Data type: Boolean
Remove the /etc/security/pwquality.conf.d directory and all contents.
- This ensures authoritative management of pwquality without the ability of users to override our settings directly on the system.
Default value: true
deny
Data type: Integer[0]
The number of failed attempts before PAM denies a user from logging in
Default value: 5
faillock
Data type: Boolean
Enable or disable the use of faillock
Default value: true
display_account_lock
Data type: Boolean
Display to the remote user that their account has been locked
Default value: false
fail_interval
Data type: Integer[0]
Sets the time until the check fails
Default value: 900
homedir_umask
Data type: Simplib::Umask
Sets the file mode creation mask of the user home directories
Default value: '0077'
remember
Data type: Integer[0]
The last N passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently
Default value: 24
remember_retry
Data type: Integer[0]
Allow this many retries
Default value: 1
remember_for_root
Data type: Boolean
Remember the last $remember passwords for the root user
Default value: true
even_deny_root
Data type: Boolean
Enforce an account lockout for the root account
Default value: true
root_unlock_time
Data type: Integer[0]
Allow access after N seconds to root account after failed attempt
- Has no effect if even_deny_root is not set
Default value: 60
hash_algorithm
Data type: Pam::HashAlgorithm
The password hashing algorithm to use
Default value: 'sha512'
rounds
Data type: Integer[0]
Set the optional number of rounds of the SHA256, SHA512 and Blowfish password hashing algorithms to N
Default value: 10000
uid
Data type: Integer[0]
Allow user logins for users with UID higher than N
Default value: simplib::lookup('simp_options::uid::min', { 'default_value' => pick(fact('login_defs.uid_min'), 1000) })
unlock_time
Data type: Pam::AccountUnlockTime
Allow access after N seconds to user account after failed attempt
Default value: 900
preserve_ac
Data type: Boolean
Keep the original -ac files around for reference
Default value: false
warn_if_unknown
Data type: Boolean
If you make it to the other PAM configuration file, then provide a warning that the login method was uncaught by other PAM stacks
Default value: true
oath
Data type: Boolean
Configures to use pam_oath TOTP in the system-auth pam stack. EXPERIMENTAL: Inherits from simp_options::oath, defaults to false if not found.
- WARNING: pupmod-simp-oath is a dependency of this option. If this is set to true without the oath module, you will be unable to log in locally!
Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })
oath_window
Data type: Integer[0]
Sets the TOTP window (Defined in RFC 6238 section 5.2)
Default value: 1
deny_if_unknown
Data type: Boolean
If true, deny any access to an application that falls all the way through the PAM stack to other
Default value: true
use_netgroups
Data type: Boolean
Set PAM up to use NIS netgroups.
Default value: false
use_openshift
Data type: Boolean
Set PAM to work with OpenShift
Default value: false
sssd
Data type: Boolean
Set PAM to work with SSSD
Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false})
tty_audit_users
Data type: Array[String[0]]
The users for which TTY auditing is enabled
- Set to an empty Array to not audit TTY actions for any user
Default value: [ 'root' ]
su_content
Data type: Optional[String]
The content that should be used to fill /etc/pam.d/su instead of the templated content
Default value: undef
other_content
Data type: Optional[String]
The content that should be used to fill /etc/pam.d/other instead of the templated content
Default value: undef
auth_sections
Data type: Pam::AuthSections
The PAM *-auth files to manage
- Set to an empty Array to not manage any sections
Default value: [ 'fingerprint', 'system', 'password', 'smartcard' ]
fingerprint_auth_content
Data type: Optional[String]
The content that should be used to fill /etc/pam.d/fingerprint_auth instead of the templated content
Default value: undef
system_auth_content
Data type: Optional[String]
The content that should be used to fill /etc/pam.d/system_auth instead of the templated content
Default value: undef
password_auth_content
Data type: Optional[String]
The content that should be used to fill /etc/pam.d/password_auth instead of the templated content
Default value: undef
smartcard_auth_content
Data type: Optional[String]
The content that should be used to fill /etc/pam.d/smartcard_auth instead of the templated content
Default value: undef
enable
Data type: Boolean
If you have included this module but want it to stop managing your configuration files, set this to false
Default value: true
enable_warning
Data type: Boolean
Will issue a warning if this module is included but the global catalyst simp_options::pam is set to false
Default value: true
enable_separator
Data type: Boolean
Enable a custom list separator. WARNING this setting may break pam_access on some platforms. Use with caution
Default value: true
separator
Data type: String[0]
Separator to use for user and origin lists
Default value: ','
disable_authconfig
Data type: Boolean
Disable authconfig from being used, as it breaks this module's reconfiguration of PAM.
Default value: true
package_ensure
Data type: Simplib::PackageEnsure
Ensure setting for all packages installed by this module
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })
pam::access
Use pam::access::rule to manage access.conf entries and remember that order matters (first match wins)!
- See also access.conf(5)
Parameters
The following parameters are available in the pam::access class:
default_deny
Data type: Boolean
Add a "default deny" rule as the last match of the rule set
Default value: true
users
Data type: Optional[Hash]
A hash that can be used to create several pam::access::rule resources set in Hiera. Each member of the hash will be a resource (this example is from hiera):
pam::access::users:
  defaults:
    origins:
      - ALL
    permission: '+'
  vagrant:
  '(simp)':
  test:
    origins:
      - 192.168.0.1/24
  baddude:
    permission: '-'
Default value: undef
access_file_mode
Data type: Stdlib::Filemode
File mode for /etc/security/access.conf
Default value: '0644'
pam::access::default_deny
Always allow root locally for safety
pam::config
Configuration class called from pam.
pam::install
Install the required PAM packages
pam::limits
Add entries with pam::limits::rule
- See also limits.conf(5)
Parameters
The following parameters are available in the pam::limits class:
rules
Data type: Optional[Hash]
A Hash that can be used to create pam::limits::rule resources via Hiera.
- The Hash must be formatted suitably for passing directly into create_resource()
- Remember that order matters:
Example: Hiera formatted rules
pam::limits::rules:
  disable_core_for_user1:
    domains:
      - 'user1'
    type: 'hard'
    item: 'core'
    value: 0
    order: 50
  disable_core_for_all:
    domains:
      - '*'
    type: 'hard'
    item: 'core'
    value: 0
    order: 100
Default value: undef
pam::wheel
Enable wheel restrictions for su access
- See also pam_wheel(8)
Parameters
The following parameters are available in the pam::wheel class:
wheel_group
Data type: String[1]
What group should be the wheel equivalent
Default value: 'wheel'
root_only
Data type: Boolean
Only enforce wheel restrictions when changing to the root user
Default value: false
use_openshift
Data type: Boolean
Whether or not to configure things in such a way that the openshift puppet code is compatible
Default value: $pam::use_openshift
content
Data type: Optional[String[1]]
Optional custom content for file
Default value: $pam::su_content
Defined types
pam::access::rule
These entries are the permission:users:origins sets as defined in access.conf(5).
- See also access.conf(5)
Examples
Add administrator group access
pam::access::rule { 'administrators':
permission => '+',
users => ['(administrators)'],
origins => ['ALL'],
order => 1000
}
Add everyone except group bad_guys
pam::access::rule { 'bad_guys':
permission => '+',
users => ['ALL EXCEPT (bad_guys)'],
origins => ['ALL'],
order => 1000
}
Add everyone except the hippopotamus
pam::access::rule { 'but_not_the_hippopotamus':
permission => '+',
users => ['ALL EXCEPT hippopotamus'],
origins => ['ALL'],
order => 1000
}
Allow group auditors from two specific hosts
pam::access::rule { 'auditors_from_trusted_nodes':
permission => '+',
users => ['(auditors)'],
origins => ['1.2.3.4','5.6.7.8'],
order => 1000
}
Parameters
The following parameters are available in the pam::access::rule defined type:
name
Data type: String
A unique name for the resource
comment
Data type: Optional[String]
A comment to include with this entry
Default value: undef
permission
Data type: Enum['+','-']
If +, grant access. If -, revoke access
Default value: '+'
users
Data type: Array[String]
The users, groups, or netgroups to allow access to the system.
Syntax:
```
user => username
group => (groupname)
netgroup => @netgroup
```
- Entries are not validated so complex expressions are allowed such as ALL EXCEPT (bad_guys)
origins
Data type: Array[String]
The locations from which users are allowed to login to the system
- See access.conf(5) for the full list
order
Data type: Integer[1,9999999999]
The order in which you want this rule to appear
- If you do not specify an order, the rules will be listed in alphanumeric order by name
Default value: 1000
pam::auth
This is only meant to be called via the main pam class. Documentation is identical to that in the pam class.
If you want to change the umask on dynamically created home directories, you'll need to set oddjob::mkhomedir::umask.
Parameters
The following parameters are available in the pam::auth defined type:
password_check_backend
locale_file
cracklib_enforce_for_root
cracklib_reject_username
cracklib_difok
cracklib_maxrepeat
cracklib_maxsequence
cracklib_maxclassrepeat
cracklib_gecoscheck
cracklib_dcredit
cracklib_ucredit
cracklib_lcredit
cracklib_ocredit
cracklib_minclass
cracklib_minlen
cracklib_retry
oath
oath_window
deny
faillock
display_account_lock
fail_interval
remember
remember_retry
remember_for_root
even_deny_root
root_unlock_time
hash_algorithm
rounds
uid
unlock_time
preserve_ac
use_netgroups
use_openshift
sssd
tty_audit_users
separator
enable_separator
content
password_check_backend
Data type: Pam::PasswordBackends
Default value: $pam::password_check_backend
locale_file
Data type: Optional[Stdlib::Absolutepath]
Default value: $pam::locale_file
cracklib_enforce_for_root
Data type: Boolean
Default value: $pam::cracklib_enforce_for_root
cracklib_reject_username
Data type: Boolean
Default value: $pam::cracklib_reject_username
cracklib_difok
Data type: Optional[Integer[0]]
Default value: $pam::cracklib_difok
cracklib_maxrepeat
Data type: Optional[Integer[0]]
Default value: $pam::cracklib_maxrepeat
cracklib_maxsequence
Data type: Optional[Integer[0]]
Default value: $pam::cracklib_maxsequence
cracklib_maxclassrepeat
Data type: Optional[Integer[0]]
Default value: $pam::cracklib_maxclassrepeat
cracklib_gecoscheck
Data type: Optional[Boolean]
Default value: $pam::cracklib_gecoscheck
cracklib_dcredit
Data type: Optional[Integer]
Default value: $pam::cracklib_dcredit
cracklib_ucredit
Data type: Optional[Integer]
Default value: $pam::cracklib_ucredit
cracklib_lcredit
Data type: Optional[Integer]
Default value: $pam::cracklib_lcredit
cracklib_ocredit
Data type: Optional[Integer]
Default value: $pam::cracklib_ocredit
cracklib_minclass
Data type: Optional[Integer[0]]
Default value: $pam::cracklib_minclass
cracklib_minlen
Data type: Optional[Integer[0]]
Default value: $pam::cracklib_minlen
cracklib_retry
Data type: Integer[0]
Default value: $pam::cracklib_retry
oath
Data type: Boolean
Default value: $pam::oath
oath_window
Data type: Integer[0]
Default value: $pam::oath_window
deny
Data type: Integer[0]
Default value: $pam::deny
faillock
Data type: Boolean
Default value: $pam::faillock
display_account_lock
Data type: Boolean
Default value: $pam::display_account_lock
fail_interval
Data type: Integer[0]
Default value: $pam::fail_interval
remember
Data type: Integer[0]
Default value: $pam::remember
remember_retry
Data type: Integer[0]
Default value: $pam::remember_retry
remember_for_root
Data type: Boolean
Default value: $pam::remember_for_root
even_deny_root
Data type: Boolean
Default value: $pam::even_deny_root
root_unlock_time
Data type: Integer[0]
Default value: $pam::root_unlock_time
hash_algorithm
Data type: Pam::HashAlgorithm
Default value: $pam::hash_algorithm
rounds
Data type: Integer[0]
Default value: $pam::rounds
uid
Data type: Integer[0]
Default value: $pam::uid
unlock_time
Data type: Pam::AccountUnlockTime
Default value: $pam::unlock_time
preserve_ac
Data type: Boolean
Default value: $pam::preserve_ac
use_netgroups
Data type: Boolean
Default value: $pam::use_netgroups
use_openshift
Data type: Boolean
Default value: $pam::use_openshift
sssd
Data type: Boolean
Default value: $pam::sssd
tty_audit_users
Data type: Array[String[0]]
Default value: $pam::tty_audit_users
separator
Data type: String[0]
Default value: $pam::separator
enable_separator
Data type: Boolean
Default value: $pam::enable_separator
content
Data type: Optional[String]
Default value: undef
pam::limits::rule
Be aware that order matters and the LAST item that matches in the limits.conf file will take effect.
- See also limits.conf(5)
Examples
Enforce hard and soft disable on core dumps
pam::limits::rule { 'limit_core':
domains => ['*'],
type => '-',
item => 'core',
value => 0,
order => 1
}
Only allow 2 administrators to login at once
pam::limits::rule { 'limit_admins':
domains => ['%administrators', '%wheel'],
type => 'hard',
item => 'maxlogins',
value => 2,
order => 1
}
Parameters
The following parameters are available in the pam::limits::rule defined type:
name
Data type: String
A descriptive name for your resource
domains
Data type: Array[String]
The domains to which these limits should apply
- One entry will be created per domain, in listed order
- See the <domain> section of limits.conf(5) for details
item
Data type: Pam::Limits::Item
The item to which these limits should apply
- See the <item> section of limits.conf(5) for details
value
Data type: Pam::Limits::Value
The value to apply to the item and domains
- See the <item> section of limits.conf(5) for details
type
Data type: Enum['hard','soft','-']
The type to apply to the item and domains
- See the <type> section of limits.conf(5) for details
Default value: '-'
order
Data type: Integer[0]
The order in which this rule should appear
- If you don't specify an order, the rules will be listed in alphanumeric order by name
Default value: 1000
Data types
Pam::AccountUnlockTime
Valid account unlock values
Alias of
Variant[Integer[0], Enum['never']]
Pam::AuthSections
Valid PAM auth sections
Alias of
Array[Enum[
'fingerprint',
'system',
'password',
'smartcard'
]]
Pam::HashAlgorithm
Valid PAM password hash algorithms
Alias of
Enum['md5', 'bigcrypt', 'sha256', 'sha512', 'blowfish']
Pam::Limits::Item
Valid PAM limits
Alias of
Enum['core', 'data', 'fsize', 'memlock', 'nofile', 'rss', 'stack', 'cpu', 'nproc', 'as', 'maxlogins', 'maxsyslogins', 'priority', 'locks', 'sigpending', 'msgqueue', 'nice', 'rtprio']
Pam::Limits::Value
Valid PAM limit values
Alias of
Variant[Enum['unlimited','infinity'], Integer]
Pam::PasswordBackends
Valid PAM password validation backends
Alias of
Enum['cracklib', 'pwquality']
- Thu Aug 26 2021 Kendall Moore kendall.moore@onyxpoint.com - 6.10.0
- Add pre section content for auth files
- Add extra content for su
- Wed Aug 04 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.9.1
- Silence unnecessary TTY messages
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.9.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Tue Jun 08 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.9.0
- Fixed
- Added default Hiera deep merges for pam::access::users and pam::limits::rules based on user feedback
- Wed Dec 23 2020 Jeanne Greulich jeannegreulich@onyxpoint.com - 6.8.3-0
- Fixed a bug in the system-auth configuration file in which it did not skip pam_tty_audit if the login did not have a tty. This caused service logins to fail, specifically the gdm service.
- Removed support for EL6.
- Set the quiet parameter when doing pam_listfile lookups in auth.pp so that users don't end up with warnings in the logs that look like authentication failures
- Tue Aug 25 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.2-0
- Use the fixed simplib__auditd fact for toggling pam_tty_audit
- Wed Aug 05 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.1-0
- Ensure that pam_tty_audit is optional if auditing is not enabled on the system
- Wed May 27 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.8.0-0
- Add the ability to specify pam::limits::rules via Hiera
- Wed Mar 25 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.7.1-0
- Moved the pam_unix.so check before the pam_sss.so check in the password section of the auth files otherwise it returns an "authentication token manipulation" error and local passwords can not be changed.
- Fri Feb 28 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.7.0-0
- Ignore authconfig disable on EL8. Authconfig was replaced with authselect and authselect does not overwrite settings unless you select --force option.
- Tue Dec 24 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.7.0-0
- Add EL8 support
- Remove installation of pam_pkcs11 and fprintd-pam by default since they not actually required for basic functionality
- Update documentation for 'puppet strings'
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.7.0-0
- Support puppetlabs/concat 6.x.
- Thu Jun 06 2019 Steven Pritchard steven.pritchard@onypoint.com - 6.6.0-0
- Add v2 compliance_markup data
- Mon Apr 29 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.0-0
- Fix bug where the ending faillock items were not being called due to the 'sufficient' lines on pam_unix and pam_sssd.
- Add option to allow users to disable faillock if desired
- Fix bug where 'authsucc' was not set at the end of the 'auth' section for faillock (SIMP-6306)
- Update all comments for puppet strings
- Converted all templates to EPP for performance
- Fully updated the README
- Tue Apr 16 2019 Zach turtles.be.the.best@gmail.com - 6.5.0-0
- Add totp support through pam_oath
- Fri Mar 15 2019 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.4.0-0
- Added pam::access::access_file_mode parameter to allow users to manage access.conf file permissions
- Updated lower bound on stdlib to 4.22.0 to add Filemode strong type support
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.3.1-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated a URL in the README.md
- Thu Oct 04 2018 Zach turtles.be.the.best@gmail.com - 6.3.0-0
- Fix 'faillock' bug in system-auth
- Update badges and contribution guide URL in README.md
- Tue Sep 11 2018 Steven Pritchard steven.pritchard@onyxpoint.com - 6.3.0-0
- Fix *_auth_content pam class parameters
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.3.0-0
- Update Hiera 4 to Hiera 5
- Fri Jul 20 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0
- Added the reading of the system locale settings during the session activation of users.
- Thu Jul 12 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0-0
- Add support for OEL and Puppet 5
- Mon Apr 30 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.1-0
- Allow users to change the password hash algorithm
- Allow users to enable/disable enforcing password policies for root
- Update compliance tests to work with inspec profiles and compliance engine enforcement.
- Mon Apr 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0
- Set the default cracklib_maxclassrepeat to 3.
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Fri Feb 09 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.2.0-0
- Update the pam::unlock_time parameter to accept 'never' as a value per the man page and in accordance with the DISA STIG
- Wed Jan 24 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Replace authconfig and authconfig-tui links to a no-op script, instead of removing them. This does not break tools that use authconfig.
- Use simp_options::package_ensure, when available
- Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Set the minimum UID allowed onto the system to the default defined in /etc/login.defs or 1000 if not otherwise defined
- Fri Sep 22 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.1.0-0
- Changed password checking from pam_cracklib.so to pam_pwquality.so for EL7
- Fri Sep 22 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 6.1.0-0
- Enable pam_tty_audit for sudo
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0
- Add concat dependency to metadata.json
- Update concat dependency in build/rpm_metadata/requires
- Tue May 23 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.3-0
- Fixed docs in pam::limits::rule
- Update puppet requirement in metadata.json
- Wed Apr 05 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0
- fixed puppet strings documentation in access.pp
- Mon Mar 15 2017 Nicholas Hughes nicholasmhughes@gmail.com - 6.0.1-0
- corrected location of authconfig binaries
- Mon Feb 13 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0
- When using a list separator, you can't have spaces between identifiers in access.conf if your separator is not a space. It then includes the spaces as part of the name, so we are removing spaces from the access file. Dylan also added changes that wrap the use of the separator in a boolean.
- Tue Jan 17 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0
- Added feature to add pam::access::manage resources from hiera
- Thu Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Changed the following for the SSG:
  - minimum length now set to 15
- Wed Dec 21 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0
- corrected error for lookup
- Fixed comments and aligned variables to make it look pretty.
- update simplib version to include new types.
- renamed pam::access::manage to pam::access::rule
- renamed pam::limits::add to pam::limits::rule
- Added strong types and updated Global catalists.
- Removed NSCD logic.
- Wed Nov 30 2016 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0
- Added a generic content option to replace all templated PAM configurations
  - Setting use_templates to false will enable them
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Thu Aug 25 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.5-0
- Update to pam_pwhistory.so to fix local user login failures due to SELinux policy updates affecting /etc/security/opasswd in EL7.
- Mon Aug 15 2016 Nick Miller nick.miller@onyxpoint.com - 4.2.4-0
- Reverted STIG password policy compliance changes
- Fri Aug 05 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.3-0
- Updated system-auth values to be STIG compliant.
- Thu Jul 07 2016 Liz Nemsick elizabeth.nemsick@uscontracting.us - 4.2.2-0
- Added use of pam_tty_audit in system-auth, password-auth, and fingerprint-auth.
- Updated module to use new rake helper to auto-generate RPM .spec file.
- Fixed bug related to pam::display_account_lock.
- Wed Mar 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0
- Move pam_oddjob_mkhomedir below pam_sssd in the stack due to an odd SELinux-related bug which prevented users from logging into systems via SSH.
- Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-0
- Ensure that EL6.7+ uses SSSD over NSCD
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-14
- Added compliance function support
- Wed Nov 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Updated to enable SSSD properly now that most of the major items have been resolved upstream.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-13
- Migration to simplib and simpcat (lib/ only)
- Tue Oct 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12
- Removed all calls to the lsb facts and replaced them with 'operatingsystem' facts
- Fri Sep 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11
- Moved pam_mkhomedir to before pam_systemd to fix issues with systemd subsystem failures occurring due to a lack of a home directory.
- Sat May 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Slight update to more closely align with the STIG.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Changed puppet-server requirement to puppet
- Thu Oct 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Updated the mode on limits.conf and access.conf to be non-executable.
- Changed the mode on access.conf to be world readable so that the RHEL7 screensaver can unlock properly.
- Wed Oct 01 2014 Trevor Vaughan tvaughan@onxypoint.com - 4.1.0-7
- Added options to the auth configs in PAM to ensure that GDM works properly in RHEL7.
- Thu Sep 04 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-6
- Added optional pam_systemd module to access template. This will only work if present on the system and is required for CentOS/RHEL 7
- Fri Jul 25 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5
- Added oddjob support for creating home directories for setting correct SELinux contexts on created home directories. See: https://bugzilla.redhat.com/show_bug.cgi?id=447096#c3
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Removed MD5 file checksums for FIPS compliance.
- Thu Apr 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Added full support for access.conf and removed groupaccess.conf since it is no longer required. pam::access::manage should now be used instead of pam::groupaccess::modify.
- Renamed pam::access_conf and pam::limits_conf to pam::access and pam::limits respectively.
- Moved pam::limits::add_limit to pam::limits::add
- Mon Feb 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Updates to fully support OpenShift.
- Added OpenSCAP support.
- Tue Jan 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Added proper support to the wheel class for OpenShift support so that it does not conflict with the base classes from openshift_origin.
- Tue Oct 22 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Converted groupaccess over to using simp_file_line instead of concat.
- Cleaned up the PAM settings quite a bit and now using a single template for all -auth files in /etc/pam.d.
- pam_faillock no longer causes spurious failed logins with sudo.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-7
- Updated all erb templates to properly scope variables.
- Added variables to init.pp to make templates more configurable.
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6
- Use 'versioncmp' for all version comparisons.
- Mon Feb 25 2013 Maintenance - 4.0-5
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Tue Jul 24 2012 Maintenance - 4.0.0-4
- Added maxclassrepeat=3 and gecoscheck to the cracklib line.
- Removed the *credit items from the cracklib line. We have minclass=3 which is good enough and having the rest in there was confusing.
- Wed Jun 13 2012 Maintenance - 4.0.0-3
- Fixed a bug where the other *-auth files in pam.d were not updated to handle faillock properly.
- Wed May 16 2012 Maintenance - 4.0.0-2
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance - 4.0.0-1
- Improved test stubs.
- Fri Feb 10 2012 Maintenance - 4.0.0-0
- Updated the PAM template to handle faillog as the new default in RHEL6.
- Added tests for verifying that a user account lockout happens after 5 tries, can be unlocked, and functions properly after that.
- Tue Dec 20 2011 Maintenance - 2.0.0-5
- Updated the spec file to not require a separate file list.
- Added a line to allow the local 'wheel' group to get to su and bypass checking the alternately set group. This allows the alternate group to be in LDAP and the local group to be able to su when LDAP is down or an emergency user is local.
- Thu Oct 27 2011 Maintenance - 2.0.0-4
- Added the new 'auth' portions of pam.d and removed everything except for 'other' from the rsync segment of pam.d.
- Mon Oct 10 2011 Maintenance - 2.0.0-3
- Updated to put quotes around everything that needs it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Updated to work around the issue where SSSD can't update shadow fields in LDAP.
- Tue Jun 07 2011 Maintenance - 2.0.0-2
- Rearranged items in system-auth so that fewer erroneous errors would be thrown on login. You'll still get them if logging in as a local user. Red Hat is aware of the issue.
- Fixed this module for the case where $use_sssd does not exist.
- Default password length is now 14
- Removed nullok to prevent all blank password usage
- Added support for wheel in 'su' via pam::wheel
- Set pam_lastlog
- Tue Apr 05 2011 Maintenance - 2.0.0-1
- Added support to system-auth for SSSD.
- Updated to use rsync native type
- Updated system-auth to enforce a stronger default password set.
  - This needs to be templated but not for 2.0.0-Beta.
- Updated to use concat_build and concat_fragment types
- Tue Jan 11 2011 Maintenance - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Mon Jan 10 2011 Maintenance - 1.0-4
- Updated the PAM configuration to fix an issue where pam_unix.so was set to default=ignore. This is definitely not what you want.
- Thu Nov 04 2010 Maintenance - 1.0-3
- pam_tally2 still wasn't properly taking effect. Should be corrected.
- This update adds the ability to modify the delay after a failed login via PAM. FAIL_DELAY by itself doesn't do anything without the addition of pam_faildelay.so, so this item was added to the default PAM config.
- Tue Oct 26 2010 Maintenance - 1.0-2
- Converting all spec files to check for directories prior to copy.
- Tue Aug 10 2010 Maintenance - 1.0-1
- Rearranged the pam_tally2 items in system-auth.erb to ensure that account lockouts are taking effect properly.
- Fri Jun 04 2010 Maintenance - 1.0-0
- Modified the system-auth.erb file to:
  - Get rid of session messages in /var/log/secure when cron runs.
  - Ensure that cron can run without having a user in the groupaccess.conf file.
  - Skip pam_ldap if pam_unix succeeds.
- Code refactor and update
- Added 'Tidy' statements to match the rest of the multi-build patterns.
- Fixed a problem with pam_succeed_if.so uid=0 causing auid to be set to -1. Changed to user = root.
- Changed the pam_mkhomedir call to be 'optional' instead of 'required'. This allows users to login even if their home directory can't be created.
- Fri Feb 05 2010 Maintenance - 0.1-10
- Fixed some incorrect settings with pam_cracklib.so and added in some new checking functionality for repeated characters and username matching.
- Removed the necessity of the rootaccess file. This does mean that root can su to any user but completely prevents root lockouts.
Dependencies
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/oddjob (>= 2.0.0 < 3.0.0)
- simp/simplib (>= 4.4.1 < 5.0.0)
pupmod-simp-pam - A Puppet Module for managing PAM

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.