diff --git a/CHANGELOG b/CHANGELOG
index 2f8be4f..c0d454c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+* Mon Nov 04 2024 Mike Riddle - 7.3.0
+- "root_unlock_time" will no longer be included in faillock.conf if "even_deny_root" is set to false
+- Added nullok back as a parameter for completeness, however, users are warned not to use it unless
+ they fully understand the implication of having users without passwords
+
 * Tue Oct 29 2024 Mike Riddle - 7.2.2
 - Fixed pam auth files getting mangled when using cracklib as the pwbackend
diff --git a/manifests/auth.pp b/manifests/auth.pp
index a6049ef..601f385 100644
--- a/manifests/auth.pp
+++ b/manifests/auth.pp
@@ -29,6 +29,7 @@
 # @param cracklib_minclass
 # @param cracklib_minlen
 # @param cracklib_retry
+# @param nullok
 # @param oath
 # @param oath_window
 # @param deny
@@ -79,6 +80,7 @@
 Optional[Integer[0]] $cracklib_minclass = $pam::cracklib_minclass,
 Optional[Integer[0]] $cracklib_minlen = $pam::cracklib_minlen,
 Integer[0] $cracklib_retry = $pam::cracklib_retry,
+ Boolean $nullok = $pam::nullok,
 Integer[0] $deny = $pam::deny,
 Boolean $faillock = $pam::faillock,
 Boolean $manage_faillock_conf = $pam::manage_faillock_conf,
@@ -201,6 +203,7 @@
 cracklib_minclass => $cracklib_minclass,
 cracklib_minlen => $cracklib_minlen,
 cracklib_retry => $_cracklib_retry,
+ nullok => $nullok,
 deny => $deny,
 faillock => $faillock,
 faillock_log_dir => $faillock_log_dir,
diff --git a/manifests/init.pp b/manifests/init.pp
index 834b2ea..f4ed14a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -121,6 +121,11 @@
 # performed using the cracklib library. This option will be ignored
 # unless the OS major version is higher than 7.
 #
+# @param nullok
+# If true, blank passwords will be allowed for users. DO NOT set this to true
+# unless you and your organization are willing to accept the risks of having
+# accounts with blank passwords.
+#
 # @param rm_pwquality_conf_d
 # Remove the /etc/security/pwquality.conf.d directory and all contents.
 #
@@ -345,6 +350,7 @@
 Optional[Array[String[1],1]] $cracklib_badwords = undef,
 Optional[StdLib::Absolutepath] $cracklib_dictpath = undef,
 Integer[0] $dictcheck = 1,
+ Boolean $nullok = false,
 Boolean $rm_pwquality_conf_d = true,
 Boolean $oath = simplib::lookup('simp_options::oath', { 'default_value' => false }),
 Integer[0] $oath_window = 1,
diff --git a/metadata.json b/metadata.json
index 452b99d..043f170 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "simp-pam",
- "version": "7.2.2",
+ "version": "7.3.0",
 "author": "SIMP Team",
 "summary": "A SIMP puppet module for managing pam",
 "license": "Apache-2.0",
diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
index b7f116f..250d031 100644
--- a/spec/classes/config_spec.rb
+++ b/spec/classes/config_spec.rb
@@ -83,6 +83,19 @@
 EOM
 }
+ let(:no_even_deny_root_faillock_conf){
+ <<~EOM
+ # This file is generated by Puppet
+ # Any changes made to it will be overwritten.
+ #
+ audit
+ silent
+ deny=5
+ fail_interval=900
+ unlock_time=900
+ EOM
+ }
+
 let(:all_params_faillock_conf){
 <<~EOM
 # This file is generated by Puppet
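Review bot: The new `@param nullok` description says blank passwords will be allowed for users, but the only place this change applies the flag is the `password sufficient pam_unix.so` line in templates/etc/pam.d/auth.epp; in the new expected fixtures the `auth [success=1 default=ignore] pam_unix.so try_first_pass` line is unchanged. Which pam_unix stacks need the option for the documented effect should be confirmed against pam_unix(8); if the auth stack is meant too, the template is incomplete, and if only the password stack is meant, the parameter text overstates what it does. In the latter case the description could read `# If true, 'nullok' is passed to pam_unix.so in the password stack of the managed pam.d files.` followed by the existing warning sentences. The same point applies to the auth.epp hunk later in this diff.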
@@ -436,6 +449,18 @@
 end
 end
+ context 'with managing faillock.conf with even_deny_root set to false' do
+ let(:params){{ :manage_faillock_conf => true, :even_deny_root => false }}
+
+ it {is_expected.to compile.with_all_deps}
+ if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or
+ (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022')
+ it {is_expected.to_not contain_file('/etc/security/faillock.conf')}
+ else
+ it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( no_even_deny_root_faillock_conf )}
+ end
+ end
+
 context 'with managing faillock.conf with all non-default parameters' do
 let(:params){{
 :manage_faillock_conf => true,
diff --git a/spec/defines/auth_spec.rb b/spec/defines/auth_spec.rb
index 26fb3fb..a13026a 100644
--- a/spec/defines/auth_spec.rb
+++ b/spec/defines/auth_spec.rb
@@ -343,6 +343,26 @@ def get_expected(filename)
 it_should_behave_like "a pam.d config file generator"
 it { is_expected.to contain_file(filename).with_content(file_content) }
 end
+
+ context 'Generate file with when nullok == true' do
+ let(:params){{
+ :nullok => true,
+ }}
+ let(:pw_backend) { 'pwquality' }
+ let(:title){ 'system' }
+ let(:filename){ "/etc/pam.d/system-auth" }
+ let(:el_version){
+ if Integer(os_facts[:os][:release][:major]) <= 7
+ 'el7'
+ else
+ 'el8'
+ end
+ }
+ let(:file_content) { get_expected("#{pw_backend}-system-#{el_version}-auth_nullok") }
+
+ it_should_behave_like "a pam.d config file generator"
+ it { is_expected.to contain_file(filename).with_content(file_content) }
+ end
 end
 end
 end
diff --git a/spec/expected/auth_spec/pwquality-system-el7-auth_nullok b/spec/expected/auth_spec/pwquality-system-el7-auth_nullok
new file mode 100644
index 0000000..8323e54
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el7-auth_nullok
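Review bot: The OS guard in the new context compares the release major as a string (`os_facts[:os][:release][:major] <= '7'` and `<= '2022'`), so a two-digit major such as '10' sorts before '7' lexically and would select the "file absent" expectation on a release that should get faillock.conf. The auth_spec hunk in this same change uses `Integer(os_facts[:os][:release][:major]) <= 7`, which is the safer form; suggest `if (os_facts[:os][:family] == 'RedHat' and Integer(os_facts[:os][:release][:major]) <= 7) or` and the same coercion on the Amazon branch. The neighbouring existing contexts may share the pattern, in which case they would want the same fix outside this hunk.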
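Review bot: The context description `'Generate file with when nullok == true'` has a stray word; `context 'Generate file when nullok == true' do` reads cleanly and matches the naming of the sibling contexts. The describe block that encloses this context opens outside the hunk. A one-line comment above `let(:file_content)` saying that the `_nullok` fixtures are the plain system-auth fixtures with the flag on the password-stack pam_unix line would help whoever regenerates the expected files later, if that is indeed the only difference.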
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so nullok sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed
diff --git a/spec/expected/auth_spec/pwquality-system-el8-auth_nullok b/spec/expected/auth_spec/pwquality-system-el8-auth_nullok
new file mode 100644
index 0000000..64e164d
--- /dev/null
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_nullok
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so nullok sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so 
silent
+session required pam_lastlog.so showfailed
diff --git a/templates/etc/pam.d/auth.epp b/templates/etc/pam.d/auth.epp
index f3955c7..b017da5 100644
--- a/templates/etc/pam.d/auth.epp
+++ b/templates/etc/pam.d/auth.epp
@@ -17,6 +17,7 @@
 Optional[Integer[0]] $cracklib_minclass,
 Optional[Integer[0]] $cracklib_minlen,
 Variant[Boolean, Integer[0]] $cracklib_retry,
+ Boolean $nullok,
 Integer[0] $deny,
 Boolean $faillock,
 Boolean $manage_faillock_conf,
@@ -277,7 +278,14 @@ account required pam_permit.so
 $_pam_pwhistory = "password required pam_pwhistory.so use_authtok remember=${remember} retry=${remember_retry} file=${remember_file}${_remember_debug}${_remember_for_root}"
 -%>
 <% } -%>
-<% $_pam_unix = "password sufficient pam_unix.so ${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%>
+<%
+ if $nullok {
+ $_nullok = 'nullok '
+ } else {
+ $_nullok = ''
+ }
+-%>
+<% $_pam_unix = "password sufficient pam_unix.so ${_nullok}${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%>
 <% if $sssd { -%>
 <%= $_pam_pwhistory %>
 <%= $_pam_unix %>
diff --git a/templates/etc/security/faillock.conf.epp b/templates/etc/security/faillock.conf.epp
index 8a21e82..9c46e0b 100644
--- a/templates/etc/security/faillock.conf.epp
+++ b/templates/etc/security/faillock.conf.epp
@@ -45,7 +45,7 @@ unlock_time=<%= $unlock_time %>
 <% if $even_deny_root { -%>
 even_deny_root
 <% } -%>
-<% if $root_unlock_time { -%>
+<% if $root_unlock_time and $even_deny_root { -%>
 root_unlock_time=<%= $root_unlock_time %>
 <% } -%>
 <% if $admin_group { -%>
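Review bot: The seven-line if/else that builds `$_nullok` is a two-valued string choice that Puppet usually writes as a selector: `<% $_nullok = $nullok ? { true => 'nullok ', default => '' } -%>`. That keeps the option next to the `$_pam_unix` assignment it feeds and avoids a separate multi-line code tag. The trailing space inside `'nullok '` is what separates it from `${hash_algorithm}` in the assembled line, so it is worth keeping as-is in whichever form is chosen.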
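Review bot: The new condition `$root_unlock_time and $even_deny_root` has no comment recording why root_unlock_time is now tied to even_deny_root; the reason lives only in the CHANGELOG, so a comment above the `if` would keep it with the code, e.g. `<%# pam_faillock treats root_unlock_time as implying even_deny_root, so emitting it alone would re-enable root lockout -%>`. That wording assumes the faillock.conf(5) semantics for root_unlock_time, which should be confirmed before the comment is committed. A caller who sets root_unlock_time while leaving even_deny_root false now gets the value silently dropped from faillock.conf; whether the manifest should warn about that combination is outside this hunk.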