Merge pull request #17 from jordiprats/master

improved CIS support

CHANGELOG.md

@@ -1,5 +1,13 @@
 # CHANGELOG
 
+## 0.1.14
+
+* improved CIS support by setting an arbitrary option order
+
+## 0.1.13
+
+* changed default settings for **pam::lockout**
+
 ## 0.1.12
 
 * allow empty securetty file

README.md

@@ -21,13 +21,39 @@ PAM modules, /etc/security/limits.conf and /etc/securetty management
 
 ## Module Description
 
-If applicable, this section should have a brief description of the technology
-the module integrates with and what that integration enables. This section
-should answer the questions: "What does this module *do*?" and "Why would I use
-it?"
+### pam::lockout
 
-If your module has a range of functionality (installation, configuration,
-management, etc.) this is the time to mention it.
+CIS compliance using pam_faillock for CentOS 6 and 7:
+
+```
+# cat /etc/pam.d/password-auth
+auth        required       pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth        include        password-auth-ac
+auth        [default=die]  pam_faillock.so authfail audit deny=5 unlock_time=900
+auth        sufficient     pam_faillock.so authsucc audit deny=5 unlock_time=900
+
+account     required       pam_faillock.so
+account     include        password-auth-ac
+
+password    include        password-auth-ac
+
+session     include        password-auth-ac
+```
+
+```
+# cat /etc/pam.d/system-auth
+auth        required       pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth        include        system-auth-ac
+auth        [default=die]  pam_faillock.so authfail audit deny=5 unlock_time=900
+auth        sufficient     pam_faillock.so authsucc audit deny=5 unlock_time=900
+
+account     required       pam_faillock.so
+account     include        system-auth-ac
+
+password    include        system-auth-ac
+
+session     include        system-auth-ac
+```
 
 ## Setup
 

manifests/lockout.pp

@@ -4,17 +4,18 @@
 # pam_tally2
 # http://myexperienceswithunix.blogspot.com.es/2016/09/locking-user-accounts-with-pam-faillock.html
 #
-class pam::lockout(
+class pam::lockout (
                       $manage_package        = true,
                       $package_ensure        = 'installed',
                       $manage_service        = true,
                       $manage_docker_service = true,
                       $service_ensure        = 'running',
                       $service_enable        = true,
                       $even_deny_root        = false,
-                      $unlock_time           = '600',
-                      $deny_failed           = '3',
-                      $silent                = true,
+                      $unlock_time           = '900',
+                      $deny_failed           = '5',
+                      $silent_preauth        = true,
+                      $silent_authfail       = false,
                       $user_whitelist        = undef,
                     ) inherits pam::params{
 

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "eyp-pam",
-  "version": "0.1.12",
+  "version": "0.1.14",
   "author": "eyp",
   "summary": "PAM modules, /etc/security/limits.conf and /etc/securetty management",
   "license": "Apache-2.0",

templates/lockout/faillock/password.erb

@@ -1,9 +1,10 @@
 <% if defined?(@user_whitelist) -%>
 auth [success=1 default=ignore] pam_succeed_if.so user in <%= @user_whitelist.join(':') %>
 <% end -%>
-auth        required       pam_faillock.so preauth <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth        required       pam_faillock.so preauth audit<% if @silent_preauth %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
 auth        include        password-auth-ac
-auth        [default=die]  pam_faillock.so authfail <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth        [default=die]  pam_faillock.so authfail audit<% if @silent_authfail %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth        sufficient     pam_faillock.so authsucc audit deny=<%= @deny_failed %> unlock_time=<%= @unlock_time %>
 
 account     required       pam_faillock.so
 account     include        password-auth-ac

templates/lockout/faillock/systemauth.erb

@@ -1,9 +1,10 @@
 <% if defined?(@user_whitelist) -%>
 auth [success=1 default=ignore] pam_succeed_if.so user in <%= @user_whitelist.join(':') %>
 <% end -%>
-auth        required       pam_faillock.so preauth <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth        required       pam_faillock.so preauth audit<% if @silent_preauth %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
 auth        include        system-auth-ac
-auth        [default=die]  pam_faillock.so authfail <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth        [default=die]  pam_faillock.so authfail audit deny=<%= @deny_failed %><% if @silent_authfail %> silent<% end %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth        sufficient     pam_faillock.so authsucc audit deny=<%= @deny_failed %> unlock_time=<%= @unlock_time %>
 
 account     required       pam_faillock.so
 account     include        system-auth-ac