diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5cf1f9e..29d8675 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # CHANGELOG
 
+## 0.1.14
+
+* improved CIS support by setting an arbitrary option order
+
+## 0.1.13
+
+* changed default settings for **pam::lockout**
+
 ## 0.1.12
 
 * allow empty securetty file
diff --git a/README.md b/README.md
index 89ccb4b..6b16071 100644
--- a/README.md
+++ b/README.md
@@ -21,13 +21,39 @@ PAM modules, /etc/security/limits.conf and /etc/securetty management
 
 ## Module Description
 
-If applicable, this section should have a brief description of the technology
-the module integrates with and what that integration enables. This section
-should answer the questions: "What does this module *do*?" and "Why would I use
-it?"
+### pam::lockout
 
-If your module has a range of functionality (installation, configuration,
-management, etc.) this is the time to mention it.
+CIS compliance using pam_faillock for CentOS 6 and 7:
+
+```
+# cat /etc/pam.d/password-auth
+auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth include password-auth-ac
+auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
+auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
+
+account required pam_faillock.so
+account include password-auth-ac
+
+password include password-auth-ac
+
+session include password-auth-ac
+```
+
+```
+# cat /etc/pam.d/system-auth
+auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth include system-auth-ac
+auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
+auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
+
+account required pam_faillock.so
+account include system-auth-ac
+
+password include system-auth-ac
+
+session include system-auth-ac
+```
 
 ## Setup
 
diff --git a/manifests/lockout.pp b/manifests/lockout.pp
index 4315a0b..51d7e5a 100644
--- a/manifests/lockout.pp
+++ b/manifests/lockout.pp
@@ -4,7 +4,7 @@
 # pam_tally2
 # http://myexperienceswithunix.blogspot.com.es/2016/09/locking-user-accounts-with-pam-faillock.html
 #
-class pam::lockout(
+class pam::lockout (
   $manage_package = true,
   $package_ensure = 'installed',
   $manage_service = true,
@@ -12,9 +12,10 @@
   $service_ensure = 'running',
   $service_enable = true,
   $even_deny_root = false,
-  $unlock_time = '600',
-  $deny_failed = '3',
-  $silent = true,
+  $unlock_time = '900',
+  $deny_failed = '5',
+  $silent_preauth = true,
+  $silent_authfail = false,
   $user_whitelist = undef,
 ) inherits pam::params{
 
diff --git a/metadata.json b/metadata.json
index 60543ec..28b80a1 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "eyp-pam",
-  "version": "0.1.12",
+  "version": "0.1.14",
   "author": "eyp",
   "summary": "PAM modules, /etc/security/limits.conf and /etc/securetty management",
   "license": "Apache-2.0",
diff --git a/templates/lockout/faillock/password.erb b/templates/lockout/faillock/password.erb
index 30e81e9..64489bf 100644
--- a/templates/lockout/faillock/password.erb
+++ b/templates/lockout/faillock/password.erb
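Review bot: Replacing `$silent` with `$silent_preauth`/`$silent_authfail` in the second hunk is a breaking change for existing users of pam::lockout — Puppet rejects an unknown class parameter at catalog compile time, so any node still declaring `silent => ...` stops applying until it is updated, and the 0.1.13 changelog entry only speaks of changed defaults. Consider keeping `$silent = undef,` in the parameter list as a deprecated alias and, in the class body (which lies outside this hunk), mapping it onto both new flags when it is set, e.g. `$_silent_preauth = $silent ? { undef => $silent_preauth, default => $silent }`, with a warning that it will be removed; failing that, call the rename out explicitly in the CHANGELOG. The new defaults (`'5'`, `'900'`) match the README example, but `$deny_failed` and `$unlock_time` are still accepted as arbitrary strings that are interpolated verbatim into every pam_faillock line, so a non-numeric value would leave both auth stacks with a malformed module argument; a numeric type or regex check on these two parameters would catch that before the templates render.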
@@ -1,9 +1,10 @@
 <% if defined?(@user_whitelist) -%>
 auth [success=1 default=ignore] pam_succeed_if.so user in <%= @user_whitelist.join(':') %>
 <% end -%>
-auth required pam_faillock.so preauth <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth required pam_faillock.so preauth audit<% if @silent_preauth %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
 auth include password-auth-ac
-auth [default=die] pam_faillock.so authfail <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth [default=die] pam_faillock.so authfail audit<% if @silent_authfail %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth sufficient pam_faillock.so authsucc audit deny=<%= @deny_failed %> unlock_time=<%= @unlock_time %>
 
 account required pam_faillock.so
 account include password-auth-ac
diff --git a/templates/lockout/faillock/systemauth.erb b/templates/lockout/faillock/systemauth.erb
index 119c6d4..a16f653 100644
--- a/templates/lockout/faillock/systemauth.erb
+++ b/templates/lockout/faillock/systemauth.erb
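Review bot: The new `authsucc` line drops `even_deny_root`, which the `preauth` and `authfail` lines directly above still emit when `@even_deny_root` is set; pam_faillock is normally configured with the same options on every one of its auth lines, so this call should carry the same conditional: `auth sufficient pam_faillock.so authsucc audit deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>`. Note also where the line sits: after `auth include password-auth-ac`. If the included stack ends with the usual `auth sufficient pam_unix.so` / `auth required pam_deny.so` pair (not visible here), a successful login returns from the stack at the `sufficient` line and a failed one dies at `[default=die] ... authfail`, so this new entry would not be reached on either path and the tally reset would in practice still come from the `account required pam_faillock.so` line below. Worth verifying on a host with `faillock --user` rather than relying on the README example.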
@@ -1,9 +1,10 @@
 <% if defined?(@user_whitelist) -%>
 auth [success=1 default=ignore] pam_succeed_if.so user in <%= @user_whitelist.join(':') %>
 <% end -%>
-auth required pam_faillock.so preauth <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth required pam_faillock.so preauth audit<% if @silent_preauth %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
 auth include system-auth-ac
-auth [default=die] pam_faillock.so authfail <% if @silent %>silent<% end %> audit deny=<%= @deny_failed %> <% if @even_deny_root %>even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth [default=die] pam_faillock.so authfail audit deny=<%= @deny_failed %><% if @silent_authfail %> silent<% end %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>
+auth sufficient pam_faillock.so authsucc audit deny=<%= @deny_failed %> unlock_time=<%= @unlock_time %>
 
 account required pam_faillock.so
 account include system-auth-ac
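Review bot: The rewritten `authfail` line in this template orders its options differently from the same line in password.erb (here `silent` is emitted after `deny=`, there before it). pam_faillock does not care about argument order, so this is harmless today, but the two templates are otherwise line-for-line identical apart from the `-ac` file name, and letting them drift makes it easy for a later fix to land in one and not the other; I would keep both on the same form, `auth [default=die] pam_faillock.so authfail audit<% if @silent_authfail %> silent<% end %> deny=<%= @deny_failed %><% if @even_deny_root %> even_deny_root<% end %> unlock_time=<%= @unlock_time %>`. The added `authsucc` line has the same gap as its password.erb twin: it omits the `<% if @even_deny_root %> even_deny_root<% end %>` fragment the two lines above it carry, so with `even_deny_root => true` root is the one account whose pam_faillock calls no longer agree.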