From 8282d31c95b5a0b086276583037755a9cd73c28c Mon Sep 17 00:00:00 2001
From: Jordi Prats
Date: Mon, 3 Feb 2020 12:38:51 +0100
Subject: [PATCH 1/7] todo
---
 examples/lockout.pp | 1 +
 manifests/lockout/config.pp | 4 ++++
 2 files changed, 5 insertions(+)
 create mode 100644 examples/lockout.pp
diff --git a/examples/lockout.pp b/examples/lockout.pp
new file mode 100644
index 0000000..67d74ed
--- /dev/null
+++ b/examples/lockout.pp
@@ -0,0 +1 @@
+class { 'pam::lockout': }
diff --git a/manifests/lockout/config.pp b/manifests/lockout/config.pp
index 367c807..29a1da0 100644
--- a/manifests/lockout/config.pp
+++ b/manifests/lockout/config.pp
@@ -45,6 +45,10 @@
 }
 }
 }
+ 'tally2':
+ {
+ fail('TODO')
+ }
 default:
 {
 fail("${pam::params::pam_lockout} currently not implemented")
From 8ff16e1a0d5bbae9d2f2e0cd3668b5cd8ca18a3f Mon Sep 17 00:00:00 2001
From: Jordi Prats
Date: Tue, 11 Feb 2020 14:41:17 +0100
Subject: [PATCH 2/7] lockout
---
 manifests/lockout/config.pp | 6 +++++-
 manifests/lockout/install.pp | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/manifests/lockout/config.pp b/manifests/lockout/config.pp
index 29a1da0..f022683 100644
--- a/manifests/lockout/config.pp
+++ b/manifests/lockout/config.pp
@@ -47,7 +47,11 @@
 }
 'tally2':
 {
- fail('TODO')
+ # sed 's/\(^account.*pam_unix\.so.*$\)/\naccount required pam_tally2.so\n\n\1\n/'
+ exec { 'update commond account':
+ command => "sed 's/\\(^account.*pam_unix\\.so.*$\\)/\\naccount required pam_tally2.so\\n\\n\\1\\n/' -i /etc/pam.d/common-account",
+ unless => "grep -P 'account required pam_tally2.so'",
+ }
 }
 default:
 {
diff --git a/manifests/lockout/install.pp b/manifests/lockout/install.pp
index c5da1a5..a5e9bee 100644
--- a/manifests/lockout/install.pp
+++ b/manifests/lockout/install.pp
@@ -5,6 +5,9 @@
 'faillock':
 {
 }
+ 'tally2':
+ {
+ }
 default:
 {
 fail("${pam::params::pam_lockout} currently not implemented")
From 0f7ec92d23d18d02fce2626f8bd6c2d5c16c06a4 Mon Sep 17 00:00:00 2001
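Review bot: The `update commond account` exec calls `sed` and `grep` by bare name with no `path` attribute, so unless an `Exec { path => ... }` resource default is declared somewhere outside this hunk, Puppet rejects the resource as unqualified and common-account is never edited; add `path => ['/bin', '/usr/bin'],` to the resource. The sed line also deserves a why-comment: on Ubuntu the common-* files are generated by pam-auth-update, and an in-place edit turns the file into a locally modified one whose fate on the next pam-auth-update run is not obvious, so state the expectation, e.g. `# edits the pam-auth-update-generated file in place; verify how a later pam-auth-update run treats it`. The enclosing case statement and class start outside the hunk.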
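Review bot: The new `'tally2'` case in install.pp is empty and uncommented, so a reader cannot tell whether installing nothing is deliberate; say why, e.g. `# pam_tally2 ships in libpam-modules on Ubuntu 18.04, nothing extra to install`. This has a security consequence: as I recall pam_tally2 was removed upstream in Linux-PAM 1.5, and if this case is ever selected on such a release the `auth required pam_tally2.so` line that config.pp writes names a module PAM cannot load, which counts as a failure of a required module and locks every user out. The comment should therefore also say that this case must only be chosen on releases that still ship pam_tally2, with the selection logic in params.pp (outside this series) falling back to faillock elsewhere. The enclosing case statement and class start outside the hunk.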
From: Jordi Prats
Date: Tue, 11 Feb 2020 14:43:26 +0100
Subject: [PATCH 3/7] grep grep
---
 manifests/lockout/config.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/lockout/config.pp b/manifests/lockout/config.pp
index f022683..92598d9 100644
--- a/manifests/lockout/config.pp
+++ b/manifests/lockout/config.pp
@@ -50,7 +50,7 @@
 # sed 's/\(^account.*pam_unix\.so.*$\)/\naccount required pam_tally2.so\n\n\1\n/'
 exec { 'update commond account':
 command => "sed 's/\\(^account.*pam_unix\\.so.*$\\)/\\naccount required pam_tally2.so\\n\\n\\1\\n/' -i /etc/pam.d/common-account",
- unless => "grep -P 'account required pam_tally2.so'",
+ unless => "grep -P 'account required pam_tally2.so' /etc/pam.d/common-account",
 }
 }
 default:
From 0f32edf8c3ac148e97b8c690465b6b61b204c0b2 Mon Sep 17 00:00:00 2001
From: Jordi Prats
Date: Tue, 11 Feb 2020 14:54:49 +0100
Subject: [PATCH 4/7] lockout
---
 manifests/lockout/config.pp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/manifests/lockout/config.pp b/manifests/lockout/config.pp
index 92598d9..7c53a55 100644
--- a/manifests/lockout/config.pp
+++ b/manifests/lockout/config.pp
@@ -48,9 +48,15 @@
 'tally2':
 {
 # sed 's/\(^account.*pam_unix\.so.*$\)/\naccount required pam_tally2.so\n\n\1\n/'
- exec { 'update commond account':
+ exec { 'update common account':
 command => "sed 's/\\(^account.*pam_unix\\.so.*$\\)/\\naccount required pam_tally2.so\\n\\n\\1\\n/' -i /etc/pam.d/common-account",
 unless => "grep -P 'account required pam_tally2.so' /etc/pam.d/common-account",
+
+ # /etc/pam.d/common-auth
+ exec { 'update common auth':
+ command => "sed 's/\\(^auth.*pam_unix\\.so.*$\\)/auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}\\n\\n\\1/' -i /etc/pam.d/common-auth",
+ unless => "grep -E 'auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}' /etc/pam.d/common-auth",
+ }
 }
 }
 default:
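Review bot: The `unless` check fixed here is still unanchored and uses an unescaped `.`, so a commented-out `#account required pam_tally2.so` left behind by an administrator satisfies it and the exec never restores the line, while a tab or double space between the tokens makes it fail to match and the sed insert runs on every agent run. Anchor and escape it: `unless => "grep -qE '^account[[:space:]]+required[[:space:]]+pam_tally2\\.so' /etc/pam.d/common-account",`. The sed expression has the mirror-image problem, since it substitutes on every account line that loads pam_unix.so, so a file that ever holds two such lines gets two tally2 entries. The enclosing case statement and class start outside the hunk.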
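Review bot: The `update common auth` exec is not idempotent across parameter changes: its `unless` only matches the exact current `deny`/`unlock_time` values, so once either parameter is changed the exec runs again and the sed, which only inserts in front of the pam_unix.so line, adds a second `auth required pam_tally2.so` entry with the new thresholds instead of replacing the old one, leaving two tally2 lines in the auth stack. Both parameters are also interpolated unquoted into a root shell command; unless `pam::lockout` already declares them as `Integer` (not visible in this series), a value containing `/` breaks the sed expression and shell metacharacters would be executed, so validate them where they are declared. Deleting any existing tally2 line before inserting, anchoring the check and setting `path` fixes the idempotency point; the rewrite is below. The enclosing `'tally2'` case starts outside the hunk.
```puppet
# /etc/pam.d/common-auth: drop any earlier pam_tally2 line, then insert the current one before pam_unix.so
exec { 'update common auth':
  command => "sed -i -e '/^auth.*pam_tally2\\.so/d' -e 's/\\(^auth.*pam_unix\\.so.*$\\)/auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}\\n\\n\\1/' /etc/pam.d/common-auth",
  unless  => "grep -qE '^auth[[:space:]]+required[[:space:]]+pam_tally2\\.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}\$' /etc/pam.d/common-auth",
  path    => ['/bin', '/usr/bin'],
}
```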
From 663aef2c2412730d99c3302fff536178aa6771d1 Mon Sep 17 00:00:00 2001
From: Jordi Prats
Date: Tue, 11 Feb 2020 14:56:18 +0100
Subject: [PATCH 5/7] lint
---
 manifests/lockout/config.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/lockout/config.pp b/manifests/lockout/config.pp
index 7c53a55..40cde04 100644
--- a/manifests/lockout/config.pp
+++ b/manifests/lockout/config.pp
@@ -51,13 +51,13 @@
 exec { 'update common account':
 command => "sed 's/\\(^account.*pam_unix\\.so.*$\\)/\\naccount required pam_tally2.so\\n\\n\\1\\n/' -i /etc/pam.d/common-account",
 unless => "grep -P 'account required pam_tally2.so' /etc/pam.d/common-account",
-
+ }
+
 # /etc/pam.d/common-auth
 exec { 'update common auth':
 command => "sed 's/\\(^auth.*pam_unix\\.so.*$\\)/auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}\\n\\n\\1/' -i /etc/pam.d/common-auth",
 unless => "grep -E 'auth required pam_tally2.so deny=${pam::lockout::deny_failed} unlock_time=${pam::lockout::unlock_time}' /etc/pam.d/common-auth",
 }
- }
 }
 default:
 {
From adeab68970b8c17127e95a462c188d4ffb724fe4 Mon Sep 17 00:00:00 2001
From: Jordi Prats
Date: Tue, 11 Feb 2020 17:21:20 +0100
Subject: [PATCH 6/7] demo cis
---
 CHANGELOG.md | 5 +++++
 examples/cis_demo.pp | 13 +++++++++++++
 metadata.json | 2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 examples/cis_demo.pp
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7cba4d2..e4c6d6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG
+## 0.1.24
+
+* **pam::lockout**
+ - added support for **Ubuntu 18.04**
+
 ## 0.1.23
 * Added support for **RHEL 8**
diff --git a/examples/cis_demo.pp b/examples/cis_demo.pp
new file mode 100644
index 0000000..2166619
--- /dev/null
+++ b/examples/cis_demo.pp
@@ -0,0 +1,13 @@
+class { 'pam::lockout': }
+
+class { 'pam::wheel': }
+
+class { 'pam::lockout': }
+
+class { 'pam::cracklib':
+ minlen => '7',
+}
+
+class { 'pam::unix':
+ remember => '10',
+}
diff --git a/metadata.json b/metadata.json
index a1377c3..cc6bb37 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "eyp-pam",
- "version": "0.1.23",
+ "version": "0.1.24",
 "author": "eyp",
 "summary": "PAM modules, /etc/security/limits.conf and /etc/securetty management",
 "license": "Apache-2.0",
From f52ab386bb9a1e489d2616209c6f39361630929e Mon Sep 17 00:00:00 2001
From: Jordi Prats
Date: Tue, 11 Feb 2020 17:23:27 +0100
Subject: [PATCH 7/7] oops
---
 examples/cis_demo.pp | 2 --
 1 file changed, 2 deletions(-)
diff --git a/examples/cis_demo.pp b/examples/cis_demo.pp
index 2166619..6c8ddac 100644
--- a/examples/cis_demo.pp
+++ b/examples/cis_demo.pp
@@ -2,8 +2,6 @@
 class { 'pam::wheel': }
-class { 'pam::lockout': }
-
 class { 'pam::cracklib':
 minlen => '7',
 }
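Review bot: `examples/cis_demo.pp` carries no header comment saying which benchmark or which controls it demonstrates, and its values do not look like benchmark values: as I recall the CIS Ubuntu 18.04 benchmark asks for a minimum password length of 14 and a reuse history of at least 5, whereas this example sets `minlen => '7'` and `remember => '10'`. Either align the values with the benchmark or open the file with a comment such as `# Wires the pam::* classes together; the values are illustrative, not CIS benchmark settings` so the file is not copied as a compliant baseline. `class { 'pam::lockout': }` is also declared with module defaults, and the `deny`/`unlock_time` defaults it relies on are not visible in this series, so the comment should name them if the example is meant to show a lockout policy.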