-
Notifications
You must be signed in to change notification settings - Fork 134
/
Copy pathpam.rb
140 lines (119 loc) · 4.09 KB
/
pam.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
# encoding: utf-8
#
# Cookbook Name: os-hardening
# Recipe: pam.rb
#
# Copyright 2012, Dominik Richter
# Copyright 2014, Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# remove ccreds if not necessary
package 'pam-ccreds' do
package_name node['os-hardening']['packages']['pam_ccreds']
action :remove
end
case node['platform_family']
# do pam config for ubuntu
when 'debian'
passwdqc_path = '/usr/share/pam-configs/passwdqc'
tally2_path = '/usr/share/pam-configs/tally2'
# See NSA 2.3.3.1.2
if node['os-hardening']['auth']['pam']['passwdqc']['enable']
# remove pam_cracklib, because it does not play nice wiht passwdqc
package 'pam-cracklib' do
package_name node['os-hardening']['packages']['pam_cracklib']
action :remove
end
# get the package for strong password checking
package 'pam-passwdqc' do
package_name node['os-hardening']['packages']['pam_passwdqc']
end
# configure passwdqc via central module:
template passwdqc_path do
source 'pam_passwdqc.erb'
cookbook node['os-hardening']['auth']['pam']['passwdqc']['template_cookbook']
mode 0640
owner 'root'
group 'root'
end
# deactivate passwdqc
else
# delete passwdqc file on ubuntu and debian
file passwdqc_path do
action :delete
end
# make sure the package is not on the system,
# if this feature is not wanted
package 'pam-passwdqc' do
package_name node['os-hardening']['packages']['pam_passwdqc']
action :remove
end
end
# configure tally2
if node['os-hardening']['auth']['retries'] > 0
# tally2 is needed for pam
package 'libpam-modules'
template tally2_path do
source 'pam_tally2.erb'
cookbook node['os-hardening']['auth']['pam']['tally2']['template_cookbook']
mode 0640
owner 'root'
group 'root'
end
else
file tally2_path do
action :delete
end
end
execute 'update-pam' do
command 'pam-auth-update --package'
end
# do config for rhel-family
when 'rhel', 'fedora'
# we do not allow to use authconfig, because it does not use the /etc/sysconfig/authconfig as a basis
# therefore we edit /etc/pam.d/system-auth-ac/
# @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify
if node['platform_version'].to_f < 7 && node['platform'] != 'amazon'
# remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7
package 'pam-cracklib' do
package_name node['os-hardening']['packages']['pam_cracklib']
action node['os-hardening']['auth']['pam']['passwdqc']['enable'] ? :remove : :nothing
end
package 'pam-passwdqc' do
package_name node['os-hardening']['packages']['pam_passwdqc']
action node['os-hardening']['auth']['pam']['passwdqc']['enable'] ? :install : :remove
end
else
# In RH-family distros > 7, 'pam_pwquality' obsoletes both pam_cracklib and pam_passwdqc
# See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
package 'pam_pwquality' do
package_name node['os-hardening']['packages']['pam_pwquality']
end
end
# configure passwdqc and tally via central system-auth confic:
template '/etc/pam.d/system-auth-ac' do
source 'rhel_system_auth.erb'
cookbook node['os-hardening']['auth']['pam']['system-auth']['template_cookbook']
mode 0640
owner 'root'
group 'root'
end
# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template '/etc/libuser.conf' do
source 'rhel_libuser.conf.erb'
mode 0640
owner 'root'
group 'root'
end
end