REFERENCE.md

File metadata and controls

1710 lines (959 loc) · 40.6 KB

Reference

Table of Contents

Classes

  • pam: Ensure that reasonable PAM security options are applied.
  • pam::access: Set up /etc/security/access.conf with a default to allow root to login locally.
  • pam::access::default_deny: Add a "default deny" rule to pam_access
  • pam::config: Configuration class called from pam.
  • pam::install: Install the required PAM packages
  • pam::limits: Set up /etc/security/limits.conf
  • pam::wheel: Enable wheel restrictions for su access

Defined types

  • pam::access::rule: Set up entries in /etc/security/access.conf
  • pam::auth: Set up the various -auth files in /etc/pam.d.
  • pam::limits::rule: <domain> <type> <item> <value> resource limiting sets as defined in limits.conf(5).

Data types

Classes

pam

Ensure that reasonable PAM security options are applied. It also takes into account the global SIMP settings for LDAP and SSSD.

Many options are exposed here that may affect a large number of lower-level PAM module settings. This is done to provide continuity across the PAM stack where possible.

Parameters

The following parameters are available in the pam class:

password_check_backend

Data type: Pam::PasswordBackends

The password checking library to use

  • The default is based on the OS being targeted and is pulled from module data
locale_file

Data type: Optional[Stdlib::Absolutepath]

The path to the locale configuration file on the system

  • Explicitly set to undef to disable

Default value: undef

cracklib_difok

Data type: Integer[0]

The number of character changes between the old password and the new password that are enough to accept the new password

Default value: 4

cracklib_maxrepeat

Data type: Integer[0]

Reject passwords which contain more than this many of the same consecutive characters

Default value: 2

cracklib_maxsequence

Data type: Integer[0]

Reject passwords which contain monotonic character sequences longer than this

  • pam_pwquality's own default is 0, which disables this check; this module sets 4. Examples of such sequences are 12345 or fedcb

  • Most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password

Default value: 4

cracklib_maxclassrepeat

Data type: Integer[0]

Reject passwords which contain more than this many consecutive characters of the same class

  • Character classes include:
    • Upper Case
    • Lower Case
    • Digit
    • Special Character

Default value: 3

cracklib_gecoscheck

Data type: Boolean

Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password

Default value: true

cracklib_enforce_for_root

Data type: Boolean

Enforce all password check settings for the root user

Default value: true

cracklib_dcredit

Data type: Integer

The required credit for having digits in the new password

  • For non-negative N: up to N digits each count +1 towards meeting the current minlen value

  • For negative N: at least |N| digits are required in the new password

Default value: -1

cracklib_ucredit

Data type: Integer

The required credit for having upper case letters in the new password

  • For non-negative N: up to N upper case letters each count +1 towards meeting the current minlen value

  • For negative N: at least |N| upper case letters are required in the new password

Default value: -1

cracklib_lcredit

Data type: Integer

The required credit for having lower case letters in the new password

  • For non-negative N: up to N lower case letters each count +1 towards meeting the current minlen value

  • For negative N: at least |N| lower case letters are required in the new password

Default value: -1

cracklib_ocredit

Data type: Integer

The required credit for having special characters in the new password

  • For non-negative N: up to N special characters each count +1 towards meeting the current minlen value

  • For negative N: at least |N| special characters are required in the new password

Default value: -1

cracklib_minclass

Data type: Integer[0]

The minimum number of required classes for the new password

  • The four classes are digits, upper and lower letters and other characters

  • The difference from the credit checks is that no specific class of characters is required. Instead, any N of the four classes must be present.

Default value: 3

cracklib_minlen

Data type: Integer[0]

The minimum acceptable size for the new password (plus one if credits are not disabled)

Default value: 15
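The cracklib_* parameters above only make sense together: minlen is measured after credits are applied, and a negative credit is a hard per-class minimum rather than a length bonus. The following is an added illustration (not code from pupmod-simp-pam or from libpwquality) that models the length/credit, minclass, maxclassrepeat, maxrepeat and maxsequence checks with this module's defaults, so you can see which check a candidate password trips. The dictionary, GECOS, username, bad-word and difok (old-password similarity) checks are deliberately left out, and the order in which failures are reported is this example's own; libpwquality may report a different failure first for the same input.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PwqualitySettings:
    # Values are the pam class defaults documented above.
    minlen: int = 15
    dcredit: int = -1
    ucredit: int = -1
    lcredit: int = -1
    ocredit: int = -1
    minclass: int = 3
    maxrepeat: int = 2
    maxsequence: int = 4
    maxclassrepeat: int = 3


SIMP_DEFAULTS = PwqualitySettings()

CLASSES = ("digit", "upper", "lower", "other")


def _char_class(ch: str) -> str:
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def check_password(pw: str, s: PwqualitySettings = SIMP_DEFAULTS) -> Optional[str]:
    """Return the first failing check as a message, or None if the password passes."""
    counts = dict.fromkeys(CLASSES, 0)
    prev_class, same_class = None, 0
    for ch in pw:
        cls = _char_class(ch)
        counts[cls] += 1
        same_class = same_class + 1 if cls == prev_class else 1
        prev_class = cls
        # maxclassrepeat: a run of more than N characters of one class is rejected (0 disables).
        if s.maxclassrepeat > 0 and same_class > s.maxclassrepeat:
            return f"more than {s.maxclassrepeat} consecutive {cls} characters (maxclassrepeat)"

    # Credits: a negative value is a hard minimum for that class; a value >= 0 lets
    # up to that many characters of the class count towards minlen.
    required = s.minlen
    for cls, credit in zip(CLASSES, (s.dcredit, s.ucredit, s.lcredit, s.ocredit)):
        if credit < 0:
            if counts[cls] < -credit:
                return f"fewer than {-credit} {cls} characters ({cls[0]}credit)"
        else:
            required -= min(counts[cls], credit)
    if len(pw) < required:
        return f"shorter than the effective minimum length {required} (minlen)"

    # minclass: how many of the four classes appear at all.
    if sum(1 for n in counts.values() if n) < s.minclass:
        return f"fewer than {s.minclass} character classes (minclass)"

    # maxrepeat: identical consecutive characters such as 'aaa' (0 disables).
    run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        if s.maxrepeat > 0 and run > s.maxrepeat:
            return f"more than {s.maxrepeat} identical consecutive characters (maxrepeat)"

    # maxsequence: monotonic runs such as 12345 or fedcb, by code point (0 disables).
    up = down = 1
    for a, b in zip(pw, pw[1:]):
        if ord(b) == ord(a) + 1:
            up, down = up + 1, 1
        elif ord(b) == ord(a) - 1:
            down, up = down + 1, 1
        else:
            up = down = 1
        if s.maxsequence > 0 and max(up, down) > s.maxsequence:
            return f"monotonic sequence longer than {s.maxsequence} (maxsequence)"
    return None


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password12345!x", "Xk4!mQ9#pLw2$rTz7"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note what maxclassrepeat=3 does with these defaults: any ordinary word of four or more letters in a row is rejected before length is even considered, which is why "Password12345!x" fails on its second character class run rather than on minlen. Relaxing the credits to 0 turns them into pure length bonuses of zero, so minclass becomes the only composition rule left.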

cracklib_reject_username

Data type: Boolean

Don't let the username be used in password

Default value: true

cracklib_retry

Data type: Integer[0]

Prompt user at most N times before returning with error

Default value: 3

cracklib_badwords

Data type: Optional[Array[String[1],1]]

Array of words that must not be contained in the password. These are additional words to the cracklib dictionary check.

Default value: undef

cracklib_dictpath

Data type: Optional[StdLib::Absolutepath]

Path to the cracklib dictionaries. Default is to use the cracklib default.

Default value: undef

dictcheck

Data type: Integer[0]

If nonzero, check whether the password (with possible modifications) matches a word in a dictionary. Currently the dictionary check is performed using the cracklib library. This option will be ignored unless the OS major version is higher than 7.

Default value: 1

rm_pwquality_conf_d

Data type: Boolean

Remove the /etc/security/pwquality.conf.d directory and all contents.

  • This ensures authoritative management of pwquality without the ability of users to override our settings directly on the system.

Default value: true

deny

Data type: Integer[0]

The number of failed attempts before PAM denies a user from logging in.

Default value: 5

faillock

Data type: Boolean

Enable or disable the use of faillock

Default value: true

display_account_lock

Data type: Boolean

Display to the remote user that their account has been locked.

Default value: false

fail_interval

Data type: Integer[0]

The length of the interval, in seconds, within which consecutive authentication failures must occur to count towards deny.

Default value: 900

homedir_umask

Data type: Simplib::Umask

Sets the file mode creation mask of the user home directories

Default value: '0077'

manage_pwhistory_conf

Data type: Boolean

If true, password history settings will be managed inside of /etc/security/pwhistory.conf instead of inline in the pam auth files. This parameter will be ignored if the host is EL 7.

Default value: false

remember

Data type: Integer[0]

The last N passwords for each user are saved in $remember_file in order to force password change history and keep the user from alternating between the same password too frequently

Default value: 24

remember_retry

Data type: Integer[0]

Allow this many retries

Default value: 1

remember_for_root

Data type: Boolean

Remember the last $remember passwords for the root user.

Default value: true

remember_file

Data type: StdLib::Absolutepath

The location for user's remembered passwords to be saved.

Default value: '/etc/security/opasswd'

remember_debug

Data type: Boolean

If true, turn on debugging for pwhistory to syslog.

Default value: false

even_deny_root

Data type: Boolean

Enforce an account lockout for the root account.

Default value: true

root_unlock_time

Data type: Integer[0]

Allow access to the root account N seconds after it has been locked out.

  • Has no effect if even_deny_root is not set

Default value: 60

hash_algorithm

Data type: Pam::HashAlgorithm

The password hashing algorithm to use

Default value: 'sha512'

rounds

Data type: Integer[0]

Set the optional number of rounds of the SHA256, SHA512 and Blowfish password hashing algorithms to N

Default value: 10000

uid

Data type: Integer[0]

Allow user logins for users with UID higher than N

Default value: simplib::lookup('simp_options::uid::min', { 'default_value' => pick(fact('login_defs.uid_min'), 1000) })

unlock_time

Data type: Pam::AccountUnlockTime

Allow access to a user account N seconds after it has been locked out.

Default value: 900
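The lockout parameters deny, fail_interval, unlock_time, even_deny_root and root_unlock_time interact in ways that are easy to misread: failures are counted against the most recent failure, not the current time, and the unlock clock starts at the failure that completed the lockout. The following is an added illustration (not code from pupmod-simp-pam or from pam_faillock) that models that behaviour in memory with this module's defaults; the per-user tally that pam_faillock keeps on disk under faillock_log_dir is replaced by a dictionary, and the timestamps in the usage are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class FaillockPolicy:
    # Defaults are the pam class defaults documented above.
    deny: int = 5
    fail_interval: int = 900             # seconds
    unlock_time: Union[int, str] = 900   # seconds; 0 or 'never' means until an admin resets
    even_deny_root: bool = True
    root_unlock_time: int = 60


SIMP_DEFAULTS = FaillockPolicy()


class Faillock:
    """In-memory stand-in for the per-user tally files pam_faillock keeps."""

    def __init__(self, policy: FaillockPolicy = SIMP_DEFAULTS):
        self.policy = policy
        self._tally: Dict[str, List[int]] = {}

    def auth_failed(self, user: str, now: int) -> None:
        """authfail: record one more failure for the user."""
        self._tally.setdefault(user, []).append(now)

    def auth_succeeded(self, user: str, now: int) -> bool:
        """authsucc: a successful login clears the tally unless the account is locked."""
        if self.is_locked(user, now):
            return False
        self._tally[user] = []
        return True

    def counted_failures(self, user: str) -> int:
        """Failures that fall within fail_interval of the most recent failure."""
        times = self._tally.get(user, [])
        if not times:
            return 0
        latest = max(times)
        return sum(1 for t in times if t + self.policy.fail_interval >= latest)

    def is_locked(self, user: str, now: int) -> bool:
        p = self.policy
        if self.counted_failures(user) < p.deny:
            return False
        if user == "root":
            if not p.even_deny_root:
                return False            # root is exempt from lockout
            unlock = p.root_unlock_time  # only meaningful because even_deny_root is true
        else:
            unlock = p.unlock_time
        if unlock in (0, "never"):
            return True                  # stays locked until the tally is reset by hand
        latest = max(self._tally[user])
        return now <= latest + unlock


if __name__ == "__main__":
    fl = Faillock()
    for t in (100, 110, 120, 130, 140):   # constructed timestamps, seconds
        fl.auth_failed("alice", t)
    print("alice locked at t=150:", fl.is_locked("alice", 150))
    print("alice locked at t=1041:", fl.is_locked("alice", 1041))
```

Two consequences worth checking in your own settings: five failures spread more than fail_interval apart never lock the account, and with even_deny_root false the root_unlock_time value is never consulted, as the parameter description says.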

preserve_ac

Data type: Boolean

Keep the original -ac files around for reference

Default value: false

warn_if_unknown

Data type: Boolean

If a login request falls through to /etc/pam.d/other, log a warning that the service was not caught by any other PAM stack

Default value: true

oath

Data type: Boolean

Configure the system-auth PAM stack to use pam_oath TOTP. EXPERIMENTAL: inherits from simp_options::oath and defaults to false if that is not found.

  • WARNING: pupmod-simp-oath is a dependency of this option. If this is set to true without the oath module, you will be unable to log in locally!

Default value: simplib::lookup('simp_options::oath', { 'default_value' => false })

oath_window

Data type: Integer[0]

Sets the TOTP window (Defined in RFC 6238 section 5.2)

Default value: 1

deny_if_unknown

Data type: Boolean

If true, deny any access to an application whose login request falls all the way through the PAM stack to /etc/pam.d/other

Default value: true

use_netgroups

Data type: Boolean

Set PAM up to use NIS netgroups.

Default value: false

use_openshift

Data type: Boolean

Set PAM to work with OpenShift

Default value: false

sssd

Data type: Boolean

Set PAM to work with SSSD

Default value: simplib::lookup('simp_options::sssd', { 'default_value' => false })

tty_audit_users

Data type: Array[String[0]]

The users for which TTY auditing is enabled

  • Set to an empty Array to not audit TTY actions for any user

Default value: ['root']

su_content_extra

Data type: Optional[Array[String]]

User-specified content to be added to /etc/pam.d/su in addition to the rest of the templated content

Default value: undef

su_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/su instead of the templated content

Default value: undef

other_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/other instead of the templated content

Default value: undef

auth_sections

Data type: Pam::AuthSections

The PAM *-auth files to manage

  • Set to an empty Array to not manage any sections

Default value: ['fingerprint', 'system', 'password', 'smartcard']

cert_auth

Data type: Optional[Enum['try','require']]

If set, should choose either 'require' or 'try' to set 'require_cert_auth' or 'try_cert_auth' in the auth files

Default value: undef

inactive

Data type: Optional[Integer]

If set, the number of days a user may go without logging in before the account is locked

Default value: undef

auth_content_pre

Data type: Optional[Array[String]]

Content to prepend to the auth configs in addition to templated content

  • Set to an empty Array to not prepend any default content

Default value: undef

fingerprint_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/fingerprint_auth instead of the templated content

Default value: undef

system_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/system_auth instead of the templated content

Default value: undef

password_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/password_auth instead of the templated content

Default value: undef

smartcard_auth_content

Data type: Optional[String]

The content that should be used to fill /etc/pam.d/smartcard_auth instead of the templated content

Default value: undef

enable

Data type: Boolean

If you have included this module but want it to stop managing your configuration files set this to false

Default value: true

enable_warning

Data type: Boolean

Will issue a warning if this module is included but global catalyst simp_options::pam is set to false

Default value: true

enable_separator

Data type: Boolean

Enable a custom list separator. WARNING this setting may break pam_access on some platforms. Use with caution

Default value: true

separator

Data type: String[0]

Separator to use for user and origin lists

Default value: ','

disable_authconfig

Data type: Boolean

Disable authconfig from being used, as it breaks this module's reconfiguration of PAM.

Default value: true

use_authselect

Data type: Boolean

If true, the auth files managed by this module are created under a simp-specific directory and the original authselect-managed files simply include them. The file contents are generated in the same way; only their location and the include indirection differ.

Default value: simplib::lookup('simp_options::authselect', { 'default_value' => false })

auth_basedir

Data type: Optional[StdLib::Absolutepath]

The directory in which the auth files will be created

Default value: undef

package_ensure

Data type: Simplib::PackageEnsure

Ensure setting for all packages installed by this module

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })

manage_faillock_conf

Data type: Boolean

If true, the faillock parameters will be managed within /etc/security/faillock.conf instead of inline in the auth files. This parameter will be ignored on el7 and earlier systems.

Default value: false

faillock_log_dir

Data type: Optional[Stdlib::Absolutepath]

The directory where the user files with the failure records are kept.

Default value: undef

faillock_audit

Data type: Boolean

If true, log the user name into the system log if the user is not found.

Default value: true

faillock_no_log_info

Data type: Boolean

If true, don't log informative messages via syslog.

Default value: false

faillock_local_users_only

Data type: Boolean

If true, only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.

Default value: false

faillock_nodelay

Data type: Boolean

If true, don't enforce a delay after authentication failures.

Default value: false

faillock_admin_group

Data type: Optional[String]

If a group name is specified with this option, members of the group will be handled by this module the same as the root account.

Default value: undef

pam::access

Use pam::access::rule to manage access.conf entries and remember that order matters (first match wins)!

  • See also
    • access.conf(5)

Parameters

The following parameters are available in the pam::access class:

default_deny

Data type: Boolean

Add a "default deny" rule as the last match of the rule set

Default value: true

users

Data type: Optional[Hash]

A hash that can be used to create several pam::access::rule resources set in Hiera. Each member of the hash will be a resource (this example is from Hiera):

pam::access::users:
  defaults:
    origins:
      - ALL
    permission: '+'
  vagrant:
  '(simp)':
  test:
    origins:
      - 192.168.0.1/24
  baddude:
    permission: '-'

Default value: undef

access_file_mode

Data type: Stdlib::Filemode

File mode for /etc/security/access.conf

Default value: '0644'

pam::access::default_deny

Add a "default deny" rule to pam_access. Root is always allowed to log in locally for safety.

pam::config

Configuration class called from pam.

pam::install

Install the required PAM packages

pam::limits

Add entries with pam::limits::rule

  • See also
    • limits.conf(5)

Parameters

The following parameters are available in the pam::limits class:

rules

Data type: Optional[Hash]

A Hash that can be used to create pam::limits::rule resources via Hiera.

  • The Hash must be formatted suitably for passing directly into create_resource()
  • Remember that order matters

Example: Hiera formatted rules

pam::limits::rules:
  disable_core_for_user1:
    domains:
      - 'user1'
    type: 'hard'
    item: 'core'
    value: 0
    order: 50
  disable_core_for_all:
    domains:
      - '*'
    type: 'hard'
    item: 'core'
    value: 0
    order: 100

Default value: undef

pam::wheel

Enable wheel restrictions for su access

  • See also
    • pam_wheel(8)

Parameters

The following parameters are available in the pam::wheel class:

wheel_group

Data type: String[1]

What group should be the wheel equivalent

Default value: 'wheel'

root_only

Data type: Boolean

Only enforce wheel restrictions when changing to the root user

Default value: false

use_openshift

Data type: Boolean

Whether or not to configure things in such a way that the openshift puppet code is compatible

Default value: $pam::use_openshift

su_content_extra

Data type: Optional[Array[String]]

User-specified content added after rootok but before further templated content

Default value: $pam::su_content_extra

content

Data type: Optional[String[1]]

Optional custom content for file

Default value: $pam::su_content

Defined types

pam::access::rule

These entries are the permission:users:origins sets as defined in access.conf(5).

  • See also
    • access.conf(5)

Examples

Add administrator group access
pam::access::rule { 'administrators':
  permission => '+',
  users      => ['(administrators)'],
  origins    => ['ALL'],
  order      => 1000
}
Add everyone except group bad_guys
pam::access::rule { 'bad_guys':
  permission => '+',
  users      => ['ALL EXCEPT (bad_guys)'],
  origins    => ['ALL'],
  order      => 1000
}
Add everyone except the hippopotamus
pam::access::rule { 'but_not_the_hippopotamus':
  permission => '+',
  users      => ['ALL EXCEPT hippopotamus'],
  origins    => ['ALL'],
  order      => 1000
}
Allow group auditors from two specific hosts
pam::access::rule { 'auditors_from_trusted_nodes':
  permission => '+',
  users      => ['(auditors)'],
  origins    => ['1.2.3.4','5.6.7.8'],
  order      => 1000
}
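pam_access stops at the first matching line, and a request that matches no line at all is allowed, which is the whole reason pam::access appends a default deny. The following is an added illustration (not code from pupmod-simp-pam or from pam_access) that parses a constructed access.conf in the shape the examples above would produce once sorted by order, with the default deny last, and evaluates it first-match. It models only the subset of access.conf(5) syntax used on this page: ALL, LOCAL, EXCEPT, user names, (group) names, hosts or addresses, and a.b.c.d/n masks; netgroups and user@host forms are not handled, LOCAL is simplified to "origin contains no dot", and fields are split on whitespace rather than on the module's separator parameter.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample, ordered as pam::access::rule would emit the rules above.
ACCESS_CONF = """\
# permission : users : origins
+ : root : LOCAL
+ : (administrators) : ALL
+ : (auditors) : 1.2.3.4 5.6.7.8
+ : ALL EXCEPT (bad_guys) : 192.168.0.1/24
- : ALL : ALL
"""

Rule = Tuple[str, str, str]


def parse_access_conf(text: str) -> List[Rule]:
    """Return (permission, users, origins) triples in file order, comments stripped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users, origins))
    return rules


def _list_match(field: str, match_one: Callable[[str], bool]) -> bool:
    """Any token matches, unless the subject also matches a token after EXCEPT."""
    toks = field.split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")
        return (_list_match(" ".join(toks[:i]), match_one)
                and not _list_match(" ".join(toks[i + 1:]), match_one))
    return any(match_one(t) for t in toks)


def _user_matches(tok: str, user: str, groups: Iterable[str]) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups          # (group) syntax
    return tok == user


def _origin_matches(tok: str, origin: str) -> bool:
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return "." not in origin            # simplification: ttys and unqualified hosts
    if "/" in tok:
        try:                                # 192.168.0.1/24 is accepted like 192.168.0.0/24
            return ipaddress.ip_address(origin) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return tok.lower() == origin.lower()


def decide(rules: List[Rule], user: str, groups: Iterable[str], origin: str) -> Optional[str]:
    """First matching rule wins. None means nothing matched, which pam_access treats as allow."""
    groups = set(groups)
    for perm, users, origins in rules:
        if (_list_match(users, lambda t: _user_matches(t, user, groups))
                and _list_match(origins, lambda t: _origin_matches(t, origin))):
            return perm
    return None


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    print("mallory from LAN:", decide(rules, "mallory", ["bad_guys"], "192.168.0.77"))
    print("mallory, no default deny:", decide(rules[:-1], "mallory", ["bad_guys"], "203.0.113.9"))
```

The last call in the usage is the case default_deny exists for: without the trailing "- : ALL : ALL", a user who matches no rule is let in. Moving that deny line to the top (a lower order value than every allow) shadows the allows entirely, including the local root rule.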

Parameters

The following parameters are available in the pam::access::rule defined type:

name

Data type: String

A unique name for the resource

comment

Data type: Optional[String]

A comment to include with this entry

Default value: undef

permission

Data type: Enum['+','-']

If +, grant access. If -, revoke access

Default value: '+'

users

Data type: Array[String]

The users, groups, or netgroups to allow access to the system.

Syntax:
  • user: username
  • group: (groupname)
  • netgroup: @netgroup

  • Entries are not validated so complex expressions are allowed such as ALL EXCEPT (bad_guys)
origins

Data type: Array[String]

The locations from which users are allowed to login to the system

  • See access.conf(5) for the full list
order

Data type: Integer[1,9999999999]

The order in which you want this rule to appear

  • If you do not specify an order, the rules will be listed in alphanumeric order by name

Default value: 1000

pam::auth

This is only meant to be called via the main pam class. Documentation is identical to that in the pam class.

If you want to change the umask on dynamically created home directories, you'll need to set oddjob::mkhomedir::umask.

Parameters

The following parameters are available in the pam::auth defined type:

password_check_backend

Data type: Pam::PasswordBackends

Default value: $pam::password_check_backend

locale_file

Data type: Optional[Stdlib::Absolutepath]

Default value: $pam::locale_file

auth_content_pre

Data type: Optional[Array[String]]

Default value: $pam::auth_content_pre

manage_faillock_conf

Data type: Boolean

Default value: $pam::manage_faillock_conf

faillock_audit

Data type: Boolean

Default value: $pam::faillock_audit

faillock_no_log_info

Data type: Boolean

Default value: $pam::faillock_no_log_info

faillock_local_users_only

Data type: Boolean

Default value: $pam::faillock_local_users_only

faillock_nodelay

Data type: Boolean

Default value: $pam::faillock_nodelay

faillock_admin_group

Data type: Optional[String]

Default value: $pam::faillock_admin_group

cracklib_enforce_for_root

Data type: Boolean

Default value: $pam::cracklib_enforce_for_root

cracklib_reject_username

Data type: Boolean

Default value: $pam::cracklib_reject_username

cracklib_difok

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_difok

cracklib_maxrepeat

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_maxrepeat

cracklib_maxsequence

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_maxsequence

cracklib_maxclassrepeat

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_maxclassrepeat

cracklib_gecoscheck

Data type: Optional[Boolean]

Default value: $pam::cracklib_gecoscheck

cracklib_dcredit

Data type: Optional[Integer]

Default value: $pam::cracklib_dcredit

cracklib_ucredit

Data type: Optional[Integer]

Default value: $pam::cracklib_ucredit

cracklib_lcredit

Data type: Optional[Integer]

Default value: $pam::cracklib_lcredit

cracklib_ocredit

Data type: Optional[Integer]

Default value: $pam::cracklib_ocredit

cracklib_minclass

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_minclass

cracklib_minlen

Data type: Optional[Integer[0]]

Default value: $pam::cracklib_minlen

cracklib_retry

Data type: Integer[0]

Default value: $pam::cracklib_retry

oath

Data type: Boolean

Default value: $pam::oath

oath_window

Data type: Integer[0]

Default value: $pam::oath_window

deny

Data type: Integer[0]

Default value: $pam::deny

faillock

Data type: Boolean

Default value: $pam::faillock

faillock_log_dir

Data type: Optional[Stdlib::Absolutepath]

Default value: $pam::faillock_log_dir

display_account_lock

Data type: Boolean

Default value: $pam::display_account_lock

fail_interval

Data type: Integer[0]

Default value: $pam::fail_interval

manage_pwhistory_conf

Data type: Boolean

Default value: $pam::manage_pwhistory_conf

remember_debug

Data type: Boolean

Default value: $pam::remember_debug

remember

Data type: Integer[0]

Default value: $pam::remember

remember_retry

Data type: Integer[0]

Default value: $pam::remember_retry

remember_for_root

Data type: Boolean

Default value: $pam::remember_for_root

remember_file

Data type: Stdlib::Absolutepath

Default value: $pam::remember_file

even_deny_root

Data type: Boolean

Default value: $pam::even_deny_root

root_unlock_time

Data type: Integer[0]

Default value: $pam::root_unlock_time

hash_algorithm

Data type: Pam::HashAlgorithm

Default value: $pam::hash_algorithm

rounds

Data type: Integer[0]

Default value: $pam::rounds

uid

Data type: Integer[0]

Default value: $pam::uid

unlock_time

Data type: Pam::AccountUnlockTime

Default value: $pam::unlock_time

preserve_ac

Data type: Boolean

Default value: $pam::preserve_ac

use_netgroups

Data type: Boolean

Default value: $pam::use_netgroups

use_openshift

Data type: Boolean

Default value: $pam::use_openshift

sssd

Data type: Boolean

Default value: $pam::sssd

tty_audit_users

Data type: Array[String[0]]

Default value: $pam::tty_audit_users

separator

Data type: String[0]

Default value: $pam::separator

enable_separator

Data type: Boolean

Default value: $pam::enable_separator

inactive

Data type: Optional[Integer]

Default value: $pam::inactive

cert_auth

Data type: Optional[Enum['try','require']]

Default value: $pam::cert_auth

content

Data type: Optional[String]

Default value: undef

pam::limits::rule

Be aware that order matters: among entries of the same specificity, the LAST matching line in limits.conf takes effect. Note also that pam_limits gives a user-specific entry priority over a group entry regardless of position, so a per-user line is not overridden by a later @group or * line.

  • See also
    • limits.conf(5)

Examples

Enforce hard and soft disable on core dumps
pam::limits::rule { 'limit_core':
  domains => ['*'],
  type    => '-',
  item    => 'core',
  value   => 0,
  order   => 1
}
Only allow 2 administrators to login at once
pam::limits::rule { 'limit_admins':
  domains => ['%administrators', '%wheel'],
  type    => 'hard',
  item    => 'maxlogins',
  value   => 2,
  order   => 1
}

Parameters

The following parameters are available in the pam::limits::rule defined type:

name

Data type: String

A descriptive name for your resource

domains

Data type: Array[String]

The domains to which these limits should apply

  • One entry will be created per domain, in listed order
  • See the <domain> section of limits.conf(5) for details
item

Data type: Pam::Limits::Item

The item to which these limits should apply

  • See the <item> section of limits.conf(5) for details
value

Data type: Pam::Limits::Value

The value to apply to the item and domains

  • See the <item> section of limits.conf(5) for details
type

Data type: Enum['hard','soft','-']

The type to apply to the item and domains

  • See the <type> section of limits.conf(5) for details

Default value: '-'

order

Data type: Integer[0]

The order in which this rule should appear

  • If you don't specify an order, the rules will be listed in alphanumeric order by name

Default value: 1000

Data types

Pam::AccountUnlockTime

Valid account unlock values

Alias of Variant[Integer[0], Enum['never']]

Pam::AuthSections

Valid PAM auth sections

Alias of

Array[Enum[
  'fingerprint',
  'system',
  'password',
  'smartcard'
]]

Pam::HashAlgorithm

Valid PAM password hash algorithms

Alias of Enum['md5', 'bigcrypt', 'sha256', 'sha512', 'blowfish']

Pam::Limits::Item

Valid PAM limits

Alias of Enum['core', 'data', 'fsize', 'memlock', 'nofile', 'rss', 'stack', 'cpu', 'nproc', 'as', 'maxlogins', 'maxsyslogins', 'priority', 'locks', 'sigpending', 'msgqueue', 'nice', 'rtprio']

Pam::Limits::Value

Valid PAM limit values

Alias of Variant[Enum['unlimited','infinity'], Integer]

Pam::PasswordBackends

Valid PAM password validation backends

Alias of Enum['cracklib', 'pwquality']