pam
PAM modules, /etc/security/limits.conf and /etc/securetty management
Version information
released May 27th 2020
This version is compatible with:
- Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 3.8.0
- , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'eyp-pam', '0.1.24'
Learn more about managing modules with a PuppetfileDocumentation
eyp/pam — version 0.1.24 May 27th 2020
pam
Table of Contents
Overview
PAM modules, /etc/security/limits.conf and /etc/securetty management
Module Description
PAM module management for RHEL and derivatives, partial support for Ubuntu
pam::lockout
CIS compliance using pam_faillock for CentOS 6 and 7:
# cat /etc/pam.d/password-auth
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth include password-auth-ac
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
account required pam_faillock.so
account include password-auth-ac
password include password-auth-ac
session include password-auth-ac
# cat /etc/pam.d/system-auth
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth include system-auth-ac
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
account required pam_faillock.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
Setup
What pam affects
- /etc/security/limits.conf
- system-auth config (/etc/pam.d)
Setup Requirements
This module requires pluginsync enabled
Beginning with pam
limits
class { "limits": }
limits::limit { "nofile *":
domain => "*",
item => 'nofile',
value => '123456',
}
limits::limit { "nproc *":
domain => "*",
item => 'nproc',
value => '123456',
}
This will generate the following entries:
* - nofile 123456
* - nproc 123456
Usage
Put the classes, types, and resources for customizing, configuring, and doing the fancy stuff with your module here.
Reference
defines
pam::limit
All items support the values -1, unlimited or infinity indicating no limit, except for priority and nice.
- domain: user, %group or * (means all)
- type: soft, hard or - (means both)
- item: can be one of the following:
- core - limits the core file size (KB)
- data - max data size (KB)
- fsize - maximum filesize (KB)
- memlock - max locked-in-memory address space (KB)
- nofile - max number of open files
- rss - max resident set size (KB)
- stack - max stack size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- as - address space limit (KB)
- maxlogins - max number of logins for this user
- maxsyslogins - max number of logins on the system
- priority - the priority to run user process with
- locks - max number of file locks the user can hold
- sigpending - max number of pending signals
- msgqueue - max memory used by POSIX message queues (bytes)
- nice - max nice priority allowed to raise to values: [-20, 19]
- rtprio - max realtime priority
- chroot - change root to directory (Debian-specific)
- value: value for item
Limitations
- Partial Ubuntu support
Development
We are pushing to have acceptance testing in place, so any new feature should have some test to check both presence and absence of any feature
TODO
- improve Ubuntu support
Contributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Added some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request
CHANGELOG
0.1.24
- pam::lockout
- added support for Ubuntu 18.04
0.1.23
- Added support for RHEL 8
0.1.22
- dropped descriptions for cracklib facts
0.1.21
- Added support for Ubuntu to pam::unix
0.1.20
- renamed cracklib facts to pam_cracklib
0.1.19
- added support for Ubuntu 16.04 and 18.04 to pam::cracklib using libpam-pwquality
0.1.18
- Added support for SLES 12.4
0.1.17
- Added flag to disable security/limits.conf management: pam::manage_security_limits
- Updated medatata for SLES
0.1.16
- added ensure to pam::securetty
- basic Ubuntu 18.04 support
0.1.15
- added ensure to pam::ttyaudit
0.1.14
- improved CIS support by setting an arbitrary option order
0.1.13
- changed default settings for pam::lockout
0.1.12
- allow empty securetty file
0.1.11
- added pam::securetty
0.1.10
- moved audit::tty to pam::ttyaudit
0.1.9
- updated module dependencies
0.1.8
- fixed dependency for pam::unix
0.1.7
- added remember to pam::unix
0.1.6
- added pam::wheel
0.1.5
- added user_whitelist to disable account locking for a given set of users
0.1.4
- fixed ubuntu restrictions
0.1.3
- pam::lockout for centos6 and centos7 implemented using pam_faillock
0.1.2
- bugfix limits
0.1.1
- merged eyp-limits to this module
0.1.0
- initial release
Dependencies
- puppetlabs/stdlib (>= 1.0.0 < 9.9.9)
- puppetlabs/concat (>= 1.2.3 < 9.9.9)
- eyp/eyplib (>= 0.1.0 < 0.2.0)