
pam

PAM modules, /etc/security/limits.conf and /etc/securetty management

jordi prats

eyp

8,381 downloads (1,271 for the latest version), quality score 5.0

Version information

  • 0.1.24 (latest)
  • 0.1.21
  • 0.1.9
  • 0.1.7
released May 27th 2020
This version is compatible with:
  • Puppet Enterprise 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 3.8.0
  • RedHat, CentOS, Scientific, OEL, OracleLinux, Ubuntu, SLES

Start using this module

Add this declaration to your Puppetfile (r10k or Code Manager):

mod 'eyp-pam', '0.1.24'

Add this module to a Bolt project:

bolt module add eyp-pam

Manually install this module globally with the Puppet module tool:

puppet module install eyp-pam --version 0.1.24

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

eyp/pam — version 0.1.24 May 27th 2020

pam

Table of Contents

  1. Overview
  2. Module Description
  3. Setup
  4. Usage
  5. Reference
  6. Limitations
  7. Development

Overview

PAM modules, /etc/security/limits.conf and /etc/securetty management

Module Description

PAM module management for RHEL and derivatives, partial support for Ubuntu

pam::lockout

CIS compliance using pam_faillock for CentOS 6 and 7:

# cat /etc/pam.d/password-auth
auth        required       pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        include        password-auth-ac
auth        [default=die]  pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient     pam_faillock.so authsucc audit deny=5 unlock_time=900

account     required       pam_faillock.so
account     include        password-auth-ac

password    include        password-auth-ac

session     include        password-auth-ac

# cat /etc/pam.d/system-auth
auth        required       pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        include        system-auth-ac
auth        [default=die]  pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient     pam_faillock.so authsucc audit deny=5 unlock_time=900

account     required       pam_faillock.so
account     include        system-auth-ac

password    include        system-auth-ac

session     include        system-auth-ac
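A small compliance check for the lockout stack shown above, added here as an example (it is not part of the eyp-pam module): it parses a pam.d file, and verifies that the pam_faillock preauth line sits before the auth include with control required, that the authfail line sits after it with [default=die], that both carry deny and unlock_time within the thresholds, and that the account section requires pam_faillock. The sample input is the password-auth stack reproduced from the text; the thresholds (deny at most 5, unlock_time at least 900) are taken from the same lines.

```python
import re

# Constructed sample input: the CentOS 7 password-auth stack from the
# pam::lockout section above.
SAMPLE_PASSWORD_AUTH = """\
auth        required       pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        include        password-auth-ac
auth        [default=die]  pam_faillock.so authfail audit deny=5 unlock_time=900
auth        sufficient     pam_faillock.so authsucc audit deny=5 unlock_time=900
account     required       pam_faillock.so
account     include        password-auth-ac
"""
# groups: type, control (bare word or [bracketed]), module, module arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse pam.d lines into (type, control, module, {arg: value}) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := LINE_RE.match(line):
            mtype, control, module, rest = m.groups()
            args = dict(tok.partition("=")[::2] for tok in rest.split())
            entries.append((mtype, control, module, args))
    return entries

def check_faillock(text, max_deny=5, min_unlock=900):
    """Return findings (empty list = stack matches the layout shown above)."""
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    # preauth must precede the first auth 'include'; authfail must follow it
    include = next((i for i, e in enumerate(auth) if e[1] == "include"), len(auth))
    findings = []
    for mode, control, before in (("preauth", "required", True),
                                  ("authfail", "[default=die]", False)):
        hits = [i for i, e in enumerate(auth)
                if e[2] == "pam_faillock.so" and mode in e[3] and e[1] == control]
        if not hits:
            findings.append(f"no 'auth {control} pam_faillock.so {mode}' line")
            continue
        if (hits[0] < include) != before:
            findings.append(f"{mode} line is on the wrong side of the auth include")
        args = auth[hits[0]][3]
        if not args.get("deny", "").isdigit() or int(args["deny"]) > max_deny:
            findings.append(f"{mode}: deny missing or above {max_deny}")
        if not args.get("unlock_time", "").isdigit() or int(args["unlock_time"]) < min_unlock:
            findings.append(f"{mode}: unlock_time missing or below {min_unlock}")
    if not any(e[:3] == ("account", "required", "pam_faillock.so") for e in entries):
        findings.append("no 'account required pam_faillock.so' line")
    return findings
```

Run it against a real file with `check_faillock(open("/etc/pam.d/password-auth").read())`; an empty list means the stack matches the layout above, anything else names the deviation.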

Setup

What pam affects

  • /etc/security/limits.conf
  • system-auth config (/etc/pam.d)

Setup Requirements

This module requires pluginsync to be enabled.

Beginning with pam

limits

class { 'pam': }

# pam::limit is the define documented in the Reference section below;
# type defaults to '-' (both soft and hard)
pam::limit { 'nofile *':
  domain => '*',
  item   => 'nofile',
  value  => '123456',
}

pam::limit { 'nproc *':
  domain => '*',
  item   => 'nproc',
  value  => '123456',
}

This will generate the following entries in /etc/security/limits.conf (domain, type, item, value; the '-' type applies the limit as both soft and hard):

* - nofile 123456
* - nproc 123456

Usage

Put the classes, types, and resources for customizing, configuring, and doing the fancy stuff with your module here.

Reference

defines

pam::limit

All items support the values -1, unlimited or infinity, indicating no limit, except for priority and nice.

  • domain: user, %group or * (means all)
  • type: soft, hard or - (means both)
  • item: can be one of the following:
      ◦ core - limits the core file size (KB)
      ◦ data - max data size (KB)
      ◦ fsize - maximum filesize (KB)
      ◦ memlock - max locked-in-memory address space (KB)
      ◦ nofile - max number of open files
      ◦ rss - max resident set size (KB)
      ◦ stack - max stack size (KB)
      ◦ cpu - max CPU time (MIN)
      ◦ nproc - max number of processes
      ◦ as - address space limit (KB)
      ◦ maxlogins - max number of logins for this user
      ◦ maxsyslogins - max number of logins on the system
      ◦ priority - the priority to run user process with
      ◦ locks - max number of file locks the user can hold
      ◦ sigpending - max number of pending signals
      ◦ msgqueue - max memory used by POSIX message queues (bytes)
      ◦ nice - max nice priority allowed to raise to, values: [-20, 19]
      ◦ rtprio - max realtime priority
      ◦ chroot - change root to directory (Debian-specific)
  • value: value for item

Limitations

  • Partial Ubuntu support

Development

We are pushing to have acceptance testing in place, so any new feature should have some test to check both the presence and the absence of that feature.

TODO

  • improve Ubuntu support

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Added some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request