Version information
released Jun 28th 2018
This version is compatible with:
- Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.7.0 < 5.0.0
- ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-pam', '6.2.1'
Learn more about managing modules with a PuppetfileDocumentation
simp/pam — version 6.2.1 Jun 28th 2018
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide and visit our developer wiki.
Work in Progress
Please excuse us as we transition this code into the public domain.
Downloads, discussion, and patches are still welcome!
- Mon Apr 30 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.1-0
- Allow users to change the password hash algorithm
- Allow users to enable/disable enforcing password policies for
root
- Update compliance tests to work with inspec profiles and compliance engine enforcement.
- Mon Apr 16 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.1-0
- Set the default cracklib_maxclassrepeat to 3.
- Mon Feb 12 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
- Fri Feb 09 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.2.0-0
- Update the pam::unlock_time parameter to accept 'never' as a value per the man page and in accordance with the DISA STIG
- Wed Jan 24 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0-0
- Replace authconfig and authconfig-tui links to a no-op script, instead of removing them. This does not break tools that use authconfig.
- Use simp_options::package_ensure, when available
- Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0-0
- Set the minimum UID allowed onto the system to the default defined in /etc/login.defs or 1000 if not otherwise defined
- Fri Sep 22 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.1.0-0
- Changed password checking from pam_cracklib.so to pam_pwquality.so for EL7
- Fri Sep 22 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 6.1.0-0
- Enable pam_tty_audit for sudo
- Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.4-0
- Add concat dependency to metadata.json
- Update concat dependency in build/rpm_metadata/requires
- Tue May 23 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.3-0
- Fixed docs in pam::limits::rule
- Update puppet requirement in metadata.json
- Wed Apr 05 2017 Liz Nemsick lnemsick.simp@gmail.com - 6.0.2-0
- fixed puppet strings documentation in access.pp
-
Mon Mar 15 2017 Nicholas Hughes nicholasmhughes@gmail.com - 6.0.1-0
- corrected location of authconfig binaries
-
Mon Feb 13 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0
- When using list separator you can't have spaces between identifiers in access.conf if your separator is not a space. It then includes spaces as part of the name so we are removing spaces from the access file. Dylan also added changes that wrap the use of separator in boolean.
- Tue Jan 17 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0-0
- Added feature to add pam::access::manage resources from hiera
- Thu Jan 12 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Changed the following for the SSG:
- minimum length now set to 15
- Wed Dec 21 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.0.0-0
- corrected error for lookup
- Fixed comments and aligned variables to make it look pretty.
- update simplib version to include new types.
- renamed pam::access::manage to pam::access::rule
- renamed pam::limits::add to pam::limits::rule
- Added strong types and updated Global catalists.
- Removed NSCD logic.
- Wed Nov 30 2016 Nick Miller nick.miller@onyxpoint.com - 5.0.1-0
- Added a generic content option to replace all templated PAM configurations
- Setting use_templates to false will enable them
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 5.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Thu Aug 25 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.5-0
- Update to pam_pwhistory.so to fix local user login failures due to SELinux policy updates affecting /etc/security/opasswd in EL7.
- Mon Aug 15 2016 Nick Miller nick.miller@onyxpoint.com - 4.2.4-0
- Reverted STIG password policy compliance changes
- Fri Aug 05 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.3-0
- Updated system-auth values to be STIG compliant.
- Thu Jul 07 2016 Liz Nemsick elizabeth.nemsick@uscontracting.us - 4.2.2-0
- Added use of pam_tty_audit in system-auth, password-auth, and fingerprint-auth.
- Updated module to use new rake helper to auto-generate RPM .spec file.
- Fixed bug related to pam::display_account_lock.
- Wed Mar 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.1-0
- Move pam_oddjob_mkhomedir below pam_sssd in the stack due to a odd SELinux-related bug which prevented users from logging into systems via SSH.
- Mon Mar 14 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-0
- Ensure that EL6.7+ uses SSSD over NSCD
- Tue Feb 23 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-14
- Added compliance function support
- Wed Nov 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Updated to enable SSSD properly now that most of the major items have been resolved upstream.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-13
- Migration to simplib and simpcat (lib/ only)
- Tue Oct 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-12
- Removed all calls to the lsb facts and replaced them with 'operatingsystem' facts
- Fri Sep 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-11
- Moved pam_mkhomedir to before pam_systemd to fix issues with systemd subsystem failures occuring due to a lack of a home directory.
- Sat May 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Slight update to more closely align with the STIG.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Changed puppet-server requirement to puppet
- Thu Oct 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Updated the mode on limits.conf and access.conf to be non-executable.
- Changed the mode on access.conf to be world readable so that the RHEL7 screensaver can unlock properly.
- Wed Oct 01 2014 Trevor Vaughan tvaughan@onxypoint.com - 4.1.0-7
- Added options to the auth configs in PAM to ensure that GDM works properly in RHEL7.
- Thu Sep 04 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 4.1.0-6
- Added optional pam_systemd module to access template. This will only work if present on the system and is required for CentOS/RHEL 7
- Fri Jul 25 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-5
- Added oddjob support for creating home directories for setting correct SELinux contexts on created home directories. See: https://bugzilla.redhat.com/show_bug.cgi?id=447096#c3
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Removed MD5 file checksums for FIPS compliance.
- Thu Apr 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Added full support for access.conf and removed groupaccess.conf since it is no longer required. pam::access::manage should now be used instead of pam::groupaccess::modify.
- Renamed pam::access_conf and pam::limits_conf to pam::access and pam::limits respectively.
- Moved pam::limits::add_limit to pam::limits::add
- Mon Feb 10 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Updates to fully support OpenShift.
- Added OpenSCAP support.
- Tue Jan 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Added proper support to the wheel class for OpenShift support so that it does not conflict with the base classes from openshift_origin.
- Tue Oct 22 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Converted groupaccess over to using simp_file_line instead of concat.
- Cleaned up the PAM settings quite a bit and now using a single template for all -auth files in /etc/pam.d.
- pam_faillock no longer causes spurious failed logins with sudo.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-7
- Updated all erb templates to properly scope variables.
- Added variables to init.pp to make templates more configurable.
- Wed Oct 02 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-6
- Use 'versioncmp' for all version comparisons.
- Mon Feb 25 2013 Maintenance - 4.0-5
- Added a call to $::rsync_timeout to the rsync call since it is now required.
- Tue Jul 24 2012 Maintenance - 4.0.0-4
- Added maxclassrepeat=3 and gecoscheck to the cracklib line.
- Removed the *credit items from the cracklib line. We have minclass=3 which is good enough and having the rest in there was confusing.
- Wed Jun 13 2012 Maintenance - 4.0.0-3
- Fixed a bug where the other *-auth files in pam.d were not updated to handle faillock properly.
- Wed May 16 2012 Maintenance - 4.0.0-2
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance - 4.0.0-1
- Improved test stubs.
- Fri Feb 10 2012 Maintenance - 4.0.0-0
- Updated the PAM template to handle faillog as the new default in RHEL6.
- Added tests for verifying that a user account lockout happens after 5 tries, can be unlocked, and functions properly after that.
- Tue Dec 20 2011 Maintenance - 2.0.0-5
- Updated the spec file to not require a separate file list.
- Added a line to allow the local 'wheel' group to get to su and bypass checking the alternately set group. This allows the alternate group to be in LDAP and the local group to be able to su when LDAP is down or an emergency user is local.
- Thu Oct 27 2011 Maintenance - 2.0.0-4
- Added the new 'auth' portions of pam.d and removed everything except for 'other' from the rsync segment of pam.d.
- Mon Oct 10 2011 Maintenance - 2.0.0-3
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Updated to work around the issue where SSSD can't update shadow fields in LDAP.
- Tue Jun 07 2011 Maintenance - 2.0.0-2
- Rearranged items in system-auth so that fewer erroneous errors would be thrown on login. You'll still get them if logging in as a local user. Red Hat is aware of the issue.
- Fixed this module for the case where $use_sssd does not exist.
- Default password length is now 14
- Removed nullok to prevent all blank password usage
- Added support for wheel in 'su' via pam::wheel
- Set pam_lastlog
- Tue Apr 05 2011 Maintenance - 2.0.0-1
- Added support to system-auth for SSSD.
- Updated to use rsync native type
- Updated system-auth to enforce a stronger default password set.
- This needs to be templated but not for 2.0.0-Beta.
- Updated to use concat_build and concat_fragment types
- Tue Jan 11 2011 Maintenance - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Mon Jan 10 2011 Maintenance - 1.0-4
- Updated the PAM configuration to fix an issue where pam_unix.so was set to default=ignore. This is definitely not what you want.
- Thu Nov 04 2010 Maintenance - 1.0-3
- pam_tally2 still wasn't properly taking effect. Should be corrected.
- This update adds the ability to modify the delay after a failed login via PAM. FAIL_DELAY by itself doesn't do anything without the addition of pam_faildelay.so this item was added to the default PAM config.
- Tue Oct 26 2010 Maintenance - 1.0-2
- Converting all spec files to check for directories prior to copy.
- Tue Aug 10 2010 Maintenance - 1.0-1
- Rearranged the pam_tally2 items in system-auth.erb to ensure that account lockouts are taking effect properly.
- Fri Jun 04 2010 Maintenance - 1.0-0
- Modified the system-auth.erb file to:
- Get rid of session messages in /var/log/secure when cron runs.
- Ensure that cron can run without having a user in the groupaccess.conf file.
- Skip pam_ldap if pam_unix succeeds.
- Code refactor and update
- Added 'Tidy' statements to match the rest of the multi-build patterns.
- Fixed a problem with pam_succeed_if.so uid=0 causing auid to be set to -1. Changed to user = root.
- Changed the pam_mkhomedir call to be 'optional' instead of 'required'. This allows users to login even if their home directory can't be created.
- Fri Feb 05 2010 Maintenance - 0.1-10
- Fixed some incorrect settings with pam_cracklib.so and added in some new checking functionality for repeated characters and username matching.
- Removed the necessity of the rootaccess file. This does mean that root can su to any user but completely prevents root lockouts.
Dependencies
- puppetlabs/concat (>= 2.2.0 < 5.0.0)
- puppetlabs/stdlib (>= 4.13.1 < 5.0.0)
- simp/oddjob (>= 2.0.0 < 3.0.0)
- simp/simplib (>= 3.9.0 < 4.0.0)
pupmod-simp-pam - A Puppet Module for managing PAM -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.