(SIMP-2946) Change pam_cracklib to pam_pwquality (#48)

* Changed pam_cracklib.so to pam_pwquality.so in EL7 pam.d files * Add /etc/security/pwquality.conf file * Fixed some puppet strings information SIMP-3761 #close SIMP-3762 #close SIMP-2946 #close
simp · Sep 26, 2017 · 411f10f · 411f10f
1 parent 7f151ca
commit 411f10f
Show file tree

Hide file tree

Showing 55 changed files with 1,065 additions and 160 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+* Fri Sep 22 2017 Jeanne Greulich <[email protected]> - 6.1.0-0
+- Changed password checking from pam_cracklib.so to pam_pwquality.so for EL7
+
 * Fri Sep 22 2017 Chris Tessmer <[email protected]> - 6.1.0-0
 - Enable pam_tty_audit for sudo
 
@@ -150,52 +153,43 @@
 * Wed Oct 02 2013 Trevor Vaughan <[email protected]> - 4.0.0-6
 - Use 'versioncmp' for all version comparisons.
 
-* Mon Feb 25 2013 Maintenance
-4.0-5
+* Mon Feb 25 2013 Maintenance - 4.0-5
 - Added a call to $::rsync_timeout to the rsync call since it is now required.
 
-* Tue Jul 24 2012 Maintenance
-4.0.0-4
+* Tue Jul 24 2012 Maintenance - 4.0.0-4
 - Added maxclassrepeat=3 and gecoscheck to the cracklib line.
 - Removed the *credit items from the cracklib line. We have minclass=3 which is
   good enough and having the rest in there was confusing.
 
-* Wed Jun 13 2012 Maintenance
-4.0.0-3
+* Wed Jun 13 2012 Maintenance - 4.0.0-3
 - Fixed a bug where the other *-auth files in pam.d were not updated to handle
   faillock properly.
 
-* Wed May 16 2012 Maintenance
-4.0.0-2
+* Wed May 16 2012 Maintenance - 4.0.0-2
 - Moved mit-tests to /usr/share/simp...
 - Updated pp files to better meet Puppet's recommended style guide.
 
-* Fri Mar 02 2012 Maintenance
-4.0.0-1
+* Fri Mar 02 2012 Maintenance - 4.0.0-1
 - Improved test stubs.
 
-* Fri Feb 10 2012 Maintenance
-4.0.0-0
+* Fri Feb 10 2012 Maintenance - 4.0.0-0
 - Updated the PAM template to handle faillog as the new default in
   RHEL6.
 - Added tests for verifying that a user account lockout happens after 5 tries,
   can be unlocked, and functions properly after that.
 
-* Tue Dec 20 2011 Maintenance
-2.0.0-5
+* Tue Dec 20 2011 Maintenance - 2.0.0-5
 - Updated the spec file to not require a separate file list.
 - Added a line to allow the local 'wheel' group to get to su and bypass
   checking the alternately set group. This allows the alternate group to be in
   LDAP and the local group to be able to su when LDAP is down or an emergency
   user is local.
 
-* Thu Oct 27 2011 Maintenance
-2.0.0-4
+* Thu Oct 27 2011 Maintenance - 2.0.0-4
 - Added the new 'auth' portions of pam.d and removed everything except for
   'other' from the rsync segment of pam.d.
 
-* Mon Oct 10 2011 Maintenance
-2.0.0-3
+* Mon Oct 10 2011 Maintenance - 2.0.0-3
 - Updated to put quotes around everything that need it in a comparison
   statement so that puppet > 2.5 doesn't explode with an undef error.
 - Updated to work around the issue where SSSD can't update shadow fields in
@@ -234,13 +228,11 @@
 * Tue Oct 26 2010 Maintenance - 1.0-2
 - Converting all spec files to check for directories prior to copy.
 
-* Tue Aug 10 2010 Maintenance
-1.0-1
+* Tue Aug 10 2010 Maintenance - 1.0-1
 - Rearranged the pam_tally2 items in system-auth.erb to ensure that account
   lockouts are taking effect properly.
 
-* Fri Jun 04 2010 Maintenance
-1.0-0
+* Fri Jun 04 2010 Maintenance - 1.0-0
 - Modified the system-auth.erb file to:
   - Get rid of session messages in /var/log/secure when cron runs.
   - Ensure that cron can run without having a user in the groupaccess.conf file.
@@ -251,8 +243,7 @@
 - Changed the pam_mkhomedir call to be 'optional' instead of 'required'. This
   allows users to login even if their home directory can't be created.
 
-* Fri Feb 05 2010 Maintenance
-0.1-10
+* Fri Feb 05 2010 Maintenance - 0.1-10
 - Fixed some incorrect settings with pam_cracklib.so and added in some new
   checking functionality for repeated characters and username matching.
 - Removed the necessity of the rootaccess file. This does mean that root can su

diff --git a/build/rpm_metadata/requires b/build/rpm_metadata/requires
@@ -1,9 +1,10 @@
-Obsoletes: pupmod-pam-test >= 0.0.1
-Requires: pupmod-puppetlabs-concat < 4.0.0-0
-Requires: pupmod-puppetlabs-concat >= 2.2.0-0
-Requires: pupmod-puppetlabs-stdlib < 5.0.0-0
-Requires: pupmod-puppetlabs-stdlib >= 4.13.1-0
-Requires: pupmod-simp-oddjob < 3.0.0-0
-Requires: pupmod-simp-oddjob >= 2.0.0-0
-Requires: pupmod-simp-simplib < 4.0.0-0
-Requires: pupmod-simp-simplib >= 3.1.0-0
+Requires: pupmod-puppetlabs-concat >= 2.2.0
+Requires: pupmod-puppetlabs-concat < 4.0.0
+Requires: pupmod-puppetlabs-stdlib >= 4.13.1
+Requires: pupmod-puppetlabs-stdlib < 5.0.0
+Requires: pupmod-simp-oddjob >= 2.0.0
+Requires: pupmod-simp-oddjob < 3.0.0
+Requires: pupmod-simp-simpcat >= 6.0.0
+Requires: pupmod-simp-simpcat < 7.0.0
+Requires: pupmod-simp-simplib >= 3.1.0
+Requires: pupmod-simp-simplib < 4.0.0
diff --git a/data/common.yaml b/data/common.yaml
@@ -0,0 +1,2 @@
+---
+pam::password_check_backend: 'cracklib'
diff --git a/data/os/RedHat-6.yaml b/data/os/RedHat-6.yaml
@@ -0,0 +1,2 @@
+---
+pam::password_check_backend: 'cracklib'
diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml
@@ -0,0 +1,2 @@
+---
+pam::password_check_backend: 'pwquality'
diff --git a/hiera.yaml b/hiera.yaml
@@ -0,0 +1,16 @@
+---
+version: 4
+datadir: data
+hierarchy:
+  - name: "OSFamily + Release"
+    backend: "yaml"
+    path: "os/%{facts.osfamily}-%{facts.operatingsystemmajrelease}"
+  - name: "OSFamily"
+    backend: "yaml"
+    path: "os/%{facts.osfamily}"
+  - name: "Kernel"
+    backend: "yaml"
+    path: "os/%{facts.kernel}"
+  - name: "Common"
+    backend: "yaml"
+    path: "common"
diff --git a/manifests/access/rule.pp b/manifests/access/rule.pp
@@ -37,7 +37,7 @@
 #     order      => 1000
 #   }
 #
-# @aaram name [String]
+# @param name [String]
 #   A unique name for the resource
 #
 # @param comment
@@ -46,7 +46,7 @@
 # @param permission
 #   If +, grant access. If -, revoke access
 #
-# users
+# @param users
 #   The users, groups, or netgroups to allow access to the system.
 #
 #   Syntax:

diff --git a/manifests/auth.pp b/manifests/auth.pp
@@ -22,6 +22,7 @@
 # @param cracklib_retry
 # @param deny
 # @param display_account_lock
+# @param enable_separator
 # @param fail_interval
 # @param remember
 # @param remember_retry
@@ -33,43 +34,45 @@
 # @param preserve_ac
 # @param use_netgroups
 # @param use_openshift
+# @param separator
 # @param sssd
 # @param tty_audit_users
 # @param content
 #
 define pam::auth (
-  Integer          $cracklib_difok            = $::pam::cracklib_difok,
-  Integer          $cracklib_maxrepeat        = $::pam::cracklib_maxrepeat,
-  Integer          $cracklib_maxsequence      = $::pam::cracklib_maxsequence,
-  Integer          $cracklib_maxclassrepeat   = $::pam::cracklib_maxclassrepeat,
-  Boolean          $cracklib_reject_username  = $::pam::cracklib_reject_username,
-  Boolean          $cracklib_gecoscheck       = $::pam::cracklib_gecoscheck,
-  Boolean          $cracklib_enforce_for_root = $::pam::cracklib_enforce_for_root,
-  Integer          $cracklib_dcredit          = $::pam::cracklib_dcredit,
-  Integer          $cracklib_ucredit          = $::pam::cracklib_ucredit,
-  Integer          $cracklib_lcredit          = $::pam::cracklib_lcredit,
-  Integer          $cracklib_ocredit          = $::pam::cracklib_ocredit,
-  Integer          $cracklib_minclass         = $::pam::cracklib_minclass,
-  Integer          $cracklib_minlen           = $::pam::cracklib_minlen,
-  Integer          $cracklib_retry            = $::pam::cracklib_retry,
-  Integer          $deny                      = $::pam::deny,
-  Boolean          $display_account_lock      = $::pam::display_account_lock,
-  Integer          $fail_interval             = $::pam::fail_interval,
-  Integer          $remember                  = $::pam::remember,
-  Integer          $remember_retry            = $::pam::remember_retry,
-  Boolean          $remember_for_root         = $::pam::remember_for_root,
-  Integer          $root_unlock_time          = $::pam::root_unlock_time,
-  Integer          $rounds                    = $::pam::rounds,
-  Integer          $uid                       = $::pam::uid,
-  Integer          $unlock_time               = $::pam::unlock_time,
-  Boolean          $preserve_ac               = $::pam::preserve_ac,
-  Boolean          $use_netgroups             = $::pam::use_netgroups,
-  Boolean          $use_openshift             = $::pam::use_openshift,
-  Boolean          $sssd                      = $::pam::sssd,
-  Array[String]    $tty_audit_users           = $::pam::tty_audit_users,
-  String           $separator                 = $::pam::separator,
-  Boolean          $enable_separator          = $::pam::enable_separator,
-  Optional[String] $content                   = undef
+  Pam::PasswordBackends $password_check_backend    = $::pam::password_check_backend,
+  Boolean               $cracklib_enforce_for_root = $::pam::cracklib_enforce_for_root,
+  Boolean               $cracklib_reject_username  = $::pam::cracklib_reject_username,
+  Integer               $cracklib_retry            = $::pam::cracklib_retry,
+  Optional[Integer]     $cracklib_difok            = $::pam::cracklib_difok,
+  Optional[Integer]     $cracklib_maxrepeat        = $::pam::cracklib_maxrepeat,
+  Optional[Integer]     $cracklib_maxsequence      = $::pam::cracklib_maxsequence,
+  Optional[Integer]     $cracklib_maxclassrepeat   = $::pam::cracklib_maxclassrepeat,
+  Optional[Boolean]     $cracklib_gecoscheck       = $::pam::cracklib_gecoscheck,
+  Optional[Integer]     $cracklib_dcredit          = $::pam::cracklib_dcredit,
+  Optional[Integer]     $cracklib_ucredit          = $::pam::cracklib_ucredit,
+  Optional[Integer]     $cracklib_lcredit          = $::pam::cracklib_lcredit,
+  Optional[Integer]     $cracklib_ocredit          = $::pam::cracklib_ocredit,
+  Optional[Integer]     $cracklib_minclass         = $::pam::cracklib_minclass,
+  Optional[Integer]     $cracklib_minlen           = $::pam::cracklib_minlen,
+  Integer               $deny                      = $::pam::deny,
+  Boolean               $display_account_lock      = $::pam::display_account_lock,
+  Integer               $fail_interval             = $::pam::fail_interval,
+  Integer               $remember                  = $::pam::remember,
+  Integer               $remember_retry            = $::pam::remember_retry,
+  Boolean               $remember_for_root         = $::pam::remember_for_root,
+  Integer               $root_unlock_time          = $::pam::root_unlock_time,
+  Integer               $rounds                    = $::pam::rounds,
+  Integer               $uid                       = $::pam::uid,
+  Integer               $unlock_time               = $::pam::unlock_time,
+  Boolean               $preserve_ac               = $::pam::preserve_ac,
+  Boolean               $use_netgroups             = $::pam::use_netgroups,
+  Boolean               $use_openshift             = $::pam::use_openshift,
+  Boolean               $sssd                      = $::pam::sssd,
+  Array[String]         $tty_audit_users           = $::pam::tty_audit_users,
+  String                $separator                 = $::pam::separator,
+  Boolean               $enable_separator          = $::pam::enable_separator,
+  Optional[String]      $content                   = undef
 ) {
   include '::oddjob::mkhomedir'