Allow specifying an alternate cookbook name for PAM templates
eyespies committed Feb 21, 2018
1 parent 531eba2 commit 1abdf54
Showing 3 changed files with 12 additions and 0 deletions.
6 changes: 6 additions & 0 deletions README.md
@@ -66,6 +66,12 @@ It will not:
true if you want to use strong password checking in PAM using passwdqc
* `['os-hardening']['auth']['pam']['passwdqc']['options'] = "min=disabled,disabled,16,12,8"`
set to any option line (as a string) that you want to pass to passwdqc
* `['os-hardening']['auth']['pam']['passwdqc']['template_cookbook'] = 'os-hardening'`
set to the name of the cookbook from which the template is obtained for the `/usr/share/pam-configs/passwdqc` file
* `['os-hardening']['auth']['pam']['tally2']['template_cookbook'] = 'os-hardening'`
set to the name of the cookbook from which the template is obtained for the `/usr/share/pam-configs/tally2` file
* `['os-hardening']['auth']['pam']['system-auth']['template_cookbook'] = 'os-hardening'`
set to the name of the cookbook from which the template is obtained for the `/etc/pam.d/system-auth-ac` file
* `['os-hardening']['security']['users']['allow'] = []`
list of things, that a user is allowed to do. May contain: `change_user`
* `['os-hardening']['security']['kernel']['enable_module_loading'] = true`
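Review bot: the three new `template_cookbook` entries should say that only the cookbook name is overridable, not the template file name: the recipe keeps rendering `pam_passwdqc.erb`, `pam_tally2.erb` and `rhel_system_auth.erb`, so an alternate cookbook must ship templates under exactly those names in its `templates/` directory or the converge fails with a missing-template error. One shared sentence after the three entries would cover it. The `system-auth` entry also deserves a warning that a replacement template for `/etc/pam.d/system-auth-ac` replaces the whole PAM stack in that file, not only the passwdqc and tally2 lines, so whoever points it at another cookbook owns the full password-strength and lockout policy.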

3 changes: 3 additions & 0 deletions attributes/default.rb
@@ -76,6 +76,9 @@
default['os-hardening']['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
default['os-hardening']['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
default['os-hardening']['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
default['os-hardening']['auth']['pam']['tally2']['template_cookbook'] = 'os-hardening'
default['os-hardening']['auth']['pam']['passwdqc']['template_cookbook'] = 'os-hardening'
default['os-hardening']['auth']['pam']['system-auth']['template_cookbook'] = 'os-hardening'
default['os-hardening']['auth']['root_ttys'] = %w[console tty1 tty2 tty3 tty4 tty5 tty6]
default['os-hardening']['auth']['uid_min'] = 1000
default['os-hardening']['auth']['gid_min'] = 1000
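Review bot: `cracklib` and `pwquality` in the two context lines directly above keep only an `options` attribute and get no `template_cookbook`; if their PAM snippets are rendered from templates in recipes/pam.rb as well, the same override should be offered for them, and if they are not, a one-line comment saying why only tally2, passwdqc and system-auth are overridable would save the next reader the question. Minor: the README lists the new attributes as passwdqc, tally2, system-auth while this file adds them as tally2, passwdqc, system-auth; matching the order (and putting the passwdqc line next to its `options` line above) makes the two easier to compare.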

3 changes: 3 additions & 0 deletions recipes/pam.rb
@@ -50,6 +50,7 @@
# configure passwdqc via central module:
template passwdqc_path do
source 'pam_passwdqc.erb'
cookbook node['os-hardening']['auth']['pam']['passwdqc']['template_cookbook']
mode 0640
owner 'root'
group 'root'
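Review bot: `source 'pam_passwdqc.erb'` stays hard-coded while `cookbook` becomes configurable, so a wrapper that sets `template_cookbook` to its own cookbook has to provide a file of exactly that name; consider either exposing the source name as a companion attribute (for example `['passwdqc']['template_source']` defaulting to `'pam_passwdqc.erb'`, a suggested name, not something this commit adds) so the override is self-contained, or documenting the fixed file name in the README so the failure mode is not a converge-time "template not found" error.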
@@ -78,6 +79,7 @@

template tally2_path do
source 'pam_tally2.erb'
cookbook node['os-hardening']['auth']['pam']['tally2']['template_cookbook']
mode 0640
owner 'root'
group 'root'
@@ -122,6 +124,7 @@
# configure passwdqc and tally via central system-auth confic:
template '/etc/pam.d/system-auth-ac' do
source 'rhel_system_auth.erb'
cookbook node['os-hardening']['auth']['pam']['system-auth']['template_cookbook']
mode 0640
owner 'root'
group 'root'
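Review bot: making the `/etc/pam.d/system-auth-ac` template swappable has a wider blast radius than the two snippet files above: the comment at the top of this hunk says this is the central config that carries the passwdqc and tally2 lines, so an alternate cookbook's `rhel_system_auth.erb` replaces the entire auth/account/password/session policy for the host, and a wrapper can drop the lockout or password-strength lines without touching any other attribute. Suggest the README entry for this attribute state that the replacement template is expected to keep the passwdqc and tally2 entries (or that the wrapper author takes ownership of the full policy); the `mode 0640`, `owner 'root'`, `group 'root'` below still apply whichever cookbook the template comes from, which is worth saying too.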