From 1abdf54ce2dce7a4eb89325eb9e8e55212ee412f Mon Sep 17 00:00:00 2001
From: Justin Spies
Date: Fri, 16 Feb 2018 01:00:44 -0500
Subject: [PATCH] Allow specifying an alternate cookbook name for PAM templates

---
 README.md             | 6 ++++++
 attributes/default.rb | 3 +++
 recipes/pam.rb        | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/README.md b/README.md
index 098d2bce..0acc116b 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,12 @@ It will not:
   true if you want to use strong password checking in PAM using passwdqc
 * `['os-hardening']['auth']['pam']['passwdqc']['options'] = "min=disabled,disabled,16,12,8"`
   set to any option line (as a string) that you want to pass to passwdqc
+* `['os-hardening']['auth']['pam']['passwdqc']['template_cookbook'] = 'os-hardening'`
+  set to the name of the cookbook from which the template is obtained for the `/usr/share/pam-configs/passwdqc` file
+* `['os-hardening']['auth']['pam']['tally2']['template_cookbook'] = 'os-hardening'`
+  set to the name of the cookbook from which the template is obtained for the `/usr/share/pam-configs/tally2` file
+* `['os-hardening']['auth']['pam']['system-auth']['template_cookbook'] = 'os-hardening'`
+  set to the name of the cookbook from which the template is obtained for the `/etc/pam.d/system-auth-ac` file
 * `['os-hardening']['security']['users']['allow'] = []`
   list of things, that a user is allowed to do. May contain: `change_user`
 * `['os-hardening']['security']['kernel']['enable_module_loading'] = true`
diff --git a/attributes/default.rb b/attributes/default.rb
index e2d4b7f0..857a22d3 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -76,6 +76,9 @@
 default['os-hardening']['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
 default['os-hardening']['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
 default['os-hardening']['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
+default['os-hardening']['auth']['pam']['tally2']['template_cookbook'] = 'os-hardening'
+default['os-hardening']['auth']['pam']['passwdqc']['template_cookbook'] = 'os-hardening'
+default['os-hardening']['auth']['pam']['system-auth']['template_cookbook'] = 'os-hardening'
 default['os-hardening']['auth']['root_ttys'] = %w[console tty1 tty2 tty3 tty4 tty5 tty6]
 default['os-hardening']['auth']['uid_min'] = 1000
 default['os-hardening']['auth']['gid_min'] = 1000
diff --git a/recipes/pam.rb b/recipes/pam.rb
index b88b674d..dce11b2b 100644
--- a/recipes/pam.rb
+++ b/recipes/pam.rb
@@ -50,6 +50,7 @@
 # configure passwdqc via central module:
 template passwdqc_path do
   source 'pam_passwdqc.erb'
+  cookbook node['os-hardening']['auth']['pam']['passwdqc']['template_cookbook']
   mode 0640
   owner 'root'
   group 'root'
@@ -78,6 +79,7 @@
 
 template tally2_path do
   source 'pam_tally2.erb'
+  cookbook node['os-hardening']['auth']['pam']['tally2']['template_cookbook']
   mode 0640
   owner 'root'
   group 'root'
@@ -122,6 +124,7 @@
 # configure passwdqc and tally via central system-auth confic:
 template '/etc/pam.d/system-auth-ac' do
   source 'rhel_system_auth.erb'
+  cookbook node['os-hardening']['auth']['pam']['system-auth']['template_cookbook']
   mode 0640
   owner 'root'
   group 'root'
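Review bot: The new `cookbook` line in the first recipes/pam.rb hunk (and the matching lines in the tally2 and system-auth hunks below) makes the template's origin configurable while `source 'pam_passwdqc.erb'` stays fixed, and nothing in the recipe records that coupling: a cookbook named in `template_cookbook` has to ship a template with exactly that file name and accept whatever variables this resource passes (any `variables` call and the block's `end` lie outside the hunk). I would add above each new `cookbook` line `# Template may come from a wrapper cookbook (see README); it must keep this source name and variables.` Because these three files define PAM authentication policy, pointing `template_cookbook` elsewhere moves that policy out of this cookbook's control, so the README entry should say the rendered file is then the wrapper's responsibility to test. I expect Chef to fail the converge rather than fall back to the local template when the named cookbook is not available to the run, but I have not confirmed that against the template resource implementation.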