(simp#140) Added parameters to control /etc/security/faillock.conf

Fixes simp#140

CHANGELOG

@@ -1,3 +1,6 @@
+* Mon Dec 18 2023 Mike Riddle <mike@sicura.us> - 6.16.0
+- Added functionality to control /etc/security/faillock.conf
+
 * Mon Oct 23 2023 Steven Pritchard <steve@sicura.us> - 6.15.0
 - [puppetsync] Add EL9 support
 

manifests/config.pp

@@ -116,16 +116,39 @@
     }
   }
 
-  if ($pam::faillock_log_dir) {
-    file { $pam::faillock_log_dir:
-      ensure   => 'dir',
-      owner    => 'root',
-      group    => 'root',
-      mode     => '0750',
-      seluser  => 'system_u',
-      selrole  => 'object_r',
-      seltype  => 'faillog_t',
-      selrange => 's0',
+  if ($pam::manage_faillock_conf) {
+    if ($pam::faillock_dir) {
+      file { $pam::faillock_dir:
+        ensure   => 'directory',
+        owner    => 'root',
+        group    => 'root',
+        mode     => '0750',
+        seluser  => 'system_u',
+        selrole  => 'object_r',
+        seltype  => 'faillog_t',
+        selrange => 's0',
+      }
+    }
+
+    file { '/etc/security/faillock.conf':
+      ensure  => 'file',
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => epp("${module_name}/etc/security/faillock.conf.epp", {
+          dir              => $pam::faillock_dir,
+          audit            => $pam::faillock_audit,
+          silent           => $pam::faillock_silent,
+          no_log_info      => $pam::faillock_no_log_info,
+          local_users_only => $pam::faillock_local_users_only,
+          nodelay          => $pam::faillock_nodelay,
+          deny             => $pam::faillock_deny,
+          fail_interval    => $pam::faillock_fail_interval,
+          unlock_time      => $pam::faillock_unlock_time,
+          even_deny_root   => $pam::faillock_even_deny_root,
+          root_unlock_time => $pam::faillock_root_unlock_time,
+          admin_group      => $pam::faillock_admin_group
+      }),
     }
   }
 

manifests/init.pp

@@ -133,9 +133,6 @@
 # @param faillock
 #   Enable or disable the use of ``faillock``
 #
-# @param faillock_log_dir
-#   The location in which to log failed login attempts and account lockouts
-#
 # @param display_account_lock
 #   Display to the remote user that their account has been locked
 #
@@ -282,6 +279,49 @@
 # @param package_ensure
 #   Ensure setting for all packages installed by this module
 #
+# @param manage_faillock_conf
+#   If true, this module will manage all of the contents of faillock.conf
+#
+# @param faillock_dir
+#   The directory where the user files with the failure records are kept
+#
+# @param faillock_audit
+#   If true, log the user name into the system log if the user is not found
+#
+# @param faillock_silent
+#   If true, don't print informative messages to the user upon login attempt
+#
+# @param faillock_no_log_info
+#   If true, don't log informative messages via syslog
+#
+# @param faillock_local_users_only
+#   If true, only track failed user authentications attempts for local users in
+#   /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users
+#
+# @param faillock_nodelay
+#   If true, don't enforce a delay after authentication failures
+#
+# @param faillock_deny
+#   Deny access if the number of consecutive authentication failures for this user
+#   during the recent interval exceeds what this parameter is set to
+#
+# @param faillock_fail_interval
+#   The length of the interval during which the consecutive authentication failures
+#   must happen for the user account lock out in seconds
+#
+# @param faillock_unlock_time
+#   The access will be re-enabled after specified number of seconds after the lock out
+#
+# @param faillock_even_deny_root
+#   If true, root account can become locked as well as regular accounts
+#
+# @param faillock_root_unlock_time
+#   Allow access after specified number of seconds to root account after the account is locked
+#
+# @param faillock_admin_group
+#   If a group name is specified with this option, members of the group will be handled by
+#   this module the same as the root account
+#
 # @author https://github.com/simp/pupmod-simp-pam/graphs/contributors
 #
 class pam (
@@ -310,7 +350,6 @@
   Integer[0]                     $oath_window               = 1,
   Integer[0]                     $deny                      = 5,
   Boolean                        $faillock                  = true,
-  Optional[Stdlib::Absolutepath] $faillock_log_dir          = undef,
   Boolean                        $display_account_lock      = false,
   Simplib::Umask                 $homedir_umask             = '0077',
   Integer[0]                     $remember                  = 24,
@@ -346,7 +385,20 @@
   Boolean                        $enable_warning            = true,
   Boolean                        $disable_authconfig        = true,
   Boolean                        $use_authselect            = simplib::lookup('simp_options::authselect', { 'default_value' => false }),
-  Simplib::PackageEnsure         $package_ensure            = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })
+  Simplib::PackageEnsure         $package_ensure            = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' }),
+  Boolean                        $manage_faillock_conf      = false,
+  Optional[Stdlib::Absolutepath] $faillock_dir              = undef,
+  Boolean                        $faillock_audit            = false,
+  Boolean                        $faillock_silent           = false,
+  Boolean                        $faillock_no_log_info      = false,
+  Boolean                        $faillock_local_users_only = false,
+  Boolean                        $faillock_nodelay          = false,
+  Optional[Integer[0]]           $faillock_deny             = undef,
+  Optional[Integer[0]]           $faillock_fail_interval    = undef,
+  Optional[Integer[0]]           $faillock_unlock_time      = undef,
+  Boolean                        $faillock_even_deny_root   = false,
+  Optional[Integer[0]]           $faillock_root_unlock_time = undef,
+  Optional[String]               $faillock_admin_group      = undef
 ) {
   if simplib::lookup('simp_options::pam', { 'default_value' => true }) {
     if $enable {

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-pam",
-  "version": "6.15.0",
+  "version": "6.16.0",
   "author": "SIMP Team",
   "summary": "A SIMP puppet module for managing pam",
   "license": "Apache-2.0",

spec/classes/config_spec.rb

@@ -64,6 +64,34 @@
     EOM
   }
 
+  let(:default_faillock_conf){
+    <<~EOM
+    # This file is generated by Puppet
+    # Any changes made to it will be overwritten.
+    #
+    EOM
+  }
+
+  let(:all_params_faillock_conf){
+    <<~EOM
+    # This file is generated by Puppet
+    # Any changes made to it will be overwritten.
+    #
+    dir=/var/log/faillock
+    audit
+    silent
+    no_log_info
+    local_users_only
+    nodelay
+    deny=4
+    fail_interval=1200
+    unlock_time=180
+    even_deny_root
+    root_unlock_time=60
+    admin_group=wheel
+    EOM
+  }
+
   on_supported_os.each do |os, os_facts|
     context "on #{os}" do
       let(:facts) do
@@ -325,11 +353,6 @@
           }
         end
 
-        context 'with faillock_log_dir set' do
-          let(:params){{ :faillock_log_dir => '/var/log/faillock' }}
-          it { is_expected.to contain_file('/var/log/faillock') }
-        end
-
         context 'no warn_if_unknown = false' do
           let(:params){{ :warn_if_unknown => false }}
           it { is_expected.to contain_file('/etc/pam.d/other').with_content(<<~EOM
@@ -363,6 +386,34 @@
         it { is_expected.to_not contain_pam__auth('password') }
         it { is_expected.to_not contain_pam__auth('smartcard') }
       end
+
+      context 'with managing faillock.conf with default parameters' do
+        let(:params){{ :manage_faillock_conf => true}}
+
+        it {is_expected.to compile.with_all_deps}
+        it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( default_faillock_conf )}
+      end
+
+      context 'with managing faillock.conf with all non-default parameters' do
+        let(:params){{ 
+          :manage_faillock_conf => true,
+          :faillock_dir => '/var/log/faillock',
+          :faillock_audit => true,
+          :faillock_silent => true,
+          :faillock_no_log_info => true,
+          :faillock_local_users_only => true,
+          :faillock_nodelay => true,
+          :faillock_deny => 4,
+          :faillock_fail_interval => 1200,
+          :faillock_unlock_time => 180,
+          :faillock_even_deny_root => true,
+          :faillock_root_unlock_time => 60,
+          :faillock_admin_group => 'wheel'
+        }}
+
+        it {is_expected.to compile.with_all_deps}
+        it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( all_params_faillock_conf )}
+      end
     end
   end
 end

spec/classes/init_spec.rb

@@ -39,6 +39,13 @@
         it { is_expected.to contain_package('pam').with_ensure('latest') }
         it { is_expected.to contain_package('libpwquality').with_ensure('latest') }
       end
+
+      context 'with manage_faillock_conf=true' do
+        let(:params) {{ :manage_faillock_conf => true }}
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_file('/etc/security/faillock.conf') }
+      end
     end
   end
 end

templates/etc/security/faillock.conf.epp

@@ -0,0 +1,53 @@
+<%-|
+  Optional[Stdlib::Absolutepath] $dir,
+  Boolean $audit,
+  Boolean $silent,
+  Boolean $no_log_info,
+  Boolean $local_users_only,
+  Boolean $nodelay,
+  Optional[Integer[0]] $deny,
+  Optional[Integer[0]] $fail_interval,
+  Optional[Integer[0]] $unlock_time,
+  Boolean $even_deny_root,
+  Optional[Integer[0]] $root_unlock_time,
+  Optional[String] $admin_group
+|-%>
+# This file is generated by Puppet
+# Any changes made to it will be overwritten.
+#
+<% if $dir  { -%>
+dir=<%= $dir %>
+<% } -%>
+<% if $audit  { -%>
+audit
+<% } -%>
+<% if $silent  { -%>
+silent
+<% } -%>
+<% if $no_log_info  { -%>
+no_log_info
+<% } -%>
+<% if $local_users_only  { -%>
+local_users_only
+<% } -%>
+<% if $nodelay  { -%>
+nodelay
+<% } -%>
+<% if $deny  { -%>
+deny=<%= $deny %>
+<% } -%>
+<% if $fail_interval  { -%>
+fail_interval=<%= $fail_interval %>
+<% } -%>
+<% if $unlock_time  { -%>
+unlock_time=<%= $unlock_time %>
+<% } -%>
+<% if $even_deny_root  { -%>
+even_deny_root
+<% } -%>
+<% if $root_unlock_time  { -%>
+root_unlock_time=<%= $root_unlock_time %>
+<% } -%>
+<% if $admin_group  { -%>
+admin_group=<%= $admin_group %>
+<% } -%>