-
Notifications
You must be signed in to change notification settings - Fork 22
/
CHANGELOG
436 lines (334 loc) · 18.5 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
* Mon Nov 25 2024 Steven Pritchard <steve@sicura-us> - 7.3.1
- Fix use of legacy facts
* Mon Nov 04 2024 Mike Riddle <mike@sicura.us> - 7.3.0
- "root_unlock_time" will no longer be included in faillock.conf if "even_deny_root" is set to false
- Added nullok back as a parameter for completeness, however, users are warned not to use it unless
they fully understand the implication of having users without passwords
* Tue Oct 29 2024 Mike Riddle <mike@sicura.us> - 7.2.2
- Fixed pam auth files getting mangled when using cracklib as the pwbackend
* Tue Oct 22 2024 Steven Pritchard <steve@sicura.us> - 7.2.1
- Fix trailing whitespace in filenames and content
* Fri Sep 13 2024 Steven Pritchard <steve@sicura.us> - 7.2.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
* Tue Apr 09 2024 Mike Riddle <mike@sicura.us> - 7.1.0
- Added the cert_auth parameter
- Added the inactive parameter
* Wed Jan 31 2024 Mike Riddle <mike@sicura.us> - 7.0.0
- Added functionality to control /etc/security/pwhistory.conf
- Fixed logic that would cause certain functionality to break on Amazon Linux 2022 and above
* Mon Jan 29 2024 Mike Riddle <mike@sicura.us> - 6.16.0
- Added functionality to control /etc/security/faillock.conf
* Wed Jan 17 2024 Richard Gardner <rick@sicura.us> - 6.15.1
- Updated hiera.yaml facts to support puppet 8
* Mon Oct 23 2023 Steven Pritchard <steve@sicura.us> - 6.15.0
- [puppetsync] Add EL9 support
* Wed Oct 11 2023 Steven Pritchard <steve@sicura.us> - 6.14.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
* Wed Aug 23 2023 Steven Pritchard <steve@sicura.us> - 6.13.0
- Add AlmaLinux 8 support
* Mon Jun 12 2023 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.12.0
- Add RockyLinux 8 support
* Tue May 30 2023 Mike Riddle <mike@sicura.us> - 6.11.3
- Added support for use of this module with authselect enabled
* Thu Dec 15 2022 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.11.2
- Accomodate 'retry =' patch with EL versions earlier than 8.4
* Tue Dec 06 2022 Kevin Harrington <3482852+ke5C2Fin@users.noreply.github.com> - 6.11.2
- Add 'retry =' to /etc/security/pwquality.conf per STIG RHEL-08-020104
* Wed Apr 13 2022 Mike Riddle <mike@sicura.us> - 6.11.1
- Fix bug that failed when setting faillock_log_dir parameter
* Mon Mar 28 2022 Mike Riddle <mike@sicura.us> - 6.11.0
- Add dictcheck parameter to pwquality
- Add faillock_log_file parameter
* Sun Mar 20 2022 Trevor Vaughan <trevor@sicura.us> - 6.10.1
- Support Amazon Linux 2
* Thu Aug 26 2021 Kendall Moore <kendall.moore@onyxpoint.com> - 6.10.0
- Add pre section content for auth files
- Add extra content for su
* Wed Aug 04 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.9.1
- Silence unnecessary TTY messages
* Wed Jun 16 2021 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.9.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
* Tue Jun 08 2021 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.9.0
- Fixed
- Added default Hiera deep merges for `pam::access::users` and
`pam::limits::rules` based on user feedback
* Wed Dec 23 2020 Jeanne Greulich <jeannegreulich@onyxpoint.com> - 6.8.3-0
- Fixed a bug in the system-auth configuration file in which it did not skip
pam_tty_audit if the login did not have a tty. This caused service logins to fail,
specifically the gdm service.
- Removed support for EL6.
- Set the quiet parameter when doing pam_listfile lookups in auth.pp so that users
don't end up with warnings in the logs that look like authentication failures
* Tue Aug 25 2020 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.8.2-0
- Use the fixed simplib__auditd fact for toggling pam_tty_audit
* Wed Aug 05 2020 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.8.1-0
- Ensure that pam_tty_audit is optional if auditing is not enabled on the system
* Wed May 27 2020 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.8.0-0
- Add the ability to specify pam::limits::rules via Hiera
* Wed Mar 25 2020 Jeanne Greulich <jeanne.greulich@onyxpoint.com> - 6.7.1-0
- Moved the pam_unix.so check before the pam_sss.so check in the password
section of the auth files otherwise it returns an "authentication token
manipulation" error and local passwords can not be changed.
* Fri Feb 28 2020 Jeanne Greulich <jeanne.greulich@onyxpoint.com> - 6.7.0-0
- Ignore authconfig disable on EL8. Authconfig was replaced with authselect
and authselect does not overwrite settings unless you select --force
option.
* Tue Dec 24 2019 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.7.0-0
- Add EL8 support
- Remove installation of pam_pkcs11 and fprintd-pam by default since they not
actually required for basic functionality
- Update documentation for 'puppet strings'
* Fri Aug 02 2019 Robert Vincent <pillarsdotnet@gmail.com> - 6.7.0-0
- Support puppetlabs/concat 6.x.
* Thu Jun 06 2019 Steven Pritchard <steven.pritchard@onypoint.com> - 6.6.0-0
- Add v2 compliance_markup data
* Mon Apr 29 2019 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.5.0-0
- Fix bug where the ending faillock items were not being called due to the
'sufficient' lines on pam_unix and pam_sssd.
- Add option to allow users to disable faillock if desired
- Fix bug where 'authsucc' was not set at the end of the 'auth' section for
faillock (SIMP-6306)
- Update all comments for puppet strings
- Converted all templates to EPP for performance
- Fully updated the README
* Tue Apr 16 2019 Zach <turtles.be.the.best@gmail.com> - 6.5.0-0
- Add totp support through pam_oath
* Fri Mar 15 2019 Nicholas Markowski <nicholas.markowski@onyxpoint.com> - 6.4.0-0
- Added pam::access::access_file_mode parameter to allow users to manage
access.conf file permissions
- Updated lower bound on stdlib to 4.22.0 to add Filemode strong type support
* Mon Mar 04 2019 Liz Nemsick <lnemsick.simp@gmail.com> - 6.3.1-0
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated a URL in the README.md
* Thu Oct 04 2018 Zach <turtles.be.the.best@gmail.com> - 6.3.0-0
- Fix 'faillock' bug in system-auth
- Update badges and contribution guide URL in README.md
* Tue Sep 11 2018 Steven Pritchard <steven.pritchard@onyxpoint.com> - 6.3.0-0
- Fix *_auth_content pam class parameters
* Fri Sep 07 2018 Liz Nemsick <lnemsick.simp@gmail.com> - 6.3.0-0
- Update Hiera 4 to Hiera 5
* Fri Jul 20 2018 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.3.0-0
- Added the reading of the system locale settings during the session activation
of users.
* Thu Jul 12 2018 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.3.0-0
- Add support for OEL and Puppet 5
* Mon Apr 30 2018 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.2.1-0
- Allow users to change the password hash algorithm
- Allow users to enable/disable enforcing password policies for `root`
- Update compliance tests to work with inspec profiles and compliance engine
enforcement.
* Mon Apr 16 2018 Liz Nemsick <lnemsick.simp@gmail.com> - 6.2.1-0
- Set the default cracklib_maxclassrepeat to 3.
* Mon Feb 12 2018 Liz Nemsick <lnemsick.simp@gmail.com> - 6.2.0-0
- Update upperbound on puppetlabs/concat version to < 5.0.0
* Fri Feb 09 2018 Adam Yohrling <adam.yohrling@onyxpoint.com> - 6.2.0-0
- Update the pam::unlock_time parameter to accept 'never' as a value per the
man page and in accordance with the DISA STIG
* Wed Jan 24 2018 Liz Nemsick <lnemsick.simp@gmail.com> - 6.2.0-0
- Replace authconfig and authconfig-tui links to a no-op script, instead
of removing them. This does not break tools that use authconfig.
- Use simp_options::package_ensure, when available
* Wed Dec 13 2017 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.2.0-0
- Set the minimum UID allowed onto the system to the default defined in
/etc/login.defs or 1000 if not otherwise defined
* Fri Sep 22 2017 Jeanne Greulich <jeanne.greulich@onyxpoint.com> - 6.1.0-0
- Changed password checking from pam_cracklib.so to pam_pwquality.so for EL7
* Fri Sep 22 2017 Chris Tessmer <chris.tessmer@onyxpoint.com> - 6.1.0-0
- Enable pam_tty_audit for sudo
* Fri Aug 18 2017 Liz Nemsick <lnemsick.simp@gmail.com> - 6.0.4-0
- Add concat dependency to metadata.json
- Update concat dependency in build/rpm_metadata/requires
* Tue May 23 2017 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.0.3-0
- Fixed docs in pam::limits::rule
- Update puppet requirement in metadata.json
* Wed Apr 05 2017 Liz Nemsick <lnemsick.simp@gmail.com> - 6.0.2-0
- fixed puppet strings documentation in access.pp
* Mon Mar 15 2017 Nicholas Hughes <nicholasmhughes@gmail.com> - 6.0.1-0
- corrected location of authconfig binaries
* Mon Feb 13 2017 Jeanne Greulich <jeanne.greulich@onyxpoint.com> - 6.0.0-0
- When using list separator you can't have spaces between
identifiers in access.conf if your separator is not a space.
It then includes spaces as part of the name so we are removing spaces
from the access file. Dylan also added changes that wrap the use
of separator in boolean.
* Tue Jan 17 2017 Nick Miller <nick.miller@onyxpoint.com> - 6.0.0-0
- Added feature to add pam::access::manage resources from hiera
* Thu Jan 12 2017 Trevor Vaughan <tvaughan@onyxpoint.com> - 6.0.0-0
- Changed the following for the SSG:
- minimum length now set to 15
* Wed Dec 21 2016 Jeanne Greulich <jeanne.greulich@onyxpoint.com> - 6.0.0-0
- corrected error for lookup
- Fixed comments and aligned variables to make it look pretty.
- update simplib version to include new types.
- renamed pam::access::manage to pam::access::rule
- renamed pam::limits::add to pam::limits::rule
- Added strong types and updated Global catalists.
- Removed NSCD logic.
* Wed Nov 30 2016 Nick Miller <nick.miller@onyxpoint.com> - 5.0.1-0
- Added a generic content option to replace all templated PAM configurations
- Setting use_templates to false will enable them
* Wed Nov 23 2016 Jeanne Greulich <jgreulich.simp@onyxpoint.com> - 5.0.0-0
- update requirement versions
* Mon Nov 21 2016 Chris Tessmer <chris.tessmer@onyxpoint.com> - 5.0.0-0
- Updated to compliance_markup version 2
* Fri Sep 30 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with
'puppetlabs/concat'.
* Thu Aug 25 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.5-0
- Update to pam_pwhistory.so to fix local user login failures due to SELinux
policy updates affecting /etc/security/opasswd in EL7.
* Mon Aug 15 2016 Nick Miller <nick.miller@onyxpoint.com> - 4.2.4-0
- Reverted STIG password policy compliance changes
* Fri Aug 05 2016 Nick Markowski <nmarkowski@keywcorp.com> - 4.2.3-0
- Updated system-auth values to be STIG compliant.
* Thu Jul 07 2016 Liz Nemsick <elizabeth.nemsick@uscontracting.us> - 4.2.2-0
- Added use of pam_tty_audit in system-auth, password-auth, and fingerprint-auth.
- Updated module to use new rake helper to auto-generate RPM .spec file.
- Fixed bug related to pam::display_account_lock.
* Wed Mar 30 2016 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.2.1-0
- Move pam_oddjob_mkhomedir below pam_sssd in the stack due to a odd
SELinux-related bug which prevented users from logging into systems via SSH.
* Mon Mar 14 2016 Nick Markowski <nmarkowski@keywcorp.com> - 4.2.0-0
- Ensure that EL6.7+ uses SSSD over NSCD
* Tue Feb 23 2016 Ralph Wright <ralph.wright@onyxpoint.com> - 4.1.0-14
- Added compliance function support
* Wed Nov 18 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-13
- Updated to enable SSSD properly now that most of the major items have been
resolved upstream.
* Mon Nov 09 2015 Chris Tessmer <chris.tessmer@onypoint.com> - 4.1.0-13
- Migration to simplib and simpcat (lib/ only)
* Tue Oct 27 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-12
- Removed all calls to the lsb* facts and replaced them with 'operatingsystem*'
facts
* Fri Sep 18 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-11
- Moved pam_mkhomedir to before pam_systemd to fix issues with systemd
subsystem failures occuring due to a lack of a home directory.
* Sat May 16 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-10
- Slight update to more closely align with the STIG.
* Fri Jan 16 2015 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-9
- Changed puppet-server requirement to puppet
* Thu Oct 02 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-8
- Updated the mode on limits.conf and access.conf to be
non-executable.
- Changed the mode on access.conf to be world readable so that the
RHEL7 screensaver can unlock properly.
* Wed Oct 01 2014 Trevor Vaughan <tvaughan@onxypoint.com> - 4.1.0-7
- Added options to the auth configs in PAM to ensure that GDM works
properly in RHEL7.
* Thu Sep 04 2014 Adam Yohrling <adam.yohrling@onyxpoint.com> - 4.1.0-6
- Added optional pam_systemd module to access template. This will
only work if present on the system and is required for CentOS/RHEL 7
* Fri Jul 25 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-5
- Added oddjob support for creating home directories for setting
correct SELinux contexts on created home directories.
See: https://bugzilla.redhat.com/show_bug.cgi?id=447096#c3
* Sun Jun 22 2014 Kendall Moore <kmoore@keywcorp.com> - 4.1.0-4
- Removed MD5 file checksums for FIPS compliance.
* Thu Apr 10 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-3
- Added full support for access.conf and removed groupaccess.conf
since it is no longer required. pam::access::manage should now be
used instead of pam::groupaccess::modify.
- Renamed pam::access_conf and pam::limits_conf to pam::access and
pam::limits respectively.
- Moved pam::limits::add_limit to pam::limits::add
* Mon Feb 10 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-2
- Updates to fully support OpenShift.
- Added OpenSCAP support.
* Tue Jan 28 2014 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-1
- Added proper support to the wheel class for OpenShift support so that
it does not conflict with the base classes from openshift_origin.
* Tue Oct 22 2013 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.1.0-0
- Converted groupaccess over to using simp_file_line instead of
concat.
- Cleaned up the PAM settings quite a bit and now using a single
template for all -auth files in /etc/pam.d.
- pam_faillock no longer causes spurious failed logins with sudo.
* Mon Oct 07 2013 Kendall Moore <kmoore@keywcorp.com> - 4.0.0-7
- Updated all erb templates to properly scope variables.
- Added variables to init.pp to make templates more configurable.
* Wed Oct 02 2013 Trevor Vaughan <tvaughan@onyxpoint.com> - 4.0.0-6
- Use 'versioncmp' for all version comparisons.
* Mon Feb 25 2013 Maintenance - 4.0-5
- Added a call to $::rsync_timeout to the rsync call since it is now required.
* Tue Jul 24 2012 Maintenance - 4.0.0-4
- Added maxclassrepeat=3 and gecoscheck to the cracklib line.
- Removed the *credit items from the cracklib line. We have minclass=3 which is
good enough and having the rest in there was confusing.
* Wed Jun 13 2012 Maintenance - 4.0.0-3
- Fixed a bug where the other *-auth files in pam.d were not updated to handle
faillock properly.
* Wed May 16 2012 Maintenance - 4.0.0-2
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
* Fri Mar 02 2012 Maintenance - 4.0.0-1
- Improved test stubs.
* Fri Feb 10 2012 Maintenance - 4.0.0-0
- Updated the PAM template to handle faillog as the new default in
RHEL6.
- Added tests for verifying that a user account lockout happens after 5 tries,
can be unlocked, and functions properly after that.
* Tue Dec 20 2011 Maintenance - 2.0.0-5
- Updated the spec file to not require a separate file list.
- Added a line to allow the local 'wheel' group to get to su and bypass
checking the alternately set group. This allows the alternate group to be in
LDAP and the local group to be able to su when LDAP is down or an emergency
user is local.
* Thu Oct 27 2011 Maintenance - 2.0.0-4
- Added the new 'auth' portions of pam.d and removed everything except for
'other' from the rsync segment of pam.d.
* Mon Oct 10 2011 Maintenance - 2.0.0-3
- Updated to put quotes around everything that need it in a comparison
statement so that puppet > 2.5 doesn't explode with an undef error.
- Updated to work around the issue where SSSD can't update shadow fields in
LDAP.
* Tue Jun 07 2011 Maintenance - 2.0.0-2
- Rearranged items in system-auth so that fewer erroneous errors would be
thrown on login. You'll still get them if logging in as a local user. Red Hat
is aware of the issue.
- Fixed this module for the case where $use_sssd does not exist.
- Default password length is now 14
- Removed nullok to prevent all blank password usage
- Added support for wheel in 'su' via pam::wheel
- Set pam_lastlog
* Tue Apr 05 2011 Maintenance - 2.0.0-1
- Added support to system-auth for SSSD.
- Updated to use rsync native type
- Updated system-auth to enforce a stronger default password set.
- This needs to be templated but not for 2.0.0-Beta.
- Updated to use concat_build and concat_fragment types
* Tue Jan 11 2011 Maintenance - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
* Mon Jan 10 2011 Maintenance - 1.0-4
- Updated the PAM configuration to fix an issue where pam_unix.so was set to
default=ignore. This is definitely not what you want.
* Thu Nov 04 2010 Maintenance - 1.0-3
- pam_tally2 still wasn't properly taking effect. Should be corrected.
- This update adds the ability to modify the delay after a failed login via
PAM. FAIL_DELAY by itself doesn't do anything without the addition of
pam_faildelay.so this item was added to the default PAM config.
* Tue Oct 26 2010 Maintenance - 1.0-2
- Converting all spec files to check for directories prior to copy.
* Tue Aug 10 2010 Maintenance - 1.0-1
- Rearranged the pam_tally2 items in system-auth.erb to ensure that account
lockouts are taking effect properly.
* Fri Jun 04 2010 Maintenance - 1.0-0
- Modified the system-auth.erb file to:
- Get rid of session messages in /var/log/secure when cron runs.
- Ensure that cron can run without having a user in the groupaccess.conf file.
- Skip pam_ldap if pam_unix succeeds.
- Code refactor and update
- Added 'Tidy' statements to match the rest of the multi-build patterns.
- Fixed a problem with pam_succeed_if.so uid=0 causing auid to be set to -1. Changed to user = root.
- Changed the pam_mkhomedir call to be 'optional' instead of 'required'. This
allows users to login even if their home directory can't be created.
* Fri Feb 05 2010 Maintenance - 0.1-10
- Fixed some incorrect settings with pam_cracklib.so and added in some new
checking functionality for repeated characters and username matching.
- Removed the necessity of the rootaccess file. This does mean that root can su
to any user but completely prevents root lockouts.