Refactored changes so that existing variables can be re-used and new …

…ones can be used inline in the auth files

REFERENCE.md

@@ -104,17 +104,11 @@ The following parameters are available in the `pam` class:
 * [`auth_basedir`](#-pam--auth_basedir)
 * [`package_ensure`](#-pam--package_ensure)
 * [`manage_faillock_conf`](#-pam--manage_faillock_conf)
-* [`faillock_dir`](#-pam--faillock_dir)
+* [`faillock_log_dir`](#-pam--faillock_log_dir)
 * [`faillock_audit`](#-pam--faillock_audit)
-* [`faillock_silent`](#-pam--faillock_silent)
 * [`faillock_no_log_info`](#-pam--faillock_no_log_info)
 * [`faillock_local_users_only`](#-pam--faillock_local_users_only)
 * [`faillock_nodelay`](#-pam--faillock_nodelay)
-* [`faillock_deny`](#-pam--faillock_deny)
-* [`faillock_fail_interval`](#-pam--faillock_fail_interval)
-* [`faillock_unlock_time`](#-pam--faillock_unlock_time)
-* [`faillock_even_deny_root`](#-pam--faillock_even_deny_root)
-* [`faillock_root_unlock_time`](#-pam--faillock_root_unlock_time)
 * [`faillock_admin_group`](#-pam--faillock_admin_group)
 
 ##### <a name="-pam--password_check_backend"></a>`password_check_backend`
@@ -341,7 +335,6 @@ Default value: `true`
 Data type: `Integer[0]`
 
 The number of failed attempts before PAM denies a user from logging in.
-This parameter is ignored if manage_faillock_conf is set to true.
 
 Default value: `5`
 
@@ -358,7 +351,6 @@ Default value: `true`
 Data type: `Boolean`
 
 Display to the remote user that their account has been locked.
-This parameter is ignored if manage_faillock_conf is set to true.
 
 Default value: `false`
 
@@ -367,7 +359,6 @@ Default value: `false`
 Data type: `Integer[0]`
 
 Sets the time until the check fails.
-This parameter is ignored if manage_faillock_conf is set to true.
 
 Default value: `900`
 
@@ -410,7 +401,6 @@ Default value: `true`
 Data type: `Boolean`
 
 Enforce an account lockout for the ``root`` account.
-This parameter is ignored if manage_faillock_conf is set to true.
 
 Default value: `true`
 
@@ -419,7 +409,6 @@ Default value: `true`
 Data type: `Integer[0]`
 
 Allow access after N seconds to root account after failed attempt.
-This parameter is ignored if manage_faillock_conf is set to true.
 
 * Has no effect if ``even_deny_root`` is not set
 
@@ -455,7 +444,6 @@ Default value: `simplib::lookup('simp_options::uid::min', { 'default_value' => p
 Data type: `Pam::AccountUnlockTime`
 
 Allow acesss after N seconds to user account after failed attempt.
-This parameter is ignored if manage_faillock_conf is set to true.
 
 Default value: `900`
 
@@ -700,17 +688,16 @@ Default value: `simplib::lookup('simp_options::package_ensure', { 'default_value
 
 Data type: `Boolean`
 
-If true, this module will manage all of the contents of faillock.conf
+If true, the faillock parameters will be managed within /etc/security/faillock.conf
+instead of inline in the auth files. This parameter will be ignored on el7 and earlier systems.
 
 Default value: `false`
 
-##### <a name="-pam--faillock_dir"></a>`faillock_dir`
+##### <a name="-pam--faillock_log_dir"></a>`faillock_log_dir`
 
 Data type: `Optional[Stdlib::Absolutepath]`
 
 The directory where the user files with the failure records are kept.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
 
 Default value: `undef`
 
@@ -719,28 +706,14 @@ Default value: `undef`
 Data type: `Boolean`
 
 If true, log the user name into the system log if the user is not found.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
 
-Default value: `false`
-
-##### <a name="-pam--faillock_silent"></a>`faillock_silent`
-
-Data type: `Boolean`
-
-If true, don't print informative messages to the user upon login attempt.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
-
-Default value: `false`
+Default value: `true`
 
 ##### <a name="-pam--faillock_no_log_info"></a>`faillock_no_log_info`
 
 Data type: `Boolean`
 
 If true, don't log informative messages via syslog.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
 
 Default value: `false`
 
@@ -750,8 +723,6 @@ Data type: `Boolean`
 
 If true, only track failed user authentications attempts for local users in
 /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
 
 Default value: `false`
 
@@ -760,71 +731,15 @@ Default value: `false`
 Data type: `Boolean`
 
 If true, don't enforce a delay after authentication failures.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
 
 Default value: `false`
 
-##### <a name="-pam--faillock_deny"></a>`faillock_deny`
-
-Data type: `Optional[Integer[0]]`
-
-Deny access if the number of consecutive authentication failures for this user
-during the recent interval exceeds what this parameter is set to.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
-
-Default value: `undef`
-
-##### <a name="-pam--faillock_fail_interval"></a>`faillock_fail_interval`
-
-Data type: `Optional[Integer[0]]`
-
-The length of the interval during which the consecutive authentication failures
-must happen for the user account lock out in seconds.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
-
-Default value: `undef`
-
-##### <a name="-pam--faillock_unlock_time"></a>`faillock_unlock_time`
-
-Data type: `Optional[Integer[0]]`
-
-The access will be re-enabled after specified number of seconds after the lock out.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
-
-Default value: `undef`
-
-##### <a name="-pam--faillock_even_deny_root"></a>`faillock_even_deny_root`
-
-Data type: `Boolean`
-
-If true, root account can become locked as well as regular accounts.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
-
-Default value: `false`
-
-##### <a name="-pam--faillock_root_unlock_time"></a>`faillock_root_unlock_time`
-
-Data type: `Optional[Integer[0]]`
-
-Allow access after specified number of seconds to root account after the account is locked.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
-
-Default value: `undef`
-
 ##### <a name="-pam--faillock_admin_group"></a>`faillock_admin_group`
 
 Data type: `Optional[String]`
 
 If a group name is specified with this option, members of the group will be handled by
 this module the same as the root account.
-Note that this parameter will be ignored on el7 and earlier systems
-and if manage_faillock_conf is set to false.
 
 Default value: `undef`
 
@@ -1135,6 +1050,11 @@ The following parameters are available in the `pam::auth` defined type:
 * [`locale_file`](#-pam--auth--locale_file)
 * [`auth_content_pre`](#-pam--auth--auth_content_pre)
 * [`manage_faillock_conf`](#-pam--auth--manage_faillock_conf)
+* [`faillock_audit`](#-pam--auth--faillock_audit)
+* [`faillock_no_log_info`](#-pam--auth--faillock_no_log_info)
+* [`faillock_local_users_only`](#-pam--auth--faillock_local_users_only)
+* [`faillock_nodelay`](#-pam--auth--faillock_nodelay)
+* [`faillock_admin_group`](#-pam--auth--faillock_admin_group)
 * [`cracklib_enforce_for_root`](#-pam--auth--cracklib_enforce_for_root)
 * [`cracklib_reject_username`](#-pam--auth--cracklib_reject_username)
 * [`cracklib_difok`](#-pam--auth--cracklib_difok)
@@ -1206,6 +1126,46 @@ Data type: `Boolean`
 
 Default value: `$pam::manage_faillock_conf`
 
+##### <a name="-pam--auth--faillock_audit"></a>`faillock_audit`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_audit`
+
+##### <a name="-pam--auth--faillock_no_log_info"></a>`faillock_no_log_info`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_no_log_info`
+
+##### <a name="-pam--auth--faillock_local_users_only"></a>`faillock_local_users_only`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_local_users_only`
+
+##### <a name="-pam--auth--faillock_nodelay"></a>`faillock_nodelay`
+
+Data type: `Boolean`
+
+
+
+Default value: `$pam::faillock_nodelay`
+
+##### <a name="-pam--auth--faillock_admin_group"></a>`faillock_admin_group`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `$pam::faillock_admin_group`
+
 ##### <a name="-pam--auth--cracklib_enforce_for_root"></a>`cracklib_enforce_for_root`
 
 Data type: `Boolean`
@@ -1356,7 +1316,7 @@ Data type: `Optional[Stdlib::Absolutepath]`
 
 
 
-Default value: `undef`
+Default value: `$pam::faillock_log_dir`
 
 ##### <a name="-pam--auth--display_account_lock"></a>`display_account_lock`
 

manifests/auth.pp

@@ -10,6 +10,11 @@
 # @param locale_file
 # @param auth_content_pre
 # @param manage_faillock_conf
+# @param faillock_audit
+# @param faillock_no_log_info
+# @param faillock_local_users_only
+# @param faillock_nodelay
+# @param faillock_admin_group
 # @param cracklib_enforce_for_root
 # @param cracklib_reject_username
 # @param cracklib_difok
@@ -55,7 +60,6 @@
   Pam::PasswordBackends          $password_check_backend    = $pam::password_check_backend,
   Optional[Stdlib::Absolutepath] $locale_file               = $pam::locale_file,
   Optional[Array[String]]        $auth_content_pre          = $pam::auth_content_pre,
-  Boolean                        $manage_faillock_conf      = $pam::manage_faillock_conf,
   Boolean                        $cracklib_enforce_for_root = $pam::cracklib_enforce_for_root,
   Boolean                        $cracklib_reject_username  = $pam::cracklib_reject_username,
   Optional[Integer[0]]           $cracklib_difok            = $pam::cracklib_difok,
@@ -72,7 +76,13 @@
   Integer[0]                     $cracklib_retry            = $pam::cracklib_retry,
   Integer[0]                     $deny                      = $pam::deny,
   Boolean                        $faillock                  = $pam::faillock,
-  Optional[Stdlib::Absolutepath] $faillock_log_dir          = undef,
+  Boolean                        $manage_faillock_conf      = $pam::manage_faillock_conf,
+  Optional[Stdlib::Absolutepath] $faillock_log_dir          = $pam::faillock_log_dir,
+  Boolean                        $faillock_audit            = $pam::faillock_audit,
+  Boolean                        $faillock_no_log_info      = $pam::faillock_no_log_info,
+  Boolean                        $faillock_local_users_only = $pam::faillock_local_users_only,
+  Boolean                        $faillock_nodelay          = $pam::faillock_nodelay,
+  Optional[String]               $faillock_admin_group      = $pam::faillock_admin_group,
   Boolean                        $display_account_lock      = $pam::display_account_lock,
   Integer[0]                     $fail_interval             = $pam::fail_interval,
   Integer[0]                     $remember                  = $pam::remember,
@@ -163,6 +173,11 @@
           deny                      => $deny,
           faillock                  => $faillock,
           faillock_log_dir          => $faillock_log_dir,
+          faillock_audit            => $faillock_audit,
+          faillock_no_log_info      => $faillock_no_log_info,
+          faillock_local_users_only => $faillock_local_users_only,
+          faillock_nodelay          => $faillock_nodelay,
+          faillock_admin_group      => $faillock_admin_group,
           display_account_lock      => $display_account_lock,
           fail_interval             => $fail_interval,
           remember                  => $remember,

manifests/config.pp

@@ -118,8 +118,8 @@
 
   # EL 7 doesn't utilize faillock.conf
   if ($facts['os']['release']['major'] > '7') and ($pam::manage_faillock_conf) {
-    if ($pam::faillock_dir) {
-      file { $pam::faillock_dir:
+    if ($pam::faillock_log_dir) {
+      file { $pam::faillock_log_dir:
         ensure   => 'directory',
         owner    => 'root',
         group    => 'root',
@@ -137,17 +137,17 @@
       group   => 'root',
       mode    => '0644',
       content => epp("${module_name}/etc/security/faillock.conf.epp", {
-          dir              => $pam::faillock_dir,
+          dir              => $pam::faillock_log_dir,
           audit            => $pam::faillock_audit,
-          silent           => $pam::faillock_silent,
+          silent           => !$pam::display_account_lock,
           no_log_info      => $pam::faillock_no_log_info,
           local_users_only => $pam::faillock_local_users_only,
           nodelay          => $pam::faillock_nodelay,
-          deny             => $pam::faillock_deny,
-          fail_interval    => $pam::faillock_fail_interval,
-          unlock_time      => $pam::faillock_unlock_time,
-          even_deny_root   => $pam::faillock_even_deny_root,
-          root_unlock_time => $pam::faillock_root_unlock_time,
+          deny             => $pam::deny,
+          fail_interval    => $pam::fail_interval,
+          unlock_time      => $pam::unlock_time,
+          even_deny_root   => $pam::even_deny_root,
+          root_unlock_time => $pam::root_unlock_time,
           admin_group      => $pam::faillock_admin_group
       }),
     }