
Merge pull request #38 from ghoneycutt/add_nonfile_fragments
Add nonfile fragments
ghoneycutt committed Nov 7, 2013
2 parents 4e91ce6 + 3b291a9 commit 756eb3e
Showing 7 changed files with 439 additions and 39 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -28,3 +28,4 @@ doc/
metadata.json
coverage/
spec/fixtures/modules/*
Gemfile.lock
42 changes: 41 additions & 1 deletion README.md
Expand Up @@ -34,6 +34,12 @@ Array of users allowed to log in.

- *Default*: root

limits_fragments
----------------
Hash of fragments to pass to pam::limits::fragments

- *Default*: undef

package_name
------------
Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
Expand Down Expand Up @@ -295,12 +301,17 @@ Path to limits.d directory
Places a fragment in $limits_d_dir directory

## Parameters for `pam::limits::fragment`
Source or list **must** be set.

source
------
String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'

- *Required*
- *Default*: 'UNSET'

list
----
Array of lines to add to the fragment file

===

Expand All @@ -327,3 +338,32 @@ content
-------
Content of the PAM file for the service

===

# Hiera example for limits_fragments
<pre>
pam::limits_fragments:
custom:
list:
- '* soft nofile 2048'
- '* hard nofile 8192'
- '* soft as 3145728'
- '* hard as 4194304'
- '* hard maxlogins 300'
- '* soft cpu 720'
- '* hard cpu 1440'
</pre>

This would create /etc/security/limits.d/custom.conf with content
<pre>
# This file is being maintained by Puppet.
# DO NOT EDIT
* soft nofile 2048
* hard nofile 8192
* soft as 3145728
* hard as 4194304
* hard maxlogins 300
* soft cpu 720
* hard cpu 1440
</pre>

164 changes: 129 additions & 35 deletions manifests/init.pp
Expand Up @@ -4,9 +4,11 @@
#
class pam (
$allowed_users = 'root',
$ensure_vas = 'absent',
$package_name = undef,
$pam_conf_file = '/etc/pam.conf',
$services = undef,
$limits_fragments = undef,
$pam_d_login_oracle_options = 'UNSET',
$pam_d_login_path = '/etc/pam.d/login',
$pam_d_login_owner = 'root',
Expand Down Expand Up @@ -38,6 +40,7 @@
$system_auth_ac_account_lines = undef,
$system_auth_ac_password_lines = undef,
$system_auth_ac_session_lines = undef,
$vas_major_version = '4',
) {

include nsswitch
Expand All @@ -51,48 +54,135 @@
$default_package_name = [ 'pam',
'util-linux' ]

$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']
if $ensure_vas == 'present' {
case $vas_major_version {
'3': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
'4': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
default: {
fail("Pam is only supported with vas_major_version 3 or 4. Your vas_major_version is <${vas_major_version}>.")
}
}

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
$default_pam_account_lines = [ 'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account required pam_unix.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_vas3.so show_lockout_msg',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so']
} else {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
}
}
'6': {
$default_pam_d_login_template = 'pam/login.el6.erb'
$default_pam_d_sshd_template = 'pam/sshd.el6.erb'
$default_package_name = 'pam'

$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_fprintd.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
if $ensure_vas == 'present' {
case $vas_major_version {
'3': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
'4': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
default: {
fail("Pam is only supported with vas_major_version 3 or 4. Your vas_major_version is <${vas_major_version}>.")
}
}

$default_pam_account_lines = [ 'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_vas3.so show_lockout_msg',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so']
} else {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_fprintd.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
}
}
default: {
fail("Pam is only supported on EL 5 and 6. Your lsbmajdistrelease is identified as <${::lsbmajdistrelease}>.")
Expand Down Expand Up @@ -316,6 +406,10 @@
create_resources('pam::service',$services)
}

if $limits_fragments != undef {
create_resources('pam::limits::fragment',$limits_fragments)
}

case $::osfamily {
'redhat', 'suse', 'debian': {

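Review bot: `$limits_fragments` is passed straight to `create_resources('pam::limits::fragment', $limits_fragments)` inside the new `if $limits_fragments != undef` block with no type check, so a Hiera value that is a string or array fails deep inside create_resources instead of with a message naming the parameter; add `validate_hash($limits_fragments)` as the first line of that block, matching the `validate_array` the same commit uses in pam::limits::fragment. The class header should also document the new parameter, e.g. `# [*limits_fragments*] - hash of pam::limits::fragment resources to create, keyed by fragment name` next to the existing parameter comments, since the README is the only place its shape is described. In the EL5 and EL6 branches the VAS `case $vas_major_version` blocks and their `fail("Pam is only supported with vas_major_version 3 or 4 ...")` message are duplicated almost line for line, which is a style concern because the two copies will drift; a single check of `$vas_major_version` before the `$::lsbmajdistrelease` case would also validate the value when `$ensure_vas` is not 'present', which the current placement does not. The enclosing `class pam` starts before the first hunk and continues past the last.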
26 changes: 24 additions & 2 deletions manifests/limits/fragment.pp
Expand Up @@ -3,15 +3,37 @@
# Places a fragment in $limits_d_dir directory
#
define pam::limits::fragment (
$source,
$source = 'UNSET',
$list = undef,
) {

include pam
include pam::limits

# must specify source or list
if $source == 'UNSET' and $list == undef {
fail('pam::limits::fragment must specify source or list.')
}

# list takes priority if you specify both
if $list == undef {
$source_real = $source
} else {
$source_real = undef
}

# use the template if a list is provided
if $list == undef {
$content = undef
} else {
validate_array($list)
$content = template('pam/limits_fragment.erb')
}

file { "${pam::limits::limits_d_dir}/${name}.conf":
ensure => file,
source => $source,
source => $source_real,
content => $content,
owner => 'root',
group => 'root',
mode => '0644',
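Review bot: When both `source` and `list` are given, the new `if $list == undef` branches silently drop `source` (`$source_real = undef`), so a caller who sets a source and later adds a list from Hiera gets a different file with no indication why; emit a `warning()` in that case, and fold the two identical `if $list == undef` conditionals into one so `$source_real` and `$content` are decided together. `validate_array($list)` only checks the container, not that each element is a string, and the rendered lines land verbatim in a root-owned 0644 file under `$limits_d_dir` — presumably via the template, which is not in this diff — so a one-line comment on the validate call such as `# elements are written to limits.d unchecked; callers own the syntax` would make that contract explicit. The `define pam::limits::fragment` body continues past the end of the hunk.
```puppet
  # list takes priority if you specify both; warn rather than discarding source silently
  if $list == undef {
    $source_real = $source
    $content     = undef
  } else {
    if $source != 'UNSET' {
      warning("pam::limits::fragment ${name}: both source and list are set, ignoring source.")
    }
    validate_array($list)
    $source_real = undef
    $content     = template('pam/limits_fragment.erb')
  }
  # … unchanged: file resource …
```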
