
puppet-augeasproviders_pam's Introduction


pam: type/provider for PAM files for Puppet

This module provides a new type/provider for Puppet to read and modify PAM config files using the Augeas configuration library.

The advantage of using Augeas over the default Puppet parsedfile implementations is that Augeas will go to great lengths to preserve file formatting and comments, while also failing safely when needed.

This provider hides all of the Augeas commands, so you don't need to know anything about Augeas to make use of it.

Requirements

Ensure both Augeas and ruby-augeas 0.3.0+ bindings are installed and working as normal.

See Puppet/Augeas pre-requisites.

Installing

On Puppet 2.7.14+, the module can be installed easily (documentation):

puppet module install puppet/augeasproviders_pam

You may see an error similar to this on Puppet 2.x (#13858):

Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid resource type `pam` at ...

Ensure the module is present in your puppetmaster's own environment (it doesn't have to use it) and that the master has pluginsync enabled. Run the agent on the puppetmaster to cause the custom types to be synced to its local libdir (puppet master --configprint libdir) and then restart the puppetmaster so it loads them.

Compatibility

Puppet versions

Minimum of Puppet 2.7.

Augeas versions

Providers     0.10.0   1.0.0   1.1.0   1.2.0
pam           yes      yes     yes     yes

Documentation and examples

Type documentation can be generated with puppet doc -r type or viewed on the Puppet Forge page.

manage simple entry

pam { "Set sss entry to system-auth auth":
  ensure    => present,
  service   => 'system-auth',
  type      => 'auth',
  control   => 'sufficient',
  module    => 'pam_sss.so',
  arguments => 'use_first_pass',
  position  => 'before module pam_deny.so',
}

manage same entry but with Augeas xpath

pam { "Set sss entry to system-auth auth":
  ensure    => present,
  service   => 'system-auth',
  type      => 'auth',
  control   => 'sufficient',
  module    => 'pam_sss.so',
  arguments => 'use_first_pass',
  position  => 'before *[type="auth" and module="pam_deny.so"]',
}

delete entry

pam { "Remove sss auth entry from system-auth":
  ensure  => absent,
  service => 'system-auth',
  type    => 'auth',
  module  => 'pam_sss.so',
}

delete all references to module in file

pam { "Remove all pam_sss.so from system-auth":
  ensure  => absent,
  service => 'system-auth',
  module  => 'pam_sss.so',
}

manage entry in another pam service

pam { "Set cracklib limits in password-auth":
  ensure    => present,
  service   => 'password-auth',
  type      => 'password',
  module    => 'pam_cracklib.so',
  arguments => ['try_first_pass', 'retry=3', 'minlen=10'],
}

manage entry like previous but in classic pam.conf

pam { "Set cracklib limits in password-auth":
  ensure    => present,
  service   => 'password-auth',
  type      => 'password',
  module    => 'pam_cracklib.so',
  arguments => ['try_first_pass', 'retry=3', 'minlen=10'],
  target    => '/etc/pam.conf',
}

allow multiple entries with same control value

pam { "Set invalid login 3 times deny in password-auth -fail":
  ensure           => present,
  service          => 'password-auth',
  type             => 'auth',
  control          => '[default=die]',
  control_is_param => true,
  module           => 'pam_faillock.so',
  arguments        => ['authfail','deny=3','unlock_time=604800','fail_interval=900'],
}
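As an added illustration of the entry model the type manages (this is not the provider's own code): a Ruby sketch of the pam.d line format, the README's simple position forms, and the control_is_param identity rule. It assumes only the semantics the README documents; the names PamEntry, parse_pam_line, position_index, pam_ensure and faillock_demo, and the sample file, are constructed for this example.

```ruby
# Added example, not the module's own code: a small Ruby model of the pam.d
# line shape the Augeas pam lens exposes (optional "-" prefix, type, control,
# module, arguments), the README's simple position forms, and "ensure present"
# with control_is_param semantics. The sample file and all names are constructed.

PamEntry = Struct.new(:optional, :type, :control, :mod, :arguments) do
  def to_line
    ([(optional ? '-' : '') + type, control, mod] + arguments).join(' ')
  end
end

# Parse one pam.d line; blank and comment lines yield nil. Bracketed controls
# such as "[success=1 default=ignore]" contain spaces and are kept as one token.
def parse_pam_line(line)
  body = line.sub(/#.*/, '').strip
  m = body.match(/\A(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)\z/)
  return nil unless m
  PamEntry.new(m[1] == '-', m[2], m[3], m[4], m[5].split)
end

def parse_pam_file(text)
  text.lines.map { |l| parse_pam_line(l) }.compact
end

# Resolve "before first", "after last", "before module X" and "after module X"
# to an insertion index among entries of the given type; the README's xpath
# form *[type="auth" and module="X"] describes the same match.
def position_index(entries, type, position)
  where, what, arg = position.split(' ', 3)
  same_type = entries.each_index.select { |i| entries[i].type == type }
  idx = { 'first' => same_type.first, 'last' => same_type.last,
          'module' => same_type.find { |i| entries[i].mod == arg } }[what]
  raise ArgumentError, "position not found: #{position}" if idx.nil?
  where == 'after' ? idx + 1 : idx
end

# Ensure an entry is present: update the matching entry in place or insert at
# the requested position. Identity is (type, module), or (type, module, control)
# when control_is_param is true, which is what lets two pam_faillock.so lines
# with different controls coexist instead of the second overwriting the first.
def pam_ensure(entries, new_entry, position: nil, control_is_param: false)
  existing = entries.find do |e|
    e.type == new_entry.type && e.mod == new_entry.mod &&
      (!control_is_param || e.control == new_entry.control)
  end
  if existing
    existing.control, existing.arguments = new_entry.control, new_entry.arguments
  else
    at = position ? position_index(entries, new_entry.type, position) : entries.size
    entries.insert(at, new_entry)
  end
  entries
end

# Constructed sample auth stack, not taken from any real host.
SAMPLE_AUTH = <<~PAM
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  -auth       sufficient    pam_sss.so use_first_pass
  auth        required      pam_deny.so
PAM

# Apply the README's pam_faillock example to the sample; returns rendered lines.
def faillock_demo
  entries = parse_pam_file(SAMPLE_AUTH)
  faillock = PamEntry.new(false, 'auth', '[default=die]', 'pam_faillock.so',
                          %w[authfail deny=3 unlock_time=604800 fail_interval=900])
  pam_ensure(entries, faillock, position: 'before module pam_deny.so', control_is_param: true)
  entries.map(&:to_line)
end
```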

Issues

Please file any issues or suggestions on GitHub.

puppet-augeasproviders_pam's People

Contributors

bastelfreak, domcleal, ekohl, h-haaks, igalic, kenyon, maxadamo, mmarod, raphink, smortex, trevor-vaughan, vchepkov, zilchms


puppet-augeasproviders_pam's Issues

including augeasproviders_pam doesn't include in catalog

in my init.pp

include augeasproviders_pam

pam { "(6.3.3) - Set cracklib limits in password-auth":
  ensure    => present,
  service   => 'password-auth',
  type      => 'password',
  module    => 'pam_cracklib.so',
  arguments => ['try_first_pass', 'retry=3', 'minlen=14'],
}

output:

[root@rhel7 bin]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Could not find class ::augeasproviders_pam for rhel7 at /etc/puppetlabs/code/environments/production/modules/cis_rhel7/manifests/init.pp:14:3 on node rhel7
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

I restarted PE server after installing this module (PE 4.3)

redcarpet version specified in Gemfile flagged in CVE-2020-26298

The redcarpet version specified in Gemfile (gem 'redcarpet', '~> 2.0') is causing GitHub to flag https://rubysec.com/advisories/CVE-2020-26298/ (redcarpet downrev)

redcarpet appears to be leftover from older testing syntax/framework - it does not appear in Gemfile modules that have been converted to PDK (eg: augeasproviders_core, augeasproviders_shellvar); whereas redcarpet is present (and GitHub warning also shows) for other modules not yet converted to PDK (eg: augeasproviders_grub, augeasproviders_sysctl)

note: Dependabot appears to have raised PR in the puppet-augeasproviders repo for same/similar issue: voxpupuli/puppet-augeasproviders#167

Cannot remove all options.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7
  • Ruby: 2.7
  • Distribution: RHEL9
  • Module version: 4.0.0

How to reproduce (e.g Puppet code you use)

pam { 'Add pam_xdg_runtime_dir':
  ensure    => $_state_ensure,
  service   => 'sshd',
  type      => 'session',
  control   => 'optional',
  module    => 'pam_xdg_runtime_dir.so',
  position  => 'before *[type="session" and module="pam_krb5_cc_move.so"]',
  arguments => ['debug'],
  require   => Pam['Add pam_krb5_cc_move'],
}

This correctly adds

session    optional      pam_xdg_runtime_dir.so debug

After re-running puppet with arguments as [] or undef the existing arguments are not removed.

What are you seeing

Seems to be not possible to delete all existing arguments.

What behaviour did you expect instead

That [] or undef would delete all of the arguments.

delete all references to module in file does not work.

The readme says that to "delete all references to module in file" use the following:

pam { "Remove all pam_sss.so from system-auth":
  ensure  => absent,
  service => 'system-auth',
  module  => 'pam_sss.so',
}

When using the above method to delete all references I receive the following:

Nothing to manage: no ensure and the resource doesn't exist

The only way I can delete a reference is to specify a type.

pam { "Remove all pam_sss.so from system-auth":
  ensure  => absent,
  service => 'system-auth',
  module  => 'pam_sss.so',
  type    => 'auth',
}

2.0.0 forge release breaks PMT

$ tree spec/
spec/
`-- fixtures
    `-- modules
        `-- augeasproviders_syslog -> /home/rpinson/dev/augeasproviders_syslog

2 directories, 1 file

ensure=>'positioned' doesn't work with position=>'before first'

pam { "test":
  ensure    => 'positioned',
  service   => 'password-auth',
  type      => 'account',
  control   => 'sufficient',
  module    => 'pam_foo.so',
  arguments => ['use_first_pass', 'foo'],
  position  => 'before first',
}

won't reorder password-auth when pam_foo.so isn't the first account entry.
Unless the pam entry is the last entry in a section,
https://github.com/hercules-team/augeasproviders_pam/blob/master/lib/puppet/provider/pam/augeas.rb#L74 will find a match even if we're not first in the section.

Specifically, the match will be the 'first' entry that follows our entry, and in_position? will erroneously return true.

optional => true results in reconfig each time.

Versions:

  • augeasproviders_pam 2.1.0
  • augeasproviders_core 2.1.2

The following configuration:

pam { 'Add pam_afs_session to ssh stack':
  ensure    => 'present',
  service   => 'sshd',
  type      => 'session',
  optional  => true,
  control   => 'optional',
  module    => 'pam_afs_session.so',
  position  => 'before module postlogin',
  arguments => ['always_aklog', 'debug'],
}

adds a line which looks correct to me:

-session optional pam_afs_session.so always_aklog debug

In particular the - prefix is added for the optional => true.

Subsequent runs of puppet result in:

Notice: /Stage[main]/Afs::Config/Pam[Add pam_afs_session to ssh stack]/optional: optional changed 'false' to 'true' (corrective)

The line itself is unchanged; augtool output:

/files/etc/pam.d/sshd/14
/files/etc/pam.d/sshd/14/optional
/files/etc/pam.d/sshd/14/type = "session"
/files/etc/pam.d/sshd/14/control = "optional"
/files/etc/pam.d/sshd/14/module = "pam_afs_session.so"
/files/etc/pam.d/sshd/14/argument[1] = "always_aklog"
/files/etc/pam.d/sshd/14/argument[2] = "debug"

Ability to delete more specific items

Hey there, still loving this library (it's a lifesaver) 😄

Perhaps I'm missing something, but it seems that the absent keyword doesn't look at the control passed in:

e.g.

  pam { 'remove sufficient unix auth instance from system-auth':
    ensure  => absent,
    service => 'system-auth',
    type    => 'auth',
    control => 'sufficient',
    module  => 'pam_unix.so',
  }

This seems to remove pam_unix.so regardless of the control.

Is it possible to be more specific when removing entries like this?

Thanks
Fotis

Same module and control (control_is_param) not working

I'm trying to accomplish this in /etc/pam.d/password-auth:

auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900

And I'm using this code:

    pam { '(5.4.2) - pam_faillock preauth password-auth':
      ensure           => present,
      service          => 'password-auth',
      type             => 'auth',
      control          => 'required',
      control_is_param => true,
      module           => 'pam_faillock.so',
      arguments        => [
        'preauth',
        'silent',
        'deny=5',
        'unlock_time=900'
      ],
    }
    pam { '(5.4.2) - pam_faillock authfail password-auth':
      ensure           => present,
      service          => 'password-auth',
      type             => 'auth',
      control          => 'required',
      control_is_param => true,
      module           => 'pam_faillock.so',
      arguments        => [
        'authfail',
        'deny=5',
        'unlock_time=900'
      ],
    }

But on each puppet run the first block gets applied (preauth) and then the second one corrects the first one (authfail). So in the end, I only have this line:

auth required pam_faillock.so authfail deny=5 unlock_time=900

Am I missing something?

I've also tried changing ensure => present to ensure => positioned and adding a position, but that didn't work either.

I gave the top block this position:

position         => 'before *[type="auth" and module="pam_unix.so"]',

And the bottom one this:

position         => 'after *[type="auth" and module="pam_unix.so"]',

But the result is the same.

Any ideas or suggestions would be helpful.

Two pam resource edits with same module value compete and produce unexpected results

Using the following code

pam { 'faillock_1':
  ensure    => present,
  service   => 'password-auth',
  type      => 'auth',
  control   => 'required',
  module    => 'pam_faillock.so',
  arguments => ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'],
  position  => 'before *[type="auth" and module="pam_deny.so"]',
} ->

pam { 'faillock_2':
  ensure           => present,
  service          => 'password-auth',
  type             => 'auth',
  control          => 'sufficient',
  module           => 'pam_faillock.so',
  arguments        => ['authfail', 'audit', 'deny=5', 'unlock_time=900'],
  position         => 'before *[type="auth" and module="pam_deny.so"]',
}

Produces the following puppet notices:

Notice: /Stage[main]/Hdn_pam::Password_auth/Pam[faillock_1]/ensure: created
Notice: /Stage[main]/Hdn_pam::Password_auth/Pam[faillock_2]/arguments: arguments changed ['preauth', 'audit', 'silent', 'deny=5', 'unlock_time=900'] to 'authfail audit deny=5 unlock_time=900'
Notice: /Stage[main]/Hdn_pam::Password_auth/Pam[faillock_2]/control: control changed 'required' to 'sufficient'

And the faillock_2 resource overwrites the faillock_1 resource when they really should create two lines in password-auth:

auth    sufficient      pam_faillock.so authfail        audit   deny=5  unlock_time=900
auth    required        pam_deny.so

What I would expect to see is:

auth    required      pam_faillock.so  preauth       audit silent deny=5 unlock_time=900
auth    sufficient      pam_faillock.so authfail        audit   deny=5  unlock_time=900
auth    required        pam_deny.so

Failed to save Augeas tree to file

Hi,

I'm trying to do the following:

pam { 'set pam_mkhomedir.so to common-session':
  ensure    => present,
  service   => 'common-session',
  type      => 'session',
  control   => 'required',
  module    => 'pam_mkhomedir.so',
  arguments => 'umask 022 skel=/etc/skel',
  position  => 'after module pam_systemd.so',
}

However, it is spewing me with errors. Please help me out here.

Notice: /Stage[main]/Main/Pam[set pam_mkhomedir.so to common-session]/ensure: created
Debug: Puppet::Type::Pam::ProviderAugeas: Save failure details:
/augeas/files/etc/pam.d/common-session/error/path = /files/etc/pam.d/common-session/7
/augeas/files/etc/pam.d/common-session/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/pam.aug:58.21-.51:
/augeas/files/etc/pam.d/common-session/error/message = Failed to match
    { /optional/ }?{ /type/ = /auth|session|account|password/ }{ /control/ = /\\[[^]\001-\004\n#]*\\]|[^\001-\004\t [][^\001-\004\t ]*/ }{ /module/ = /[^\001-\004\t\n #]+/ }{ /argument/ = /\\[[^]\001-\004\n#]+\\]|[^\001-\004\t\n #[][^\001-\004\t\n #]*/ }*({ /#comment/ = /[^\001-\004\t\n\r ][^\001-\004\n]*[^\001-\004\t\n\r ]|[^\001-\004\t\n\r ]/ } | ())
  with tree
    { "type" = "session" } { "control" = "required" } { "module" = "pam_mkhomedir.so" } { "argument" = "umask 022 skel=/etc/skel" }
Error: /Stage[main]/Main/Pam[set pam_mkhomedir.so to common-session]: Could not evaluate: Failed to save Augeas tree to file. See debug logs for details.

Removing "nullok" arguments?

Is it possible to remove a specific argument ("nullok") from multiple lines in a file ?

As in /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac

Change an entry

hi,

I want to change the /etc/pam.d/common-session

from default:

session  optional        pam_umask.so

to

session optional pam_umask.so umask=027

but I'm only able to delete and re-add, which isn't the best way :-)

Any suggestions ?

Feature Request: Support for 'include' in the provider

There does not appear to be any way to specify something like this...

@include common-account
@include common-password
@include common-session

Seems like the 'type' parameter could just be extended to add support for 'include'.

Thanks!

arguments being stripped when two pam resources act on same module

I need to have the following in my /etc/pam.d/postlogin:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     required      pam_lastlog.so  noupdate showfailed

I created the following pam resources:

pam { 'pam_lastlog.so_ default_control':
  ensure => positioned,
  service => 'postlogin',
  type => 'session',
  control => '[default=1]',
  control_is_param => true,
  module => 'pam_lastlog.so',
  arguments => ['nowtmp', 'showfailed'],
  position => 'after *[type="session" and module="pam_succeed_if.so"]',
}

pam { 'pam_lastlog.so_ required_control':
  ensure => positioned,
  service => 'postlogin',
  type => 'session',
  control => 'required',
  module => 'pam_lastlog.so',
  arguments => ['noupdate', 'showfailed'],
  position => 'after *[type="session" and module="pam_lastlog.so" and control="[default=1]"]',
}

Starting with a /etc/pam.d/postlogin file of:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet

What this gives me in the /etc/pam.d/postlogin file is:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so
session     required      pam_lastlog.so

So where did my arguments go?

Version of herculesteam-augeasproviders_pam is 2.2.1, on PE 2019.2 working on RHEL7 test system.

Two Questions

First:
puppet resource pam
says
Error: could not run: No resource and no name in property hash in augeas instance
I am looking for a way to see how existing files are perceived by this module - so I can create them from scratch

Second:
Can comment lines be inserted using this module ?

Module doesn't allow more than one line with same module

The below for example cannot be implemented:

auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=6 unlock_time=1800
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=6 unlock_time=1800
auth sufficient pam_faillock.so authsucc deny=6 unlock_time=1800
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

as pam_faillock.so appears in more than one line.

position parameter does not work

I have tried using both XPath and default forms for declaring positions and neither seems to work. I also tried declaring the position param as 'after' on the second pam resource below but that also did not work.

Using Debian 7 / Puppet 3.7.3

    pam { "Set cracklib limits in common-password.":
      ensure    => present,
      service   => 'common-password',
      type      => 'password',
      control   => 'required',
      module    => 'pam_cracklib.so',
      arguments => [ 'retry=3', 'minlen=8', 'difok=3' ],
      position  => 'before module pam_unix.so'
    }

    pam { "Set unix options in common-password":
      ensure    => present,
      service   => 'common-password',
      type      => 'password',
      control   => 'required',
      module    => 'pam_unix.so',
      arguments => [ 'use_authtok', 'nullok', 'md5', 'remember=6' ],
    }

The output of this is...

password    required    pam_unix.so use_authtok nullok  md5 remember=6
password    required    pam_cracklib.so retry=3 minlen=8    difok=3

Can you tell me if variables are supported?

Can you tell me if variables are supported?
$retry, $time

pam { "/etc/pam.d/common-auth":
  ensure    => present,
  service   => 'common-auth',
  type      => 'auth',
  module    => 'pam_tally.so',
  arguments => ['retry=$retry', 'minlen=$time'],
}

Cannot insert a line both before and after

Starting with default RHEL 7 /etc/pam.d/system-auth :
system-auth.txt
And trying to apply DISA STIG modifications:
To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny=3 unlock_time=never fail_interval=900
add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=never fail_interval=900

with this bit of puppet code:
snippet.pp.txt
and what I get is ...
log.txt
resulting in
system-auth-after.txt

Now is this a bug or did I mess up ?

Issue with position => 'before first' in Debian

Below are the contents of my site.pp file where I am testing getting the addition of the following 4 pam lines working in an sshd file. These commands work fine in my CentOS files, and need to be in this specific order. When used in my Debian files, sepermit.so shows at the bottom of the file. Even when attempting to place it before the first module in the file (in this case nologin.so) it still drops to the bottom. Is there a known issue or workaround for this?

pam {"sshd pam_sepermit":
        ensure => positioned,
        service => 'sshd',
        type => 'auth',
        control => 'required',
        module => 'pam_sepermit.so',
        position => 'before first',
}
pam {"sshd pam_succeed itadmins":
        ensure => positioned,
        service => 'sshd',
        type => 'auth',
        control => '[success=2 default=ignore]',
        control_is_param => true,
        module => 'pam_succeed_if.so',
        arguments => ['user', 'ingroup', 'itadmins'],
        position => 'after module pam_sepermit.so',
}
pam {"sshd pam_succeed local_users":
        ensure => positioned,
        service => 'sshd',
        type => 'auth',
        control => '[success=1 default=ignore]',
        control_is_param => true,
        module => 'pam_succeed_if.so',
        arguments => ['user', 'ingroup', 'local_users'],
        position => 'after module pam_succeed_if.so',
}
pam {"sshd pam_radius":
        ensure => positioned,
        service => 'sshd',
        type => 'auth',
        control => 'required',
        module => 'pam_radius_auth.so',
        position => 'after *[control="[success=1 default=ignore]"]',
}
