Support managing faillock.conf

ghoneycutt · Mar 11, 2024 · f8f0be8 · f8f0be8
1 parent 3c0c3a3
commit f8f0be8
Show file tree

Hide file tree

Showing 6 changed files with 223 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,9 @@ though generally include things such as the following.
 The management of `/etc/security/access.conf` can be controlled by the
 `pam::manage_accesslogin` parameter (enabled by default).
 
+The management of `/etc/security/faillock.conf` can be controlled by the
+`pam::manage_faillock` parameter (disabled by default).
+
 ### Setup requirements
 This module requires `stdlib`. When deployed by default it will require
 `nsswitch`. See below for more information.

diff --git a/manifests/faillock.pp b/manifests/faillock.pp
@@ -0,0 +1,75 @@
+# @summary Manage faillock.conf
+#
+# @param config_file
+#   The faillock config path
+# @param config_file_owner
+#   The faillock config owner
+# @param config_file_group
+#   The faillock config group
+# @param config_file_mode
+#   The faillock config mode
+# @param config_file_template
+#   The faillock config template
+# @param config_file_source
+#   The faillock config source
+# @param dir
+#   The faillock 'dir' config option
+# @param audit_enabled
+#   The faillock 'audit' config option
+# @param silent
+#   The faillock 'silent' config option
+# @param no_log_info
+#   The faillock 'no_log_info' config option
+# @param local_users_only
+#   The faillock 'local_users_only' config option
+# @param deny
+#   The faillock 'deny' config option
+# @param fail_interval
+#   The faillock 'fail_interval' config option
+# @param unlock_time
+#   The faillock 'unlock_time' config option
+# @param even_deny_root
+#   The faillock 'even_deny_root' config option
+# @param root_unlock_time
+#   The faillock 'root_unlock_time' config option
+# @param admin_group
+#   The faillock 'admin_group' config option
+# 
+class pam::faillock (
+  Stdlib::Absolutepath $config_file = '/etc/security/faillock.conf',
+  String[1] $config_file_owner = 'root',
+  String[1] $config_file_group = 'root',
+  Stdlib::Filemode $config_file_mode = '0644',
+  String[1] $config_file_template = 'pam/faillock.conf.erb',
+  Optional[Stdlib::Filesource] $config_file_source = undef,
+  Stdlib::Absolutepath $dir = '/var/run/faillock',
+  Optional[Boolean] $audit_enabled = undef,
+  Optional[Boolean] $silent = undef,
+  Optional[Boolean] $no_log_info = undef,
+  Optional[Boolean] $local_users_only = undef,
+  Integer $deny = 3,
+  Integer $fail_interval = 900,
+  Integer $unlock_time = 600,
+  Optional[Boolean] $even_deny_root = undef,
+  Integer $root_unlock_time = $unlock_time,
+  Optional[String[1]] $admin_group = undef,
+) {
+  include pam
+
+  if $config_file_source {
+    $_config_file_content = undef
+  } else {
+    $_config_file_content = template($config_file_template)
+  }
+
+  file { 'faillock.conf':
+    ensure  => 'file',
+    path    => $config_file,
+    owner   => $config_file_owner,
+    group   => $config_file_group,
+    mode    => $config_file_mode,
+    content => $_config_file_content,
+    source  => $config_file_source,
+    require => Package[$pam::package_name],
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -29,6 +29,9 @@
 #   in Hiera. This is useful for specifying fragments at different levels of
 #   the hierarchy and having them all included in the catalog.
 #
+# @param manage_faillock
+#   Controls whether to manage faillock.conf
+#
 # @param package_name
 #   String or Array of packages providing the pam functionality. If undef,
 #   parameter is set based on the OS version.
@@ -203,6 +206,7 @@
   Optional[Hash] $services                                  = undef,
   Optional[Hash] $limits_fragments                          = undef,
   Boolean $limits_fragments_hiera_merge                     = false,
+  Boolean $manage_faillock                                  = false,
   Array $pam_d_login_oracle_options                         = [],
   Stdlib::Absolutepath $pam_d_login_path                    = '/etc/pam.d/login',
   String $pam_d_login_owner                                 = 'root',
@@ -311,6 +315,10 @@
     }
   }
 
+  if $manage_faillock {
+    include pam::faillock
+  }
+
   if $manage_nsswitch {
     include nsswitch
   }

diff --git a/spec/classes/faillock_spec.rb b/spec/classes/faillock_spec.rb
@@ -0,0 +1,101 @@
+require 'spec_helper'
+require 'spec_platforms'
+
+describe 'pam::faillock' do
+  on_supported_os.each do |os, os_facts|
+    # this function call mimic hiera data, it is sourced in from spec/spec_platforms.rb
+    package_name = package_name(os)
+
+    context "on #{os}" do
+      let(:facts) { os_facts }
+      let(:content) do
+        <<-END.gsub(%r{^\s+\|}, '')
+          |# This file is being maintained by Puppet.
+          |# DO NOT EDIT
+          |#
+          |dir=/var/run/faillock
+          |deny=3
+          |fail_interval=900
+          |unlock_time=600
+          |root_unlock_time=600
+        END
+      end
+
+      it { is_expected.to compile.with_all_deps }
+      it { is_expected.to contain_class('pam') }
+
+      it do
+        is_expected.to contain_file('faillock.conf').with(
+          'ensure'  => 'file',
+          'path'    => '/etc/security/faillock.conf',
+          'source'  => nil,
+          'content' => content,
+          'owner'   => 'root',
+          'group'   => 'root',
+          'mode'    => '0644',
+        )
+      end
+
+      package_name.sort.each do |pkg|
+        it { is_expected.to contain_file('faillock.conf').that_requires("Package[#{pkg}]") }
+      end
+
+      context 'with config_file set to a valid path' do
+        let(:params) { { config_file: '/testing' } }
+
+        it { is_expected.to contain_file('faillock.conf').with_path('/testing') }
+      end
+
+      context 'with config_file_source set to a valid string' do
+        let(:params) { { config_file_source: 'puppet:///pam/unit_tests.erb' } }
+
+        it { is_expected.to contain_file('faillock.conf').with_source('puppet:///pam/unit_tests.erb') }
+        it { is_expected.to contain_file('faillock.conf').with_content(nil) }
+      end
+
+      context 'with config_file_mode set to a valid string' do
+        let(:params) { { config_file_mode: '0242' } }
+
+        it { is_expected.to contain_file('faillock.conf').with_mode('0242') }
+      end
+
+      context 'when config options are non-default' do
+        let(:params) do
+          {
+            dir: '/foo',
+            audit: true,
+            silent: true,
+            no_log_info: true,
+            local_users_only: true,
+            deny: 1,
+            fail_interval: 2,
+            unlock_time: 3,
+            even_deny_root: true,
+            root_unlock_time: 4,
+            admin_group: 'admins'
+          }
+        end
+        let(:content) do
+          <<-END.gsub(%r{^\s+\|}, '')
+            |# This file is being maintained by Puppet.
+            |# DO NOT EDIT
+            |#
+            |dir=/foo
+            |audit
+            |silent
+            |no_log_info
+            |local_users_only
+            |deny=1
+            |fail_interval=2
+            |unlock_time=3
+            |even_deny_root
+            |root_unlock_time=4
+            |admin_group=admins
+          END
+        end
+
+        it { is_expected.to contain_file('faillock.conf').with_content(content) }
+      end
+    end
+  end
+end
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -268,6 +268,16 @@
           end
         end
 
+        context 'with manage_faillock parameter default value' do
+          it { is_expected.not_to contain_class('pam::faillock') }
+        end
+
+        context 'with manage_faillock parameter set to true' do
+          let(:params) { { manage_faillock: true } }
+
+          it { is_expected.to contain_class('pam::faillock') }
+        end
+
         context 'with manage_nsswitch parameter default value' do
           it { is_expected.to contain_class('nsswitch') }
         end

diff --git a/templates/faillock.conf.erb b/templates/faillock.conf.erb
@@ -0,0 +1,26 @@
+# This file is being maintained by Puppet.
+# DO NOT EDIT
+#
+dir=<%= @dir %>
+<% if @audit_enabled -%>
+audit
+<% end -%>
+<% if @silent -%>
+silent
+<% end -%>
+<% if @no_log_info -%>
+no_log_info
+<% end -%>
+<% if @local_users_only -%>
+local_users_only
+<% end -%>
+deny=<%= @deny %>
+fail_interval=<%= @fail_interval %>
+unlock_time=<%= @unlock_time %>
+<% if @even_deny_root -%>
+even_deny_root
+<% end -%>
+root_unlock_time=<%= @root_unlock_time %>
+<% if @admin_group -%>
+admin_group=<%= @admin_group %>
+<% end -%>