Example of enabling pam_tally on various Linux distributions with Puppet/Augeas
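# Class: pam::tally
#
# Enables login-failure counting and temporary account lockout through the
# pam_tally / pam_tally2 PAM module on Red Hat-family and SLES hosts, by
# inserting the required entries into the PAM stack files with Augeas.
#
# Every Augeas resource is guarded by an 'onlyif' that looks for an existing
# 'required' pam_tally* entry of the same type in that file, so a stack that
# already carries one is left alone and repeated runs stay idempotent.
#
# Tunables (read with extlookup; defaults match the values originally used):
#   tally_deny        - failed attempts before the account is locked (default 5)
#   tally_unlock_time - seconds after which a locked account unlocks itself
#                       (default 1800). A finite unlock time means a burst of
#                       bad passwords cannot lock a user out permanently.
#
# Assumptions to confirm on the target platform:
#   - $::osmajor is a custom fact holding the OS major version as a string.
#   - pam_tally2.so is available on EL6/EL7 and SLES 11+; EL4/EL5 only ship
#     the original pam_tally.so.
class pam::tally {
  $tally_deny   = extlookup('tally_deny', 5)
  $tally_unlock = extlookup('tally_unlock_time', 1800)

  case $::operatingsystem {
    # EL
    /(?i-mx:redhat|centos|oraclelinux|oel)/: {
      # EL6 and EL7 ship pam_tally2; EL4/EL5 only have the original pam_tally.
      # Matching 6 and 7 together keeps the module choice consistent with the
      # "$::osmajor >= 6" branch below, which also runs on EL7.
      $pammod = $::osmajor ? {
        /^[67]$/ => 'pam_tally2.so',
        default  => 'pam_tally.so',
      }

      # auth phase: count failures and deny once the threshold is reached.
      # onerr=fail makes the module fail the authentication, rather than skip
      # the check, when the tally file cannot be read or written.
      augeas { 'pam_tally_auth':
        context => '/files/etc/pam.d/system-auth',
        changes => $::osmajor ? {
          # EL4: the auth entry only counts; deny/reset live in the account phase.
          '4' => ["ins 01 after *[module =~ regexp('.*pam_env.so')][type = 'auth'][last()]",
                  'set 01/type auth',
                  'set 01/control required',
                  "set 01/module ${pammod}",
                  'set 01/argument[last()+1] onerr=fail',
                 ],
          # EL5+: deny threshold and time-based unlock on the auth entry itself.
          default => ["ins 01 after *[module =~ regexp('.*pam_env.so')][type = 'auth'][last()]",
                      'set 01/type auth',
                      'set 01/control required',
                      "set 01/module ${pammod}",
                      'set 01/argument[last()+1] onerr=fail',
                      "set 01/argument[last()+1] deny=${tally_deny}",
                      "set 01/argument[last()+1] unlock_time=${tally_unlock}",
                     ],
        },
        # Skip when a required pam_tally* auth entry is already present.
        onlyif  => "match *[module =~ regexp('.*pam_tally.*.so')][type = 'auth'][control = 'required'] size == 0",
      }

      # account phase: responsible for clearing the counter after a
      # successful login.
      augeas { 'pam_tally_acc':
        context => '/files/etc/pam.d/system-auth',
        changes => $::osmajor ? {
          # EL4: explicit deny= and reset, because the auth entry carries neither.
          '4' => ["ins 01 after *[module =~ regexp('.*pam_permit.so')][type = 'account'][last()]",
                  'set 01/type account',
                  'set 01/control required',
                  "set 01/module ${pammod}",
                  "set 01/argument[last()+1] deny=${tally_deny}",
                  'set 01/argument[last()+1] reset',
                 ],
          # EL5+: argument-less account entry.
          # NOTE(review): with the original pam_tally.so (EL5) an account entry
          # without 'reset' may not clear the count on success; confirm against
          # pam_tally(8) on the target release.
          default => ["ins 01 after *[module =~ regexp('.*pam_unix.so')][type = 'account'][last()]",
                      'set 01/type account',
                      'set 01/control required',
                      "set 01/module ${pammod}",
                     ],
        },
        onlyif  => "match *[module =~ regexp('.*pam_tally.*.so')][type = 'account'][control = 'required'] size == 0",
      }

      # rinse & repeat for RHEL 6+ remote services, which use password-auth
      # instead of system-auth. $::osmajor is a string fact; Puppet compares
      # numeric-looking strings numerically here.
      if ($::osmajor >= 6) {
        augeas { 'pam_tally_auth6':
          context => '/files/etc/pam.d/password-auth',
          changes => ["ins 01 after *[module =~ regexp('.*pam_env.so')][type = 'auth'][last()]",
                      'set 01/type auth',
                      'set 01/control required',
                      "set 01/module ${pammod}",
                      'set 01/argument[last()+1] onerr=fail',
                      "set 01/argument[last()+1] deny=${tally_deny}",
                      "set 01/argument[last()+1] unlock_time=${tally_unlock}",
                     ],
          onlyif  => "match *[module =~ regexp('.*pam_tally.*.so')][type = 'auth'][control = 'required'] size == 0",
        }
        augeas { 'pam_tally_acc6':
          context => '/files/etc/pam.d/password-auth',
          changes => ["ins 01 after *[module =~ regexp('.*pam_unix.so')][type = 'account'][last()]",
                      'set 01/type account',
                      'set 01/control required',
                      "set 01/module ${pammod}",
                     ],
          onlyif  => "match *[module =~ regexp('.*pam_tally.*.so')][type = 'account'][control = 'required'] size == 0",
        }
      }
    }

    # SLES
    /(?i-mx:sles)/: {
      $pammod = 'pam_tally2.so'
      # only SLES 11+: the common-auth / common-account split and pam_unix2
      # anchor below are specific to that layout.
      if ($::osmajor >= 11) {
        augeas { 'pam_tally_auth11':
          context => '/files/etc/pam.d/common-auth',
          changes => ["ins 01 after *[module =~ regexp('.*pam_unix2.so')][type = 'auth'][last()]",
                      'set 01/type auth',
                      'set 01/control required',
                      "set 01/module ${pammod}",
                      'set 01/argument[last()+1] onerr=fail',
                      "set 01/argument[last()+1] deny=${tally_deny}",
                      "set 01/argument[last()+1] unlock_time=${tally_unlock}",
                     ],
          onlyif  => "match *[module =~ regexp('.*pam_tally.*.so')][type = 'auth'][control = 'required'] size == 0",
        }
        augeas { 'pam_tally_acc11':
          context => '/files/etc/pam.d/common-account',
          changes => ["ins 01 after *[module =~ regexp('.*pam_unix2.so')][type = 'account'][last()]",
                      'set 01/type account',
                      'set 01/control required',
                      "set 01/module ${pammod}",
                     ],
          onlyif  => "match *[module =~ regexp('.*pam_tally.*.so')][type = 'account'][control = 'required'] size == 0",
        }
      }
    }

    # Any other OS: nothing is managed here.
    default: {
    }
  }
}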