

factorise code in pam_account_password_unix_remember
a-skr committed May 5, 2024
1 parent 6ad26f8 commit 118cf7b
Showing 9 changed files with 141 additions and 215 deletions.

This file was deleted.

@@ -1,21 +1,69 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium

{{% if product in [ "sle12", "sle15" ] %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}

{{% if "ubuntu" in product or "debian" in product %}}
{{% set pam_file='/etc/pam.d/common-password' %}}
{{% set group='password' %}}
{{% set control='\[success=[A-Za-z0-9].*\]' %}}
{{% set module='pam_unix.so' %}}
{{% set option='remember' %}}
{{% set value='{{ var_password_pam_unix_remember }}' %}}
{{% elif product in [ "sle12", "sle13" ] %}}
{{% set pam_file='/etc/pam.d/common-password' %}}
{{% else %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
{{% set pam_file='/etc/pam.d/system-auth' %}}
{{% endif %}}

{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
{{% if "ubuntu" in product or "debian" in product %}}

# Modified version of macro ansible_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='').
# The original macro is designed to search/replace also the control field thus treating the field as a constant and escaping the regex.
# Here we adapt the code to allow using regex on the control field.

- name: '{{{ rule_title }}} - Check if the required PAM module option is present in {{{ pam_file }}}'
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
regexp: ^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b
state: absent
check_mode: true
changed_when: false
register: result_pam_module_{{{ option }}}_option_present

- name: '{{{ rule_title }}} - Ensure the "{{{ option }}}" PAM option for "{{{ module }}}" is included in {{{ pam_file }}}'
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
backrefs: true
regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*)
line: \1 {{{ option }}}={{{ value }}}
state: present
register: result_pam_{{{ option }}}_add
when:
- result_pam_module_{{{ option }}}_option_present.found == 0

{{{ ansible_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
- name: '{{{ rule_title }}} - Ensure the required value for "{{{ option }}}" PAM option from "{{{ module }}}" in {{{ pam_file }}}'
ansible.builtin.lineinfile:
path: "{{{ pam_file }}}"
backrefs: true
regexp: ^(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}})=[0-9a-zA-Z]+\s*(.*)
line: \1\2={{{ value }}} \3
register: result_pam_{{{ option }}}_edit
when:
- result_pam_module_{{{ option }}}_option_present.found > 0


{{% else %}}

{{{ ansible_pam_pwhistory_enable(pam_file,
'requisite',
'^password.*requisite.*pam_pwquality\.so') }}}

{{{ ansible_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
{{{ ansible_pam_pwhistory_parameter_value(pam_file,
'remember',
'{{ var_password_pam_unix_remember }}') }}}

{{% endif %}}
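Review bot: The new `{{% elif product in [ "sle12", "sle13" ] %}}` branch looks like a typo for `"sle15"`: the condition it replaces at the top of this hunk and the bash remediation changed in the same commit both list `"sle12", "sle15"`, so SLE 15 now falls through to the `else` branch and is remediated in `/etc/pam.d/system-auth` instead of `/etc/pam.d/common-password`. Proposed line: `{{% elif product in [ "sle12", "sle15" ] %}}`. Separately, the two `backrefs: true` tasks in the Debian/Ubuntu branch leave the file untouched when no `password [success=…] pam_unix.so` line matches, so on a host without such a line the play reports no change and `remember` is never set; that precondition is worth stating in the comment block above the tasks, e.g. `# Assumes a "password [success=...] pam_unix.so" line already exists in {{{ pam_file }}}; with backrefs the tasks below never add one.`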

This file was deleted.

This file was deleted.

@@ -1,12 +1,18 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# platform = multi_platform_all

{{% if product in [ "sle12", "sle15" ] %}}
{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}

{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
{{% else %}}
{{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
{{% endif %}}

{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
{{% if "debian" in product or "ubuntu" in product %}}

{{{ bash_ensure_pam_module_options(accounts_password_pam_unix_remember_file, 'password', '\[success=[[:alnum:]].*\]', 'pam_unix.so', 'remember', "$var_password_pam_unix_remember", "$var_password_pam_unix_remember") }}}

{{% else %}}

{{{ bash_pam_pwhistory_enable(accounts_password_pam_unix_remember_file,
'requisite',
@@ -15,3 +21,6 @@
{{{ bash_pam_pwhistory_parameter_value(accounts_password_pam_unix_remember_file,
'remember',
"$var_password_pam_unix_remember") }}}

{{% endif %}}
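Review bot: The `bash_ensure_pam_module_options(...)` call added for the Debian/Ubuntu branch is a single line of over 200 characters, while the `bash_pam_pwhistory_enable` and `bash_pam_pwhistory_parameter_value` calls below it in the same file break their arguments one per line; wrapping it the same way would keep the file consistent and make the seven positional arguments reviewable. The last two arguments are both `"$var_password_pam_unix_remember"`, presumably the value to set and the value to check for, but the macro signature is not visible here; a one-line comment above the call naming what each position means, such as `# args: file, group, control regex, module, option, value to set, expected value (confirm against the macro)`, would document that. The control regex `'\[success=[[:alnum:]].*\]'` does agree with the `\[success=[A-Za-z0-9].*\]` used by the ansible remediation in this commit.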

This file was deleted.

This file was deleted.


