Class pam::pam
In: /tmp/puppet/modules/pam/manifests/init.pp
Parent:

Module: pam

Class: pam

Description:

      This class hardens PAM. It edits the system-auth stack in /etc/pam.d to
      enforce pam_cracklib.so password-quality rules, make pam_unix.so the
      deciding module of the auth stack and lock accounts after repeated failed
      logins (pam::addNumTriesLock), and limit password reuse, following the
      guide sections and CCE references listed below.

Defines:

      pam::changeParm
      pam::addNumTriesLock

LinuxGuide:

      2.3.3.1.1
      2.3.3.2
      2.3.3.6

CCERef#:

      CCE-3762-2
      CCE-3410-8

Resources

Augeas["remove-lines"]
   context => "/files/etc/pam.d"
   changes => ["remove system-auth/*[type='auth'][control='requisite'][module ='pam_succeed_if.so']",
               "remove system-auth/*[type='auth'][control='required'][module ='pam_deny.so']"]

Removes the "auth requisite pam_succeed_if.so" and "auth required pam_deny.so" lines from system-auth. pam_deny.so is the fail-closed default at the end of the stock auth stack; dropping it is only safe because Pam::Changeparm["required-2.3.3.2"] below changes pam_unix.so in the auth stack from sufficient to required, so a failed pam_unix.so still fails the stack. Apply both changes together.
Pam::Addnumtrieslock["login"]

Declare one Pam::Addnumtrieslock resource for each PAM service file (in /etc/pam.d) whose logins should lock the account after too many failed attempts; only "login" is declared here.

Pam::Changeparm["dcredit"]
   parm => "dcredit"
   value => "-1"
   path => "argument"
   module => "pam_cracklib.so"
   type => "password"
   filename => "system-auth"
Pam::Changeparm["lcredit"]
   parm => "lcredit"
   value => "0"
   path => "argument"
   module => "pam_cracklib.so"
   type => "password"
   filename => "system-auth"
Pam::Changeparm["minlen"]
   parm => "minlen"
   value => "14"
   path => "argument"
   module => "pam_cracklib.so"
   type => "password"
   filename => "system-auth"
Pam::Changeparm["ocredit"]
   parm => "ocredit"
   value => "-1"
   path => "argument"
   module => "pam_cracklib.so"
   type => "password"
   filename => "system-auth"
Pam::Changeparm["required"]
   parm => "required"
   value => ""
   path => "control"
   module => "pam_cracklib.so"
   type => "password"
   filename => "system-auth"

GuideSection 2.3.3.1.1 CCE-3762-2 Protect accounts via pam_cracklib: the password-stack pam_cracklib.so line becomes "required" (with path => "control" the control field is set to parm and value is unused, hence the empty value) and gets minlen=14 with at least one digit, one uppercase and one other character (dcredit, ucredit, ocredit = -1). lcredit => "0" gives no credit for lowercase characters but also does not require one; use "-1" to require at least one lowercase character.

Pam::Changeparm["required-2.3.3.2"]
   parm => "required"
   value => ""
   path => "control"
   module => "pam_unix.so"
   type => "auth"
   filename => "system-auth"

GuideSection 2.3.3.2 CCE-3410-8 Set Lockouts for Failed Password Attempts: pam_unix.so in the auth stack is changed from sufficient to required. Together with the Augeas removal of pam_deny.so above, pam_unix.so then decides the result of the auth stack, and a wrong password fails it instead of being ignored.

Pam::Changeparm["reusepass"]
   parm => "remember"
   value => "5"
   path => "argument"
   module => "pam_unix.so"
   type => "password"
   filename => "system-auth"

GuideSection 2.3.3.6 Limit Password Reuse: remember=5 makes pam_unix.so keep the last 5 password hashes per user in /etc/security/opasswd and reject a new password that matches any of them.

Pam::Changeparm["ucredit"]
   parm => "ucredit"
   value => "-1"
   path => "argument"
   module => "pam_cracklib.so"
   type => "password"
   filename => "system-auth"
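As an added example, not code from the pam module or its author: a Python model of the pam.d edits listed above (the Augeas removals and each Pam::Changeparm), followed by an audit that checks the resulting system-auth for the same values and for the ordering dependency between removing pam_deny.so and making pam_unix.so required. The stock input file, the function names (parse, render, harden, audit, change_parm, remove_lines) and the choice of Python are assumptions; pam::addNumTriesLock is left out because the page does not show its definition.

```python
# Added example for this page, not code from the pam Puppet module: a Python model of
# the edits the class makes to /etc/pam.d/system-auth, plus an audit of the result.
# STOCK_SYSTEM_AUTH is constructed to resemble a default RHEL 5 file (an assumption).
STOCK_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

def parse(text):
    """pam.d text -> list of rule dicts; blank and comment lines are kept as strings."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            entries.append(line)
            continue
        f = line.split()
        entries.append({"type": f[0], "control": f[1], "module": f[2], "args": f[3:]})
    return entries

def render(entries):
    return "\n".join(e if isinstance(e, str) else " ".join(
        [e["type"], e["control"], e["module"]] + e["args"]) for e in entries) + "\n"

def rules(entries, type_, module):
    """All rules of one type (auth, password, ...) that load one module."""
    return [e for e in entries if isinstance(e, dict)
            and e["type"] == type_ and e["module"] == module]

def arg_value(rule, name):
    """Value of a name=value module argument: "" for a bare flag, None if absent."""
    for a in rule["args"]:
        key, sep, val = a.partition("=")
        if key == name:
            return val if sep else ""
    return None

def change_parm(entries, parm, value, path, module, type_):
    """Mirror of pam::changeParm as used above: path "argument" sets or replaces the
    module argument parm=value; path "control" sets the control field to parm."""
    for rule in rules(entries, type_, module):
        if path == "control":
            rule["control"] = parm          # value is unused here; the page passes ""
        else:
            kept = [a for a in rule["args"] if a.partition("=")[0] != parm]
            rule["args"] = kept + ["%s=%s" % (parm, value)]
    return entries

def remove_lines(entries, type_, control, module):
    """Mirror of the Augeas "remove" changes: drop rules matching all three fields."""
    return [e for e in entries if isinstance(e, str) or not
            (e["type"] == type_ and e["control"] == control and e["module"] == module)]

def harden(text):
    """Apply every resource the pam class declares, in dependency order."""
    entries = parse(text)
    entries = remove_lines(entries, "auth", "requisite", "pam_succeed_if.so")
    entries = remove_lines(entries, "auth", "required", "pam_deny.so")
    # 2.3.3.2: with pam_deny.so gone, pam_unix.so must be the deciding auth module
    change_parm(entries, "required", "", "control", "pam_unix.so", "auth")
    for parm, value in (("minlen", "14"), ("dcredit", "-1"), ("ucredit", "-1"),
                        ("ocredit", "-1"), ("lcredit", "0")):
        change_parm(entries, parm, value, "argument", "pam_cracklib.so", "password")
    change_parm(entries, "required", "", "control", "pam_cracklib.so", "password")
    # 2.3.3.6: keep the last 5 hashes in /etc/security/opasswd to block reuse
    change_parm(entries, "remember", "5", "argument", "pam_unix.so", "password")
    return entries

def audit(entries):
    """Findings against the values the class enforces; an empty list means compliant."""
    findings = []
    crack = rules(entries, "password", "pam_cracklib.so")
    if not crack:
        findings.append("no password pam_cracklib.so rule")
    for r in crack:
        if r["control"] != "required":
            findings.append("pam_cracklib.so control is %s, expected required" % r["control"])
        # minlen may only grow (sign +1); a credit may only get more negative (sign -1)
        for name, limit, sign in (("minlen", 14, 1), ("dcredit", -1, -1), ("ucredit", -1, -1),
                                  ("ocredit", -1, -1), ("lcredit", 0, -1)):
            raw = arg_value(r, name)
            if raw is None or not raw.lstrip("-").isdigit() or sign * (int(raw) - limit) < 0:
                findings.append("pam_cracklib.so %s missing or weaker than %d" % (name, limit))
    for r in rules(entries, "password", "pam_unix.so"):
        raw = arg_value(r, "remember")
        if raw is None or not raw.isdigit() or int(raw) < 5:
            findings.append("pam_unix.so password rule lacks remember=5 or higher")
    # removing auth pam_deny.so is only safe once pam_unix.so decides the auth stack
    if not rules(entries, "auth", "pam_deny.so") and any(
            r["control"] != "required" for r in rules(entries, "auth", "pam_unix.so")):
        findings.append("auth pam_deny.so removed but pam_unix.so is not required; "
                        "a failed pam_unix.so no longer fails the auth stack")
    return findings
```

To check a real host, call audit(parse(open("/etc/pam.d/system-auth").read())); an empty list means the file already carries everything the class sets, and print(render(harden(...))) shows the stack the class would produce. The audit accepts lcredit=0 because that is what the class declares, even though 0 does not require a lowercase character; the last check flags a stack where pam_deny.so was removed without pam_unix.so being made required.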
