Introduces puppet module for `/etc/login.defs`

Enables management of shadow password directives in login.defs By allowing operators to set values in login.defs, they are able to improve password security for newly created system accounts. This change will in turn allow operators to adhere with security hardening frameworks, such as STIG DISA & CIS Security Benchmarks. bp login-defs Change-Id: Iec8c032adb44593da3770d3c6bb5a4655e463637
2017-04-19 10:57:58 +01:00 · 2017-04-19 10:57:58 +01:00 · 9d6f569ab9
parent 30399c3ca8
commit 9d6f569ab9
3 changed files with 146 additions and 0 deletions
--- a/manifests/profile/base/login_defs.pp
+++ b/manifests/profile/base/login_defs.pp
@ -0,0 +1,80 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::login_defs
+#
+# Sets login.defs Parameters
+#
+# === Parameters
+#
+# [*step*]
+#  (Optional) The current step in deployment. See tripleo-heat-templates
+#  for more details.
+#  Defaults to hiera('step')
+#
+# [*password_max_days*]
+#  (Optional) Set the maximum age allowed for passwords
+#  Defaults to hiera('password_max_days', 99999)
+#
+# [*password_min_days*]
+#  (Optional) Set the minimum age allowed for passwords
+#  Defaults to hiera('password_min_days', 7)
+#
+# [*password_warn_age*]
+#  (Optional) Set the warning period for password expiration
+#  Defaults to hiera('password_min_len', 6)
+#
+# [*password_min_len*]
+#  (Optional) Set the minimum allowed password length.
+#  Defaults to hiera('password_warn_age', 7)
+#
+# [*fail_delay*]
+#  (Optional) The period of time between password retries
+#  Defaults to hiera('fail_delay', 4)
+
+class tripleo::profile::base::login_defs (
+  $password_max_days = hiera('password_max_days', 99999),
+  $password_min_days = hiera('password_min_days', 7),
+  $password_min_len  = hiera('password_min_len', 6),
+  $password_warn_age = hiera('password_warn_age', 7),
+  $fail_delay        = hiera('fail_delay', 4),
+  $step              = Integer(hiera('step'))
+) {
+  include ::tripleo::profile::base::login_defs
+
+  if $step >= 1 {
+    package { 'shadow-utils':
+    ensure =>  'present'
+    }
+
+    augeas { 'login_defs':
+      context =>  '/files/etc/login.defs',
+      changes => [
+        "set PASS_MAX_DAYS ${password_max_days}",
+        "set PASS_MIN_DAYS ${password_min_days}",
+        "set PASS_MIN_LEN ${password_min_len}",
+        "set PASS_WARN_AGE ${password_warn_age}",
+        "set FAIL_DELAY ${fail_delay}"
+      ],
+    }
+
+    file { '/etc/login.defs':
+      ensure => file,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0644',
+    }
+  }
+}
--- a/releasenotes/notes/login_defs-1d1b32c233a33b2f.yaml
+++ b/releasenotes/notes/login_defs-1d1b32c233a33b2f.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Enables management of the login.defs file and its values around
+    password functionality (such as max days, min days, warning age,
+    fail retry times)
+security:
+  - |
+    Operators using this puppet module, can change values that
+    influence password security.
--- a/spec/classes/tripleo_profile_base_login_defs_spec.rb
+++ b/spec/classes/tripleo_profile_base_login_defs_spec.rb
@ -0,0 +1,56 @@
+# Copyright 2017 Red Hat, Inc.  # All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::profile::base::login_defs
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::login_defs' do
+
+    shared_examples_for 'tripleo::profile::base::login_defs' do
+
+      context 'setting values it should contain' do
+        let(:params) { { :step => 1 } }
+        it do
+          is_expected.to contain_augeas('login_defs')
+                  .with_changes(['set PASS_MAX_DAYS 99999',
+                                 'set PASS_MIN_DAYS 7',
+                                 'set PASS_MIN_LEN 6',
+                                 'set PASS_WARN_AGE 7',
+                                 'set FAIL_DELAY 4'])
+        end
+      end
+
+      context 'with file attributes' do
+        let(:params) { { :step => 1 } }
+        it do
+          is_expected.to contain_file('/etc/login.defs').with({
+            'owner'  => 'root',
+            'group'  => 'root',
+            'mode'   => '0644',
+            })
+        end
+      end
+    end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let (:facts) {
+        facts
+      }
+      it_behaves_like 'tripleo::profile::base::login_defs'
+    end
+  end
+end