ghoneycutt / puppet-module-pam

Puppet module to manage PAM

Support for pam_faillock and pam_faildelay #248

Closed bschonec closed 11 months ago

bschonec commented 1 year ago

I propose adding the ability to install pam_faillock and pam_faildelay (and probably other PAM password/login-related modules) and have the ability to configure the module. Currently, only pam_faildelay is available on Debian and RHEL based systems but the option 'delay' is hard coded.

The man pages for pam_faillock and pam_faildelay recommend against editing the /etc/pam.d/ files, instead configuring the options in /etc/security/faillock.conf and /etc/login.defs respectively.

Adding these features would aid in CIS compliance, which requires faillock and faildelay to be configured.
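
An added example, not part of this thread or of the module's code: a read-only check of the two files named in the comment above, `/etc/security/faillock.conf` and `/etc/login.defs`, against a site policy. The policy thresholds and the sample file contents are constructed assumptions, not CIS values.

```python
def parse_faillock_conf(text):
    """faillock.conf: 'name = value' or a bare flag per line; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, sep, value = line.partition("=")
            settings[key.strip()] = value.strip() if sep else None  # None = bare flag
    return settings

def parse_login_defs(text):
    """login.defs: 'NAME value' separated by whitespace; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings

def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def audit(faillock_text, login_defs_text, policy):
    """Return a list of findings; an empty list means the policy is met."""
    fl, ld = parse_faillock_conf(faillock_text), parse_login_defs(login_defs_text)
    findings = []
    deny = _int(fl.get("deny"))
    if deny is None:
        findings.append("faillock.conf: deny is not set to a number")
    elif not 1 <= deny <= policy["max_deny"]:
        findings.append(f"faillock.conf: deny={deny} outside 1..{policy['max_deny']}")
    unlock = fl.get("unlock_time")
    # 0 and "never" both mean no automatic unlock, so they meet any minimum.
    if unlock not in ("0", "never"):
        secs = _int(unlock)
        if secs is None or secs < policy["min_unlock_time"]:
            findings.append(f"faillock.conf: unlock_time={unlock!r} below minimum")
    delay = _int(ld.get("FAIL_DELAY"))
    if delay is None or delay < policy["min_fail_delay"]:
        findings.append("login.defs: FAIL_DELAY missing or below minimum")
    return findings

# Constructed sample inputs and an assumed site policy (not from the page).
POLICY = {"max_deny": 5, "min_unlock_time": 900, "min_fail_delay": 4}
GOOD_FAILLOCK = "# constructed\ndeny = 5\nunlock_time=never\neven_deny_root\n"
GOOD_LOGIN_DEFS = "# constructed\nFAIL_DELAY\t4\nUMASK 022\n"
```

On a host, pass the contents of the two files read from disk instead of the sample strings.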

bschonec commented 1 year ago

Here is my feature_branch where I'm working on PAM pwquality and faillock configuration for RHEL7 and newer. I'm no Puppet developer so any advice/help you can give is most appreciated.

ghoneycutt commented 1 year ago

This module is entirely data driven, so if you want to add extra lines to the PAM configs, you just specify them in Hiera. Suggest sending a pull request to the README that shows how to implement these features in data. This would be helpful for others to use this functionality.