Closed bschonec closed 11 months ago
Here is my feature_branch where I'm working on PAM pwquality and faillock configuration for RHEL7 and newer. I'm no Puppet developer, so any advice/help you can give is most appreciated.
This module is entirely data driven, so if you want to add extra lines to the PAM configs, you just specify them in Hiera. Suggest sending a pull request to the README that shows how to implement these features in data. This would be helpful for others to use this functionality.
I propose adding the ability to install pam_faillock and pam_faildelay (and probably other PAM password/login-related modules) and have the ability to configure the module. Currently, only pam_faildelay is available on Debian and RHEL-based systems, but the option 'delay' is hard-coded.
The man pages for pam_faillock and pam_faildelay recommend against editing the /etc/pam.d/ files, instead configuring the options in /etc/security/faillock.conf and /etc/login.defs respectively.
Adding these features would aid in CIS compliance, which requires faillock and faildelay to be configured.
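
Added example, not part of the original thread or of the module's code: a shell check that reads `deny` and `unlock_time` from a faillock.conf-style file and `FAIL_DELAY` from a login.defs-style file, the two locations named above, and compares them with thresholds. The function names, the thresholds passed by the caller and the rule that each setting must be set explicitly are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Function names and thresholds are hypothetical; take the
# threshold values from the benchmark you are auditing against.

# conf_get FILE KEY: value of "KEY = value" in a faillock.conf-style file,
# "yes" for a bare flag line, nothing if absent. Comments and surrounding
# whitespace are ignored; the last matching line is the one reported.
conf_get() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || $0 == "" { next }
        {
            n = index($0, "=")
            if (n) { k = substr($0, 1, n - 1); v = substr($0, n + 1) }
            else   { k = $0; v = "yes" }
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) found = v
        }
        END { if (found != "") print found }
    ' "$1"
}

# defs_get FILE KEY: value of a whitespace-separated "KEY value" line in a
# login.defs-style file; commented-out lines never match.
defs_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# audit_lockout FAILLOCK_CONF LOGIN_DEFS MAX_DENY MIN_UNLOCK MIN_DELAY
# Returns non-zero if a setting is unset, non-numeric or outside the threshold.
audit_lockout() {
    rc=0
    deny=$(conf_get "$1" deny)
    unlock=$(conf_get "$1" unlock_time)
    delay=$(defs_get "$2" FAIL_DELAY)
    if ! is_num "$deny" || [ "$deny" -gt "$3" ]; then
        echo "FAIL deny=${deny:-unset}, want <= $3"; rc=1
    fi
    case "$unlock" in
        never|0) ;;   # no automatic unlock, always passes
        *) if ! is_num "$unlock" || [ "$unlock" -lt "$4" ]; then
               echo "FAIL unlock_time=${unlock:-unset}, want >= $4 or never"; rc=1
           fi ;;
    esac
    if ! is_num "$delay" || [ "$delay" -lt "$5" ]; then
        echo "FAIL FAIL_DELAY=${delay:-unset}, want >= $5"; rc=1
    fi
    return $rc
}
```

On a host it would be called as `audit_lockout /etc/security/faillock.conf /etc/login.defs 5 900 4`, with the three numbers replaced by the values your policy requires.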