Commit cd7f71e2 authored by Christopher Huhn's avatar Christopher Huhn

* Add option to block access via /etc/security/access.conf by default

* Cleaned up and rubocoped recipe and test
parent 11ac358e
......@@ -6,4 +6,4 @@ description 'System Software configuration and maintenance'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
source_url 'https://github.com/GSI-HPC/sys-chef-cookbook'
issues_url 'https://github.com/GSI-HPC/sys-chef-cookbook/issues'
version '1.22.6'
version '1.23.0'
......@@ -17,52 +17,71 @@
# limitations under the License.
#
unless node['sys']['pam']['access'].empty?
template '/etc/security/access.conf' do
source 'etc_security_access.conf.erb'
owner 'root'
group 'root'
mode "0600"
variables :rules => node['sys']['pam']['access']
#
# access rules
#
template '/etc/security/access.conf' do
source 'etc_security_access.conf.erb'
owner 'root'
group 'root'
mode "0600"
variables(
rules: node['sys']['pam']['access'],
default: node['sys']['pam']['access_default']
)
only_if do
node['sys']['pam']['access'] ||
node['sys']['pam']['access_default'] == 'deny'
end
end
unless node['sys']['pamd'].has_key?('sshd')
cookbook_file '/etc/pam.d/sshd' do
source 'etc_pam.d_sshd'
owner 'root'
group 'root'
mode "0644"
only_if do ::File.exist? '/etc/ssh/sshd_config' end
end
#
# PAM sshd config
#
cookbook_file '/etc/pam.d/sshd' do
source 'etc_pam.d_sshd'
owner 'root'
group 'root'
mode "0644"
only_if do
::File.exist?('/etc/ssh/sshd_config') &&
node['sys']['pamd'].key?('sshd')
end
end
cookbook_file '/etc/pam.d/login' do
source 'etc_pam.d_login'
owner 'root'
group 'root'
mode "0644"
not_if { node['sys']['pamd'].has_key?('login') }
end
#
# PAM login config
#
cookbook_file '/etc/pam.d/login' do
source 'etc_pam.d_login'
owner 'root'
group 'root'
mode "0644"
not_if { node['sys']['pamd'].key?('login') }
end
unless node['sys']['pam']['limits'].empty? # ~FC023 do not break conventions in sys
template '/etc/security/limits.conf' do
source 'etc_security_limits.conf.erb'
owner 'root'
group 'root'
mode "0644"
variables :rules => node['sys']['pam']['limits']
end
#
# resource limits
#
template '/etc/security/limits.conf' do
source 'etc_security_limits.conf.erb'
owner 'root'
group 'root'
mode "0644"
variables :rules => node['sys']['pam']['limits']
not_if { node['sys']['pam']['limits'].empty? }
end
unless node['sys']['pam']['group'].empty? # ~FC023 Do not break conventions in sys
template '/etc/security/group.conf' do
source 'etc_security_group.conf.erb'
owner 'root'
group 'root'
mode "0644"
variables :rules => node['sys']['pam']['group']
end
#
# dynamic group membership
#
template '/etc/security/group.conf' do
source 'etc_security_group.conf.erb'
owner 'root'
group 'root'
mode "0644"
variables :rules => node['sys']['pam']['group']
not_if { node['sys']['pam']['group'].empty? } # ~FC023 Do not break conventions in sys
end
unless node['sys']['pamd'].empty?
......@@ -74,7 +93,7 @@ unless node['sys']['pamd'].empty?
mode "0644"
variables(
# remove leading spaces, and empty lines
:rules => contents.gsub(/^ */,'').gsub(/^$\n/,''),
:rules => contents.gsub(/^ */, '').gsub(/^$\n/, ''),
:name => name
)
end
......@@ -91,25 +110,24 @@ unless node['sys']['pamupdate'].empty? # ~FC023 Do not break conventions in sys
generator = PamUpdate::Writer.new(configs)
if ! File.exist?("/etc/krb5.keytab")
unless File.exist?("/etc/krb5.keytab")
# Remove pam_krb5 from profiles
generator.remove_profile_byname("Kerberos authentication")
Chef::Log.warn("/etc/krb5.keytab not present. Not configuring libpam-krb5.")
end
%w[ account auth password session session-noninteractive ].each do |type|
%w( account auth password session session-noninteractive ).each do |type|
content = generator.send(type)
unless content.nil? # ~FC023 Do not break conventions in sys
template "/etc/pam.d/common-#{type}" do
source "etc_pam.d_generic.erb"
owner "root"
group "root"
mode "0644"
variables(
:rules => content,
:name => "common-#{type}"
)
end
next if content.nil? # ~FC023 Do not break conventions in sys
template "/etc/pam.d/common-#{type}" do
source "etc_pam.d_generic.erb"
owner "root"
group "root"
mode "0644"
variables(
:rules => content,
:name => "common-#{type}"
)
end
end
rescue PamUpdateError => e
......
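Review bot: The guard on the `/etc/pam.d/sshd` cookbook_file appears inverted: the replaced `unless node['sys']['pamd'].has_key?('sshd')` deployed the cookbook's sshd PAM file when no custom one is configured, while the new `only_if` requires `node['sys']['pamd'].key?('sshd')`, so the default file is no longer installed at all and, when a custom `sshd` entry does exist, both this cookbook_file and the pamd template loop (the `unless node['sys']['pamd'].empty?` block, which runs past this view) manage the same path. The login block directly below keeps the original sense with `not_if { node['sys']['pamd'].key?('login') }`; make sshd match it, e.g. `!node['sys']['pamd'].key?('sshd')` inside the `only_if` or a separate `not_if`. Separately, the access.conf `only_if` tests `node['sys']['pam']['access']` for truthiness, but an empty array is truthy in Ruby (the replaced code used `.empty?`), so with a presumably-empty default the template is written — overwriting any locally maintained access.conf with an effectively rule-less one — even when no rules and no deny default are configured; use `!node['sys']['pam']['access'].empty? || node['sys']['pam']['access_default'] == 'deny'`.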
......@@ -4,6 +4,10 @@
#
# This file is managed by the Chef `sys` cookbook.
<% @rules.each do |rule| %>
<%- @rules.each do |rule| %>
<%= rule %>
<% end %>
<%- end %>
<%- if @default == 'deny' %>
# block any access not explictly allowed:
-:ALL:ALL
<%- end %>
\ No newline at end of file
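Review bot: The trailing `-:ALL:ALL` makes pam_access refuse every login that no preceding `@rules` entry explicitly permits, and nothing here ensures such an entry exists, so a node with `access_default` set to `'deny'` and no `+`-rule for admin or console access is locked out on every PAM service that stacks pam_access (presumably sshd and login, given the PAM files this cookbook ships). Document the requirement in the header, e.g. `# access_default 'deny' requires at least one '+' rule above granting admin/console access`, and consider having the recipe fail the converge, or at least log a warning, when the default is `'deny'` and the rule list is empty. The comment also has a typo: `explictly` should be `explicitly`.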
......@@ -3,19 +3,20 @@ describe 'sys::pam' do
context 'node.sys.pam is empty' do
it 'does nothing' do
expect(chef_run.run_context.resource_collection).to be_empty
expect(chef_run.run_context.resource_collection
.to_hash.keep_if { |x| x['updated'] }).to be_empty
end
end
context 'with basic attributes' do
before do
fqdn = 'node.example.com'
chef_run.node.default['sys']['pam']['rules'] = [ 'rule_1', 'rule_2', 'rule_3' ]
chef_run.node.default['sys']['pam']['access'] = [ 'access_1', 'access_2', 'access_3' ]
chef_run.node.default['sys']['pam']['rules'] = %w(rule_1 rule_2 rule_3)
chef_run.node.default['sys']['pam']['access'] = %w(access_1 access_2 access_3)
chef_run.node.default['sys']['pamd']['sshd'] = "sshd_1\nsshd_2\nsshd_3"
chef_run.node.default['sys']['pamd']['login'] = "login_1\nlogin_2\nlogin_3"
chef_run.node.default['sys']['pam']['limits'] = [ "limit_1", "limit_2", "limit_3" ]
chef_run.node.default['sys']['pam']['group'] = [ Hash.new, Hash.new, Hash.new ]
chef_run.node.default['sys']['pam']['limits'] = %w(limit_1 limit_2 limit_3)
chef_run.node.default['sys']['pam']['group'] = [Hash.new, Hash.new, Hash.new]
chef_run.node.default['sys']['pamd']['common-test'] = " \n module1\nmodule2"
chef_run.node.automatic['fqdn'] = fqdn
chef_run.node.automatic['domain'] = "example.com"
......@@ -25,7 +26,8 @@ describe 'sys::pam' do
it 'manages /etc/security/access.conf' do
expect(chef_run).to create_template('/etc/security/access.conf').with_mode('0600').with(
:variables => {
:rules => [ 'access_1', 'access_2', 'access_3' ]
rules: %w(access_1 access_2 access_3),
default: nil
}
)
......@@ -45,7 +47,7 @@ describe 'sys::pam' do
it 'manages /etc/security/limits.conf' do
expect(chef_run).to create_template('/etc/security/limits.conf').with_mode('0644').with(
:variables => {
:rules => [ "limit_1", "limit_2", "limit_3" ]
:rules => %w(limit_1 limit_2 limit_3)
}
)
......@@ -57,7 +59,7 @@ describe 'sys::pam' do
it 'manages /etc/security/group.conf' do
expect(chef_run).to create_template('/etc/security/group.conf').with_mode('0644').with(
:variables => {
:rules => [ {}, {}, {} ]
:rules => [{}, {}, {}]
}
)
......@@ -149,7 +151,7 @@ describe 'sys::pam' do
:Password => "[success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass use_authtok",
:"Password-Initial" => "[success=end default=ignore] pam_krb5.so minimum_uid=1000",
:"Session-Type" => "Additional",
:Session => "optional pam_krb5.so minimum_uid=1000" }}
:Session => "optional pam_krb5.so minimum_uid=1000" } }
chef_run.converge(described_recipe)
end
......@@ -275,13 +277,14 @@ auth\t\toptional\t\t\tpam_group.so"
:Password => "[success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass use_authtok",
:"Password-Initial" => "[success=end default=ignore] pam_krb5.so minimum_uid=1000",
:"Session-Type" => "Additional",
:Session => "optional pam_krb5.so minimum_uid=1000" }}
:Session => "optional pam_krb5.so minimum_uid=1000" } }
chef_run.converge(described_recipe)
end
it "should do nothing" do
expect(chef_run).to_not create_template('/etc/pam.d/common-auth')
expect(chef_run.run_context.resource_collection).to be_empty
expect(chef_run.run_context.resource_collection
.to_hash.keep_if { |x| x['updated'] }).to be_empty
end
end
end
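Review bot: The reworked "does nothing" assertions, `resource_collection.to_hash.keep_if { |x| x['updated'] }`, look vacuous under ChefSpec as far as I can tell: providers are not executed, so no resource is ever marked updated and the test can no longer catch a resource being added unconditionally — which is exactly what the new access.conf `only_if` (an empty array is truthy) would do. Assert on the concrete resources instead, e.g. `expect(chef_run).not_to create_template('/etc/security/access.conf')` and likewise for `/etc/pam.d/sshd`, which ChefSpec evaluates through the guards. I am also not certain `to_hash` combined with a single-argument `keep_if` block selects what is intended. Finally there is no coverage of the new `access_default` option; a context setting `chef_run.node.default['sys']['pam']['access_default'] = 'deny'` should assert `create_template('/etc/security/access.conf')` with `default: 'deny'`, and ideally render the template to check for the trailing `-:ALL:ALL`.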