From 5337db71adbb90621fbe96ad6a0a56a6515b70c7 Mon Sep 17 00:00:00 2001
From: Andre Lehmann
Date: Thu, 17 Mar 2022 10:00:38 +0100
Subject: [PATCH] add support for winbind on rhel systems

Signed-off-by: Andre Lehmann
---
 roles/os_hardening/README.md | 3 +++
 roles/os_hardening/tasks/pam_rhel.yml | 7 +++++++
 roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 | 13 +++++++++++++
 roles/os_hardening/vars/Amazon.yml | 1 +
 roles/os_hardening/vars/Fedora.yml | 1 +
 roles/os_hardening/vars/RedHat.yml | 1 +
 roles/os_hardening/vars/RedHat_7.yml | 1 +
 roles/os_hardening/vars/RedHat_8.yml | 1 +
 roles/os_hardening/vars/Rocky_8.yml | 1 +
 9 files changed, 29 insertions(+)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 12e5f9197..e1acc9286 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -130,6 +130,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auth_pam_sssd_enable`
   - Default: `false` (on RHEL8/CentOS8/Fedora `true`)
   - Description: activate PAM auth support for sssd
+- `os_auth_pam_winbind_enable`
+  - Default: `false`
+  - Description: activate PAM auth support for winbind
 - `os_security_users_allow`
   - Default: `[]`
   - Description: list of things, that a user is allowed to do. May contain `change_user`.
diff --git a/roles/os_hardening/tasks/pam_rhel.yml b/roles/os_hardening/tasks/pam_rhel.yml
index 8548dc82f..0bcaeab42 100644
--- a/roles/os_hardening/tasks/pam_rhel.yml
+++ b/roles/os_hardening/tasks/pam_rhel.yml
@@ -6,6 +6,13 @@
   when:
     - os_auth_pam_sssd_enable | bool
 
+- name: Install samba-winbind-modules
+  yum:
+    name: samba-winbind-modules
+    state: 'present'
+  when:
+    - os_auth_pam_winbind_enable | bool
+
 - name: Configure passwdqc and faillock via central system-auth config
   template:
     src: 'etc/pam.d/rhel_auth.j2'
diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
index 676251559..4b6b48375 100644
--- a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
+++ b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -16,6 +16,10 @@ auth sufficient pam_unix.so nullok try_first_pass
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth sufficient pam_sss.so forward_pass
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+auth sufficient pam_winbind.so use_first_pass
+{% endif %}
 {% if os_auth_retries > 0 %}
 auth required pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
 {% endif %}
@@ -30,6 +34,9 @@ account sufficient pam_succeed_if.so uid < 1000 quiet
 {% if (os_auth_pam_sssd_enable | bool) %}
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+account [default=bad success=ok user_unknown=ignore] pam_winbind.so
+{% endif %}
 account required pam_permit.so
 
 {% if (os_auth_pam_passwdqc_enable | bool) %}
@@ -42,6 +49,9 @@ password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_au
 {% if (os_auth_pam_sssd_enable | bool) %}
 password sufficient pam_sss.so use_authtok
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+password sufficient pam_winbind.so use_authtok
+{% endif %}
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke
@@ -52,3 +62,6 @@ session required pam_unix.so
 {% if (os_auth_pam_sssd_enable | bool) %}
 session optional pam_sss.so
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+session optional pam_winbind.so
+{% endif %}
diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
index 044c21231..1d320a5a0 100644
--- a/roles/os_hardening/vars/Amazon.yml
+++ b/roles/os_hardening/vars/Amazon.yml
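Review bot: In the first hunk the new line `auth sufficient pam_winbind.so use_first_pass` quietly differs from the `auth sufficient pam_sss.so forward_pass` line directly above it, and nothing in the template records why; a Jinja comment such as `{# use_first_pass: reuse the token pam_unix already collected so pam_winbind never prompts by itself; with no token it aborts instead of asking #}` would stop the next editor from changing it to try_first_pass, and the duplicated `[default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet` guard deserves the same one-line note (it keeps local system accounts off the domain path). In the second hunk, `account [default=bad success=ok user_unknown=ignore] pam_winbind.so` is fail-closed for accounts winbind knows but rejects, because the later `account required pam_permit.so` cannot override a `bad` result. That is the right default and is worth stating in the README description of `os_auth_pam_winbind_enable`, which currently only says `activate PAM auth support for winbind`, together with the fact that the role installs the module but does not configure the domain membership or nsswitch it relies on. The `preauth` half of the faillock configuration, if present, and the rest of the auth stack lie outside these hunks.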
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml
index d9253b8a0..b56f67fee 100644
--- a/roles/os_hardening/vars/Fedora.yml
+++ b/roles/os_hardening/vars/Fedora.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml
index a54384ace..29b5a60a6 100644
--- a/roles/os_hardening/vars/RedHat.yml
+++ b/roles/os_hardening/vars/RedHat.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml
index c33088503..076bbaac1 100644
--- a/roles/os_hardening/vars/RedHat_7.yml
+++ b/roles/os_hardening/vars/RedHat_7.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/RedHat_8.yml b/roles/os_hardening/vars/RedHat_8.yml
index 2a0aa3294..286b1e98e 100644
--- a/roles/os_hardening/vars/RedHat_8.yml
+++ b/roles/os_hardening/vars/RedHat_8.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/Rocky_8.yml b/roles/os_hardening/vars/Rocky_8.yml
index 2a0aa3294..286b1e98e 100644
--- a/roles/os_hardening/vars/Rocky_8.yml
+++ b/roles/os_hardening/vars/Rocky_8.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail