diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 12e5f919..e1acc928 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -130,6 +130,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auth_pam_sssd_enable`
 - Default: `false` (on RHEL8/CentOS8/Fedora `true`)
 - Description: activate PAM auth support for sssd
+- `os_auth_pam_winbind_enable`
+ - Default: `false`
+ - Description: activate PAM auth support for winbind
 - `os_security_users_allow`
 - Default: `[]`
 - Description: list of things, that a user is allowed to do. May contain `change_user`.
diff --git a/roles/os_hardening/tasks/pam_rhel.yml b/roles/os_hardening/tasks/pam_rhel.yml
index 8548dc82..0bcaeab4 100644
--- a/roles/os_hardening/tasks/pam_rhel.yml
+++ b/roles/os_hardening/tasks/pam_rhel.yml
@@ -6,6 +6,13 @@
 when:
 - os_auth_pam_sssd_enable | bool
 
+- name: Install samba-winbind-modules
+ yum:
+ name: samba-winbind-modules
+ state: 'present'
+ when:
+ - os_auth_pam_winbind_enable | bool
+
 - name: Configure passwdqc and faillock via central system-auth config
 template:
 src: 'etc/pam.d/rhel_auth.j2'
diff --git a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2 b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
index 67625155..4b6b4837 100644
--- a/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
+++ b/roles/os_hardening/templates/etc/pam.d/rhel_auth.j2
@@ -16,6 +16,10 @@ auth sufficient pam_unix.so nullok try_first_pass
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth sufficient pam_sss.so forward_pass
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+auth sufficient pam_winbind.so use_first_pass
+{% endif %}
 {% if os_auth_retries > 0 %}
 auth required pam_faillock.so authfail audit even_deny_root deny={{ os_auth_retries }} unlock_time={{ os_auth_lockout_time }}
 {% endif %}
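Review bot: The new task installs samba-winbind-modules but nothing checks that the host is domain-joined or that winbindd is configured before the template task that follows writes pam_winbind.so into the auth, account and password stacks; the diff itself touches only the PAM side, not nsswitch.conf or smb.conf. A precondition (an `assert` on the winbind configuration or a service check) would be safer, or at minimum a comment on the task such as `# assumes the host is already joined and winbindd is configured; only the PAM side is wired up here`. The surrounding task list continues outside the hunk.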
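Review bot: The added `auth sufficient pam_winbind.so use_first_pass` line carries no membership restriction, so once the flag is set every account winbindd can authenticate is allowed onto the host unless smb.conf or the account stack narrows it; pam_winbind's `require_membership_of=` option exists for exactly this, and rendering it from a role variable when one is set (e.g. `auth sufficient pam_winbind.so use_first_pass require_membership_of={{ os_auth_pam_winbind_require_membership_of }}`) would make the default deny-all-but-listed rather than allow-all. The `pam_succeed_if.so uid >= 1000` guard in front of it can only spare system accounts if the user resolves through NSS; if `winbind` is not in nsswitch.conf the uid lookup for a domain user presumably fails and the winbind line is skipped, which is worth a caveat in the README entry for the flag. The faillock `preauth` line and the final deny of the auth stack are outside the hunk.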
@@ -30,6 +34,9 @@ account sufficient pam_succeed_if.so uid < 1000 quiet
 {% if (os_auth_pam_sssd_enable | bool) %}
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+account [default=bad success=ok user_unknown=ignore] pam_winbind.so
+{% endif %}
 account required pam_permit.so
 
 {% if (os_auth_pam_passwdqc_enable | bool) %}
@@ -42,6 +49,9 @@ password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_au
 {% if (os_auth_pam_sssd_enable | bool) %}
 password sufficient pam_sss.so use_authtok
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+password sufficient pam_winbind.so use_authtok
+{% endif %}
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke
@@ -52,3 +62,6 @@ session required pam_unix.so
 {% if (os_auth_pam_sssd_enable | bool) %}
 session optional pam_sss.so
 {% endif %}
+{% if (os_auth_pam_winbind_enable | bool) %}
+session optional pam_winbind.so
+{% endif %}
diff --git a/roles/os_hardening/vars/Amazon.yml b/roles/os_hardening/vars/Amazon.yml
index 044c2123..1d320a5a 100644
--- a/roles/os_hardening/vars/Amazon.yml
+++ b/roles/os_hardening/vars/Amazon.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/Fedora.yml b/roles/os_hardening/vars/Fedora.yml
index d9253b8a..b56f67fe 100644
--- a/roles/os_hardening/vars/Fedora.yml
+++ b/roles/os_hardening/vars/Fedora.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/RedHat.yml b/roles/os_hardening/vars/RedHat.yml
index a54384ac..29b5a60a 100644
--- a/roles/os_hardening/vars/RedHat.yml
+++ b/roles/os_hardening/vars/RedHat.yml
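Review bot: The new `account [default=bad success=ok user_unknown=ignore] pam_winbind.so` line turns any result other than success or user-unknown into a hard failure for every user the `uid < 1000` short-circuit in the hunk header does not spare, i.e. all regular local accounts, so if pam_winbind answers something other than user-unknown while winbindd is stopped or the domain is unreachable, local human users would be refused in the account phase instead of falling through to `pam_permit.so`. I cannot tell from the hunk what pam_winbind returns in that situation, so please verify a local uid >= 1000 login with winbindd stopped before this ships, and record the outcome in the README entry for `os_auth_pam_winbind_enable`. Root and other system accounts are unaffected because they exit the stack at the `pam_succeed_if.so uid < 1000` line above the hunk.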
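Review bot: `session optional pam_winbind.so` mirrors the sssd line but does not create home directories; if the rest of the session stack, which is outside this hunk, has no `pam_mkhomedir.so`/`pam_oddjob_mkhomedir.so`, a domain user's first interactive login will land in a missing home directory. Either document that in the README entry for the flag or add a guarded `session optional pam_oddjob_mkhomedir.so umask=0077` after the new line so the directory is created with a restrictive mode.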
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/RedHat_7.yml b/roles/os_hardening/vars/RedHat_7.yml
index c3308850..076bbaac 100644
--- a/roles/os_hardening/vars/RedHat_7.yml
+++ b/roles/os_hardening/vars/RedHat_7.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/RedHat_8.yml b/roles/os_hardening/vars/RedHat_8.yml
index 2a0aa329..286b1e98 100644
--- a/roles/os_hardening/vars/RedHat_8.yml
+++ b/roles/os_hardening/vars/RedHat_8.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
diff --git a/roles/os_hardening/vars/Rocky_8.yml b/roles/os_hardening/vars/Rocky_8.yml
index 2a0aa329..286b1e98 100644
--- a/roles/os_hardening/vars/Rocky_8.yml
+++ b/roles/os_hardening/vars/Rocky_8.yml
@@ -34,6 +34,7 @@ os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
+os_auth_pam_winbind_enable: false
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail