Hello,

I am trying to ensure our password policies using /etc/login.defs and PAM
cracklib.

class pci_policy::password(
  $cracklib = $pci_policy::params::cracklib,
  $pam_password = $pci_policy::params::pam_password,
) inherits pci_policy::params {

  package{$cracklib:
    ensure => installed,
  }

  file{'/etc/login.defs':
    ensure => present,
    owner => root,
    group => root,
    mode => '0644',
    source => "puppet:///modules/pci_policy/login.defs.$::operatingsystem",
    require => Package[$cracklib],
  }

  exec{'ensure password policy for pci':
    cwd => '/bin/',
    command => "/bin/sed -i 's/^password.*cracklib.so.*/password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1/g' $pam_password",
    path => "/usr/bin:/usr/sbin:/bin",
    onlyif => "grep '^password.*cracklib.so.*' $pam_password",
    require => Package[$cracklib],
  }

  exec{'ensure password policy for pci when nothing is present':
    cwd => '/bin/',
    command => "echo 'password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' >> $pam_password",
    path => "/usr/bin:/usr/sbin:/bin",
    onlyif => "grep -vq '^password.*cracklib.so.*' $pam_password",
    require => Package[$cracklib],
  }
}

My problem is the exec commands.

With the first exec I try to change an existing line with sed.

With the second exec I try to add the rule if no line with
"password.*cracklib" exists.
Unfortunately, this exec runs when the return code of onlyif is 0. I don't
know a command which returns 0 when the line isn't available and returns 1
when the line is available.

Maybe I'm making this too complicated? Do you have another solution?

Thanks a lot!

Björn

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.


  • Mike Delaney at Oct 3, 2013 at 12:35 am
    Off the top of my head, I can't think of a way to invert grep's exit status
    like you want (at least not a way that will work in an onlyif); however, the
    use of two execs to modify a file is probably not the ideal solution.
    Indeed, once the cracklib entry is present in the file, that first exec
    will fire every time puppet runs, which is probably not what you want either.

    If you don't want to manage the entire file, you could use either the
    native augeas type or the file_line type from the stdlib module to
    accomplish what you want (file_line is probably easier):

    file_line { 'ensure password policy for pci':
      path  => $pam_password,
      match => '^password.*cracklib\.so',
      line  => 'password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1',
    }

    -Mike

  • Björn at Oct 4, 2013 at 1:04 pm
    Hello Mike,

    thanks a lot, file_line works great! I don't remember why I didn't use
    file_line for such things.

    Björn
  • James Eckersall at Oct 3, 2013 at 11:44 am
    The exec resource has an unless parameter too which I think is what you
    need.

    From: http://docs.puppetlabs.com/references/latest/type.html#exec

    onlyif: If this parameter is set, then this exec will only run if the
    command returns 0

    unless: If this parameter is set, then this exec will run unless the
    command returns 0

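The replace-or-append logic the two execs were reaching for, written as an added shell example (not code from the thread) so that it is a no-op once the desired line is in place: `needs_policy_line` is the exact-line test an exec's `unless` would use, whereas the original `onlyif` pattern still matches after the rewrite and so fires on every agent run, which is Mike's point above. The function names and the constructed test files are this example's own; the pam_cracklib line is the one from the manifest.

```shell
#!/bin/sh
# Idempotent management of one pam_cracklib line, the way stdlib's file_line
# does it. Constructed example; runs against any file path you pass in.

# The desired line, taken from the thread's manifest.
PCI_LINE='password requisite pam_cracklib.so retry=3 minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1'

# Exit 0 only when the exact line is NOT yet present. This is the check that
# belongs in `unless => "grep -qxF '<line>' $pam_password"`: it turns false as
# soon as the policy is in place, so the exec stops firing. By contrast,
# `onlyif => grep '^password.*cracklib.so'` is still true after the rewrite.
needs_policy_line() {
    ! grep -qxF -- "$PCI_LINE" "$1"
}

# Rewrite an existing pam_cracklib line or append one; prints what it did:
# "unchanged", "replaced" or "appended".
ensure_policy_line() {
    file="$1"
    if ! needs_policy_line "$file"; then
        echo unchanged
    elif grep -q '^password.*cracklib\.so' "$file"; then
        # Rewrite every matching line via a temp file (portable sed, no -i).
        tmp="$file.tmp.$$"
        sed "s|^password.*cracklib\.so.*|$PCI_LINE|" "$file" > "$tmp" && mv "$tmp" "$file"
        echo replaced
    else
        printf '%s\n' "$PCI_LINE" >> "$file"
        echo appended
    fi
}
```

Running `ensure_policy_line` twice on the same file reports a change only the first time, which is the property the sed-based exec was missing.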
  • Björn at Oct 4, 2013 at 1:05 pm
    Unless was also a good hint! But my sed solution was running every time
    the puppet agent ran. So I use file_line now.

    Thanks!
