ansible.builtin.pamd (v2.6.2) — module

Manage PAM Modules

Added in version 2.3 of ansible.builtin

Authors: Kenneth D. Evensen (@kevensen)

preview | supported by community


Description

Edit PAM service's type, control, module path and module arguments. In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.

Usage examples

- name: Update pamd rule's control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient
- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'
- name: Insert a new rule before an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before
- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after
- name: Remove module arguments from an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated
- name: Replace all module arguments in an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth
        silent
        deny=3
        unlock_time=604800
        fail_interval=900'
    state: updated
- name: Remove specific arguments from a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent
- name: Ensure specific arguments are present in a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present
- name: Ensure specific arguments are present in a rule (alternative)
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
    - crond
    - quiet
    state: args_present
- name: Module arguments requiring commas must be listed as a Yaml list
  pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
    - listsep=,
    state: args_present
- name: Update specific argument value in a rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present
- name: Add pam common-auth rule for duo
  pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'

Inputs

name:
    description:
    - The name generally refers to the PAM service file to change, for example system-auth.
    required: true

path:
    default: /etc/pam.d/
    description:
    - This is the path to the PAM service files.

type:
    description:
    - The type of the PAM rule being modified.  The type, control and module_path all
      must match a rule to be modified.
    required: true

state:
    choices:
    - updated
    - before
    - after
    - args_present
    - args_absent
    - absent
    default: updated
    description:
    - The default of 'updated' will modify an existing rule if type, control and module_path
      all match an existing rule.  With 'before', the new rule will be inserted before
      a rule matching type, control and module_path.  Similarly, with 'after', the new
      rule will be inserted after an existing rule matching type, control and module_path.  With
      either 'before' or 'after' new_type, new_control, and new_module_path must all be
      specified.  If state is 'args_absent' or 'args_present', new_type, new_control,
      and new_module_path will be ignored.  State 'absent' will remove the rule.  The
      'absent' state was added in version 2.4 and is only available in Ansible versions
      >= 2.4.

backup:
    default: 'no'
    description:
    - Create a backup file including the timestamp information so you can get the original
      file back if you somehow clobbered it incorrectly.
    type: bool
    version_added: '2.6'
    version_added_collection: ansible.builtin

control:
    description:
    - The control of the PAM rule being modified.  This may be a complicated control with
      brackets.  If this is the case, be sure to put "[bracketed controls]" in quotes.  The
      type, control and module_path all must match a rule to be modified.
    required: true

new_type:
    description:
    - The new type to assign to the new rule.

module_path:
    description:
    - The module path of the PAM rule being modified.  The type, control and module_path
      all must match a rule to be modified.
    required: true

new_control:
    description:
    - The new control to assign to the new rule.

new_module_path:
    description:
    - The new module path to be assigned to the new rule.

module_arguments:
    description:
    - When state is 'updated', the module_arguments will replace existing module_arguments.  When
      state is 'args_absent' args matching those listed in module_arguments will be removed.  When
      state is 'args_present' any args listed in module_arguments are added if missing
      from the existing rule.  Furthermore, if the module argument takes a value denoted
      by '=', the value will be changed to that specified in module_arguments.  Note that
      module_arguments is a list.  Please see the examples for usage.
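The rule-matching and argument-handling semantics described above (a rule is selected only when type, control and module_path all match; args_present appends missing arguments and replaces the value of an existing key=value argument; args_absent drops listed arguments), modelled in Python as an added illustration. This is not the module's own implementation; the pam.d content, regex and function names are constructed for the example.

```python
import re

# Constructed sample of a pam.d service file (not taken from a real host).
SAMPLE_SERVICE = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

# type, control (bare word or bracketed list), module path, optional arguments.
# The bracketed alternative is tried first so "[success=1 default=ignore]" stays one token.
RULE_RE = re.compile(r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<path>\S+)(?P<args>.*)$")


def parse_rules(text):
    """Return (type, control, module_path, [args]) per rule; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam.d line: %r" % line)
        rules.append((m["type"], m["control"], m["path"], m["args"].split()))
    return rules


def args_present(args, wanted):
    """Model of state=args_present: append missing args; key=value replaces an existing key's value."""
    out = list(args)
    for w in wanted:
        key = w.split("=", 1)[0] if "=" in w else None
        hit = next((i for i, a in enumerate(out) if key and "=" in a and a.split("=", 1)[0] == key), None)
        if hit is not None:
            out[hit] = w
        elif w not in out:
            out.append(w)
    return out


def args_absent(args, unwanted):
    """Model of state=args_absent: drop args that exactly match a listed entry."""
    return [a for a in args if a not in unwanted]


def apply_args_state(text, type_, control, module_path, module_arguments, state):
    """Apply args_present/args_absent to rules whose type, control and module_path all match.
    Returns the rewritten lines and how many rules changed (cf. the module's change_count)."""
    lines, changed = [], 0
    for t, c, p, a in parse_rules(text):
        if (t, c, p) == (type_, control, module_path):
            new = args_present(a, module_arguments) if state == "args_present" else args_absent(a, module_arguments)
            changed += int(new != a)
            a = new
        lines.append(" ".join([t, c, p] + a))
    return lines, changed
```

A rule whose control differs (for example `requisite` instead of `required`) is left untouched and the change count stays 0, which is the behaviour a playbook author should expect when a hardening task reports no change.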

Outputs

action:
  description:
  - 'The action that was taken, one of: update_rule, insert_before_rule, insert_after_rule,
    args_present, args_absent, absent.'
  returned: always
  sample: update_rule
  type: string
  version_added: 2.4
  version_added_collection: ansible.builtin
backupdest:
  description:
  - The file name of the backup file, if created.
  returned: success
  type: string
  version_added: 2.6
  version_added_collection: ansible.builtin
change_count:
  description: How many rules were changed
  returned: success
  sample: 1
  type: int
  version_added: 2.4
  version_added_collection: ansible.builtin
dest:
  description:
  - Path to pam.d service that was changed.  This is only available in Ansible version
    2.3 and was removed in 2.4.
  returned: success
  sample: /etc/pam.d/system-auth
  type: string
new_rule:
  description: The changes to the rule.  This was available in Ansible version 2.4
    and 2.5.  It was removed in 2.6.
  returned: success
  sample: None      None None sha512 shadow try_first_pass use_authtok
  type: string
  version_added: 2.4
  version_added_collection: ansible.builtin
updated_rule_(n):
  description: The rule(s) that was/were changed.  This is only available in Ansible
    version 2.4 and was removed in 2.5.
  returned: success
  sample:
  - password      sufficient  pam_unix.so sha512 shadow try_first_pass use_authtok
  type: string
  version_added: 2.4
  version_added_collection: ansible.builtin