Try SpotterManage PAM Modules
| "added in version" 2.3 of ansible.builtin"
Authors: Kenneth D. Evensen (@kevensen)
preview | supported by community
pipInstall with pip install ansible==2.9.27
Edit PAM service's type, control, module path and module arguments.
In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.
- name: Update pamd rule's control in /etc/pam.d/system-auth
pamd:
name: system-auth
type: auth
control: required
module_path: pam_faillock.so
new_control: sufficient
- name: Update pamd rule's complex control in /etc/pam.d/system-auth
pamd:
name: system-auth
type: session
control: '[success=1 default=ignore]'
module_path: pam_succeed_if.so
new_control: '[success=2 default=ignore]'
- name: Insert a new rule before an existing rule
pamd:
name: system-auth
type: auth
control: required
module_path: pam_faillock.so
new_type: auth
new_control: sufficient
new_module_path: pam_faillock.so
state: before
- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an \
existing rule pam_rootok.so
pamd:
name: su
type: auth
control: sufficient
module_path: pam_rootok.so
new_type: auth
new_control: required
new_module_path: pam_wheel.so
module_arguments: 'use_uid'
state: after
- name: Remove module arguments from an existing rule
pamd:
name: system-auth
type: auth
control: required
module_path: pam_faillock.so
module_arguments: ''
state: updated
- name: Replace all module arguments in an existing rule
pamd:
name: system-auth
type: auth
control: required
module_path: pam_faillock.so
module_arguments: 'preauth
silent
deny=3
unlock_time=604800
fail_interval=900'
state: updated
- name: Remove specific arguments from a rule
pamd:
name: system-auth
type: session
control: '[success=1 default=ignore]'
module_path: pam_succeed_if.so
module_arguments: crond,quiet
state: args_absent
- name: Ensure specific arguments are present in a rule
pamd:
name: system-auth
type: session
control: '[success=1 default=ignore]'
module_path: pam_succeed_if.so
module_arguments: crond,quiet
state: args_present
- name: Ensure specific arguments are present in a rule (alternative)
pamd:
name: system-auth
type: session
control: '[success=1 default=ignore]'
module_path: pam_succeed_if.so
module_arguments:
- crond
- quiet
state: args_present
- name: Module arguments requiring commas must be listed as a Yaml list
pamd:
name: special-module
type: account
control: required
module_path: pam_access.so
module_arguments:
- listsep=,
state: args_present
- name: Update specific argument value in a rule
pamd:
name: system-auth
type: auth
control: required
module_path: pam_faillock.so
module_arguments: 'fail_interval=300'
state: args_present
- name: Add pam common-auth rule for duo
pamd:
name: common-auth
new_type: auth
new_control: '[success=1 default=ignore]'
new_module_path: '/lib64/security/pam_duo.so'
state: after
type: auth
module_path: pam_sss.so
control: 'requisite'
name:
description:
- The name generally refers to the PAM service file to change, for example system-auth.
required: true
type: str
path:
default: /etc/pam.d
description:
- This is the path to the PAM service files.
type: path
type:
choices:
- account
- -account
- auth
- -auth
- password
- -password
- session
- -session
description:
- The type of the PAM rule being modified.
- The C(type), C(control) and C(module_path) all must match a rule to be modified.
required: true
type: str
state:
choices:
- absent
- before
- after
- args_absent
- args_present
- updated
default: updated
description:
- The default of C(updated) will modify an existing rule if type, control and module_path
all match an existing rule.
- With C(before), the new rule will be inserted before a rule matching type, control
and module_path.
- Similarly, with C(after), the new rule will be inserted after an existing rulematching
type, control and module_path.
- With either C(before) or C(after) new_type, new_control, and new_module_path must
all be specified.
- If state is C(args_absent) or C(args_present), new_type, new_control, and new_module_path
will be ignored.
- State C(absent) will remove the rule. The 'absent' state was added in Ansible 2.4.
type: str
backup:
default: false
description:
- Create a backup file including the timestamp information so you can get the original
file back if you somehow clobbered it incorrectly.
type: bool
version_added: '2.6'
version_added_collection: ansible.builtin
control:
description:
- The control of the PAM rule being modified.
- This may be a complicated control with brackets. If this is the case, be sure to
put "[bracketed controls]" in quotes.
- The C(type), C(control) and C(module_path) all must match a rule to be modified.
required: true
type: str
new_type:
choices:
- account
- -account
- auth
- -auth
- password
- -password
- session
- -session
description:
- The new type to assign to the new rule.
type: str
module_path:
description:
- The module path of the PAM rule being modified.
- The C(type), C(control) and C(module_path) all must match a rule to be modified.
required: true
type: str
new_control:
description:
- The new control to assign to the new rule.
type: str
new_module_path:
description:
- The new module path to be assigned to the new rule.
type: str
module_arguments:
description:
- When state is C(updated), the module_arguments will replace existing module_arguments.
- When state is C(args_absent) args matching those listed in module_arguments will
be removed.
- When state is C(args_present) any args listed in module_arguments are added if missing
from the existing rule.
- Furthermore, if the module argument takes a value denoted by C(=), the value will
be changed to that specified in module_arguments.
type: list
action:
description:
- 'That action that was taken and is one of: update_rule, insert_before_rule, insert_after_rule,
args_present, args_absent, absent. This was available in Ansible 2.4 and removed
in Ansible 2.8'
returned: always
sample: update_rule
type: str
version_added: 2.4
version_added_collection: ansible.builtin
backupdest:
description:
- The file name of the backup file, if created.
returned: success
type: str
version_added: 2.6
version_added_collection: ansible.builtin
change_count:
description: How many rules were changed.
returned: success
sample: 1
type: int
version_added: 2.4
version_added_collection: ansible.builtin
dest:
description:
- Path to pam.d service that was changed. This is only available in Ansible 2.3
and was removed in Ansible 2.4.
returned: success
sample: /etc/pam.d/system-auth
type: str
new_rule:
description: The changes to the rule. This was available in Ansible 2.4 and Ansible
2.5. It was removed in Ansible 2.6.
returned: success
sample: None None None sha512 shadow try_first_pass use_authtok
type: str
version_added: 2.4
version_added_collection: ansible.builtin
updated_rule_(n):
description: The rule(s) that was/were changed. This is only available in Ansible
2.4 and was removed in Ansible 2.5.
returned: success
sample:
- password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
type: str
version_added: 2.4
version_added_collection: ansible.builtin