community.general.pamd (8.5.0) — module

Manage PAM Modules

Authors: Kenneth D. Evensen (@kevensen)

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

Edit PAM service's type, control, module path and module arguments.

In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.

Usage examples

- name: Update pamd rule's control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient
- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'
- name: Insert a new rule before an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before
- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  community.general.pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after
- name: Remove module arguments from an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated
- name: Replace all module arguments in an existing rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth
        silent
        deny=3
        unlock_time=604800
        fail_interval=900'
    state: updated
- name: Remove specific arguments from a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent
- name: Ensure specific arguments are present in a rule
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present
- name: Ensure specific arguments are present in a rule (alternative)
  community.general.pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
    - crond
    - quiet
    state: args_present
- name: Module arguments requiring commas must be listed as a YAML list
  community.general.pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
    - listsep=,
    state: args_present
- name: Update specific argument value in a rule
  community.general.pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present
- name: Add pam common-auth rule for duo
  community.general.pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'

Inputs

name:
    description:
    - The name generally refers to the PAM service file to change, for example system-auth.
    required: true
    type: str

path:
    default: /etc/pam.d
    description:
    - This is the path to the PAM service files.
    type: path

type:
    choices:
    - account
    - -account
    - auth
    - -auth
    - password
    - -password
    - session
    - -session
    description:
    - The type of the PAM rule being modified.
    - The O(type), O(control), and O(module_path) options all must match a rule to be
      modified.
    required: true
    type: str

state:
    choices:
    - absent
    - before
    - after
    - args_absent
    - args_present
    - updated
    default: updated
    description:
    - The default of V(updated) will modify an existing rule if type, control and module_path
      all match an existing rule.
    - With V(before), the new rule will be inserted before a rule matching type, control
      and module_path.
    - Similarly, with V(after), the new rule will be inserted after an existing rule matching
      type, control and module_path.
    - With either V(before) or V(after) O(new_type), O(new_control), and O(new_module_path)
      must all be specified.
    - If state is V(args_absent) or V(args_present), O(new_type), O(new_control), and
      O(new_module_path) will be ignored.
    - State V(absent) will remove the rule.
    type: str

backup:
    default: false
    description:
    - Create a backup file including the timestamp information so you can get the original
      file back if you somehow clobbered it incorrectly.
    type: bool

control:
    description:
    - The control of the PAM rule being modified.
    - This may be a complicated control with brackets. If this is the case, be sure to
      put "[bracketed controls]" in quotes.
    - The O(type), O(control), and O(module_path) options all must match a rule to be
      modified.
    required: true
    type: str

new_type:
    choices:
    - account
    - -account
    - auth
    - -auth
    - password
    - -password
    - session
    - -session
    description:
    - The new type to assign to the new rule.
    type: str

module_path:
    description:
    - The module path of the PAM rule being modified.
    - The O(type), O(control), and O(module_path) options all must match a rule to be
      modified.
    required: true
    type: str

new_control:
    description:
    - The new control to assign to the new rule.
    type: str

new_module_path:
    description:
    - The new module path to be assigned to the new rule.
    type: str

module_arguments:
    description:
    - When O(state=updated), the O(module_arguments) will replace existing module_arguments.
    - When O(state=args_absent) args matching those listed in O(module_arguments) will
      be removed.
    - When O(state=args_present) any args listed in O(module_arguments) are added if missing
      from the existing rule.
    - Furthermore, if the module argument takes a value denoted by C(=), the value will
      be changed to that specified in module_arguments.
    elements: str
    type: list
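
The rule-matching requirement from the Description (type, control and module_path must all match an existing rule) and the module_arguments semantics above, modelled in Python as an added illustration; this is not the module's own code. The sample pam.d content is constructed, and the line syntax assumed is that of pam.d(5): a bracketed control may contain spaces and counts as a single token.

```python
import re
# Constructed sample of a pam.d service file (not copied from any real host).
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

# A bracketed control such as [success=1 default=ignore] contains spaces, so it is
# taken as one token before the module path and its arguments are split on whitespace.
RULE_RE = re.compile(r'^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_rule(line):
    """Return (type, control, module_path, [args]) for a rule line, else None."""
    line = line.strip()
    m = RULE_RE.match(line) if line and not line.startswith('#') else None
    return (m.group(1), m.group(2), m.group(3), m.group(4).split()) if m else None


def apply_args(existing, wanted, state):
    """Apply module_arguments to a rule's argument list per the documented state."""
    if state == 'updated':        # replace the whole argument list
        return list(wanted)
    if state == 'args_absent':    # drop arguments that exactly match a listed one
        return [a for a in existing if a not in wanted]
    if state != 'args_present':
        raise ValueError('unsupported state: %s' % state)
    result = list(existing)
    for arg in wanted:
        key, has_value, _ = arg.partition('=')  # key=value: change the value in place
        hit = next((i for i, a in enumerate(result)
                    if has_value and '=' in a and a.partition('=')[0] == key), None)
        if hit is not None:
            result[hit] = arg
        elif arg not in result:   # flags and new keys are added only when missing
            result.append(arg)
    return result


def update_rules(text, rtype, control, module_path, module_arguments, state):
    """Edit each rule whose type, control AND module_path match; return (text, change_count)."""
    out, change_count = [], 0
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule[:3] == (rtype, control, module_path):
            new_args = apply_args(rule[3], module_arguments, state)
            if new_args != rule[3]:
                change_count += 1
                line = ' '.join([rtype, control, module_path] + new_args)
        out.append(line)
    return '\n'.join(out) + '\n', change_count
```

A rule whose control differs (for example sufficient instead of required) is left untouched and change_count stays 0, which is why the matching triple must be copied exactly from the target file.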

Outputs

backupdest:
  description:
  - The file name of the backup file, if created.
  returned: success
  type: str
change_count:
  description: How many rules were changed.
  returned: success
  sample: 1
  type: int