Merge pull request #47 from indiana-university/duo_passcode

Rsyslog feature

.pdkignore

@@ -26,6 +26,12 @@
 .envrc
 /inventory.yaml
 /spec/fixtures/litmus_inventory.yaml
+.resource_types
+.modules
+.task_cache.json
+.plan_cache.json
+.rerun.json
+bolt-debug.log
 /.fixtures.yml
 /Gemfile
 /.gitattributes

CHANGELOG.md

@@ -1,4 +1,7 @@
 # Changelog
+## Release 4.2.0
+* Adds duo_rsyslog option to the module - when activated, it sends Duo's syslog messages into the OS default auth log (also helpful for fail2ban use cases)
+
 ## Release 4.1.0
 * Adds pdk auto-added .config directory to gitignore
 * Format linting on manifests/ssh_config.pp

Gemfile

@@ -20,9 +20,9 @@ group :development do
   gem "json", '= 2.6.1',                         require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.3',                         require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "racc", '~> 1.4.0',                        require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
-  gem "deep_merge", '~> 1.0',                    require: false
+  gem "deep_merge", '~> 1.2.2',                  require: false
   gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
-  gem "facterdb", '~> 1.18',                     require: false
+  gem "facterdb", '~> 1.26',                     require: false
   gem "metadata-json-lint", '~> 4.0',            require: false
   gem "rspec-puppet-facts", '~> 3.0',            require: false
   gem "dependency_checker", '~> 1.0.0',          require: false
@@ -34,6 +34,7 @@ group :development do
   gem "rubocop-performance", '= 1.16.0',         require: false
   gem "rubocop-rspec", '= 2.19.0',               require: false
   gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "rexml", '>= 3.0.0', '< 3.2.7',            require: false
 end
 group :development, :release_prep do
   gem "puppet-strings", '~> 4.0',         require: false

README.md

@@ -81,16 +81,18 @@ class { 'duo_unix':
   skey              => 'your secret key',
   host              => 'api-yourhost.duosecurity.com',
   motd              => 'yes',
-  accept_env_factor => 'no', 
+  accept_env_factor => 'no',
+  duo_rsyslog       => false, 
 }
 ```
-**Note:** accept_env_factor is set to 'no' by default, but enables DUO_PASSCODE
-as desribed above for out-of-band 2FA when set to 'yes'
+### Notes 
+* accept_env_factor is set to 'no' by default, but when set to 'yes', enables DUO_PASSCODE as desribed above for out-of-band 2FA
+* duo_rsyslog is set to false by default, but when set to true, enables sending duo auth messages to the OS-default auth log (this is also very helpful for simplifying fail2ban config if also used)
 
 ## Limitations
 
 In the past the official Duo module supported various RedHat derivatives. This
-module *currently* makes no attempt to support them.
+module *currently* only makes minor attempts to support them.
 
 ## Contributing
 

manifests/init.pp

@@ -81,8 +81,16 @@
 # @param accept_env_factor
 #   Look for factor selection or passcode in the $DUO_PASSCODE environment
 #   variable before prompting the user for input. When $DUO_PASSCODE is
-#   non-empty, it will override autopush.
-#   Default is "no"
+#   non-empty, it will override autopush. For this parameter to work properly 
+#   when set to 'yes', the manage_ssh parameter must be set to true. 
+#   Default is "no".
+#
+# @param duo_rsyslog
+#   Sends Duo-related auth logs into auth.log in addition to Duo's default
+#   syslog logging destination. This is to facilitate the use of fail2ban
+#   with Duo conditions by confining all auth-related activity to auth.log.
+#   Default is false
+#
 # @param proxy
 #   Whether to use a proxy.
 #
@@ -113,6 +121,7 @@
   Enum['no', 'yes']                   $motd              = $duo_unix::params::motd,
   Integer[1, 3]                       $prompts           = $duo_unix::params::prompts,
   Enum['no', 'yes']                   $accept_env_factor = $duo_unix::params::accept_env_factor,
+  Boolean                             $duo_rsyslog       = $duo_unix::params::duo_rsyslog,
   Optional[StdLib::Httpurl]           $proxy             = undef,
   Optional[Stdlib::Absolutepath]      $cafile            = undef,
   Optional[String]                    $groups            = undef,
@@ -121,6 +130,9 @@
   if $manage_repo {
     include duo_unix::repo
   }
+  if $duo_rsyslog {
+    include duo_unix::rsyslog
+  }
 
   #
   # I need to figure out a neater way to do this, my assumptions about

manifests/pam_ssh_config.pp

@@ -27,10 +27,12 @@
         'set UseDNS no',
         'set ChallengeResponseAuthentication yes',
         'set ExposeAuthInfo yes',
+        # lint:ignore:140chars
         $keyonly ? {
           true  => 'set AuthenticationMethods "publickey,keyboard-interactive:pam"',
           false => 'set AuthenticationMethods "gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam keyboard-interactive:pam,keyboard-interactive:pam"'
         },
+        # lint:endignore
       ],
       require => [
         Package[$duo_unix::params::duo_package],

manifests/params.pp

@@ -19,6 +19,7 @@
   $prompts            = 3
   $accept_env_factor  = 'no'
   $pam_unix_control   = 'requisite'
+  $duo_rsyslog        = false
 
   $pam_module = $facts['os']['architecture'] ? {
     'i386'   => '/lib/security/pam_duo.so',
@@ -27,10 +28,11 @@
   }
 
   case $facts['os']['family'] {
-    'Debian': {
-      $duo_package = 'duo-unix'
-      $ssh_service = 'sshd'
-      $pam_file    = '/etc/pam.d/common-auth'
+    'Debian', 'Ubuntu' : {
+      $duo_package  = 'duo-unix'
+      $ssh_service  = 'sshd'
+      $pam_file     = '/etc/pam.d/common-auth'
+      $auth_logfile = '/var/log/auth.log'
     }
     'RedHat': {
       $duo_package = 'duo_unix'
@@ -40,6 +42,7 @@
         '5' => '/etc/pam.d/system-auth',
         default => '/etc/pam.d/password-auth',
       }
+      $auth_logfile = '/var/log/secure'
     }
     default: {
       fail("Module ${module_name} does not support ${facts['os']['release']['full']}")

manifests/rsyslog.pp

@@ -0,0 +1,17 @@
+# This class creates a configuration file
+# (/etc/rsyslog.d/60-duo_unix.conf) to direct
+# login_duo messages into the system's auth log
+#
+# @summary This class configures rsyslog.d to send Duo-related auth logs 
+#   into the system's auth log in addition to its default syslog logging destination. 
+#   This is to facilitate the use of fail2ban with Duo conditions by
+#   confining all auth-related activity to the auth log.
+#
+# @example
+#   include duo_unix::rsyslog
+class duo_unix::rsyslog inherits duo_unix::params {
+  package { 'rsyslog': }
+  file { '/etc/rsyslog.d/60-duo_unix.conf':
+    content => "# This file is managed by Puppet. DO NOT EDIT.\nlogin_duo\t\t${duo_unix::params::auth_logfile}",
+  }
+}

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "iu-duo_unix",
-  "version": "4.1.0",
+  "version": "4.2.0",
   "author": "Anthony Vitacco <[email protected]>, Mark Addonizio <[email protected]>, Will Meredith <[email protected]>",
   "summary": "Installs, configures, and manages Duo Unix",
   "license": "MIT",
@@ -76,7 +76,7 @@
       "version_requirement": ">= 7.0.0 < 9.0.0"
     }
   ],
-  "pdk-version": "3.0.1",
+  "pdk-version": "3.2.0",
   "template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
-  "template-ref": "tags/3.2.0-0-gb257ef1"
+  "template-ref": "heads/main-0-g1829b3f"
 }

provision.yaml

@@ -4,7 +4,6 @@ default:
   images:
     - 'litmusimage/ubuntu:20.04'
     - 'litmusimage/ubuntu:22.04'
-    - 'litmusimage/centos:stream8'
     - 'litmusimage/centos:stream9'
   vars: "docker_run_opts: ['--tmpfs=/run', '--tmpfs=/run/lock', '-v=/sys/fs/cgroup/puppet.slice:/sys/fs/cgroup/puppet.slice:rw', '--cgroupns=host', '--cgroup-parent=puppet.slice']"
 ubuntu:
@@ -23,8 +22,6 @@ debian:
 centos:
   provisioner: docker
   images:
-    - 'litmusimage/centos:7'
-    - 'litmusimage/centos:stream8'
     - 'litmusimage/centos:stream9'
   vars: "docker_run_opts: ['--tmpfs=/run', '--tmpfs=/run/lock', '-v=/sys/fs/cgroup/puppet.slice:/sys/fs/cgroup/puppet.slice:rw', '--cgroupns=host', '--cgroup-parent=puppet.slice']"
 redhatish:

spec/acceptance/rsyslog_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper_acceptance'
+
+rsyslog_config_file = '/etc/rsyslog.d/60-duo_unix.conf'
+
+# manage_ssh is needed for testing because sshd is already used for
+# the testing environment and gives false failures without setting to false here
+pp_static_content = <<-PUPPETCODE
+    class { 'duo_unix':
+        usage       => 'login',
+        ikey        => 'ikey',
+        skey        => 'skey',
+        host        => 'host',
+        manage_ssh  => false,
+        duo_rsyslog => true,
+    }
+PUPPETCODE
+
+def test_rsyslog(pp, filename)
+  idempotent_apply(pp)
+  expect(file(filename)).to be_file
+end
+
+describe 'rsyslog configuration' do
+  context 'applying rsyslog configuration'
+  it do
+    test_rsyslog(pp_static_content, rsyslog_config_file)
+  end
+end

spec/acceptance/ssh_config_spec.rb

@@ -2,6 +2,8 @@
 
 duo_config_file = '/etc/duo/login_duo.conf'
 
+# manage_ssh is needed for testing because sshd is already used for
+# the testing environment and gives false failures without setting to false here
 pp_static_content = <<-PUPPETCODE
     class { 'duo_unix':
         manage_ssh => false,