Refactor login.defs adjustments [+Docs]

This patch refactors the login.defs adjustments into a single task
that loops over a variable. It also adds tasks for RHEL-07-010200,
RHEL-07-010420, and RHEL-07-020230.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I7c1f869d87338547da8943d5aa506ceb871cee68

defaults/main.yml

@@ -465,17 +465,22 @@ security_pwquality_require_character_classes_changed: yes    # RHEL-07-010140
 security_pwquality_limit_repeated_characters: yes            # RHEL-07-010150
 security_pwquality_limit_repeated_character_classes: yes     # RHEL-07-010160
 # Ensure passwords are stored using SHA512.
-security_require_sha512_password_storage: yes                # RHEL-07-010180
+security_password_encrypt_method: SHA512                     # RHEL-07-010180
 # Ensure user/group admin utilities only store encrypted passwords.
 security_libuser_crypt_style_sha512: yes                     # RHEL-07-010190
-# Set a maximum lifetime limit for user passwords.
+# Set a minimum/maximum lifetime limit for user passwords.
+#security_password_min_lifetime_days: 1                      # RHEL-07-010200
 #security_password_max_lifetime_days: 60                     # RHEL-07-010220
 # Set a timeout (in seconds) to cache NSS authenticators with sssd.
 security_nss_cached_authenticator_timeout: 86400             # RHEL-07-010400
 # Set a timeout (in days) to cache PAM/ssh authenticators with sssd.
 security_pam_offline_credentials_expiration_days: 1          # RHEL-07-010401 / RHEL-07-010402
+# Set a delay (in seconds) between failed login attempts.
+security_shadow_utils_fail_delay: 4                          # RHEL-07-010420
+# Set a umask for all authenticated users.
+security_shadow_utils_umask: 077                             # RHEL-07-020230
 # Create home directories for new users by default.
-security_create_home_directory_default: yes                  # RHEL-07-020630
+security_shadow_utils_create_home: yes                       # RHEL-07-020630
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.

doc/metadata/rhel7/RHEL-07-010180.rst

@@ -8,8 +8,15 @@ The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
 Enterprise Linux 7 is ``SHA512`` and the tasks in the security role ensure that
 the default is maintained.
 
-Deployers can opt out of this change by setting the following Ansible variable:
+Deployers can configure a different password storage mechanism by setting the
+following Ansible variable:
 
 .. code-block:: yaml
 
-    security_require_sha512_password_storage: no
+    security_password_encrypt_method: SHA512
+
+.. warning::
+
+    SHA512 is the default on most modern Linux distributions and it meets the
+    requirement of the STIG. Do not change the value unless a system has
+    a specific need for a different password mechanism.

doc/metadata/rhel7/RHEL-07-010200.rst

@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-010200
-status: not implemented
-tag: misc
+status: opt-in
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that all passwords have a minimum lifetime set, this
+can cause issue in some production environments. Therefore, deployers must opt
+in for this change.
+
+Set the following Ansible variable to an integer (in days) to enable this
+setting:
+
+.. code-block:: yaml
+
+    security_password_min_lifetime_days: 1
+
+The STIG requires the minimum lifetime for password to be one day.

doc/metadata/rhel7/RHEL-07-010220.rst

@@ -4,9 +4,10 @@ status: opt-in
 tag: auth
 ---
 
-Setting a limit on the lifetime for passwords might be disruptive for some
-users without proper communication explaining the change. Therefore, this
-change is **disabled by default**.
+Although the STIG requires that all passwords have a maximum lifetime set, this
+can cause authentication disruptions in production environments if users are
+not aware that their password will expire. Therefore, this change is not
+applied by default.
 
 Deployers can opt in for this change and provide a maximum lifetime for user
 passwords (in days) by setting the following Ansible variable:
@@ -14,3 +15,5 @@ passwords (in days) by setting the following Ansible variable:
 .. code-block:: yaml
 
     security_password_max_lifetime_days: 60
+
+The STIG requires that all passwords expire after 60 days.

doc/metadata/rhel7/RHEL-07-010420.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-010420
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the Ansible role set a four second delay between failed login
+attempts. Deployers can configure a different delay (in seconds) by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+    security_shadow_utils_fail_delay: 4

doc/metadata/rhel7/RHEL-07-020230.rst

@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-020230
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The umask for authenticated users is set to ``077`` by the tasks in the
+security role. This is the default for Ubuntu, CentOS, and Red Hat Enterprise
+Linux already.
+
+Deployers can choose a different umask value by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+    security_shadow_utils_umask: 077

doc/metadata/rhel7/RHEL-07-020630.rst

@@ -12,10 +12,10 @@ Deployers can opt out of this change by setting the following Ansible variable:
 
 .. code-block:: yaml
 
-    security_create_home_directory_default: no
+    security_shadow_utils_create_home: no
 
 .. note::
 
-    On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directores are
+    On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directories are
     always created with new users by default. Home directories are not created
     by default on Ubuntu systems.

tasks/rhel7stig/auth.yml

@@ -71,18 +71,24 @@
     - medium
     - RHEL-07-010170
 
-- name: RHEL-07-010180 - The shadow file must be configured to store only encrypted representations of passwords.
+- name: Configure shadow-utils configuration
   lineinfile:
     dest: /etc/login.defs
-    regexp: "^ENCRYPT_METHOD"
-    line: "ENCRYPT_METHOD SHA512"
+    regexp: "^{{ item.parameter }}"
+    line: "{{ item.parameter }} {{ item.value }}"
     state: present
   when:
-    - security_require_sha512_password_storage | bool
+    - item.value != ''
+  with_items: "{{ shadow_utils_rhel7 }}"
   tags:
     - auth
     - medium
     - RHEL-07-010180
+    - RHEL-07-010200
+    - RHEL-07-010220
+    - RHEL-07-010420
+    - RHEL-07-020230
+    - RHEL-07-020630
 
 - name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
   ini_file:
@@ -122,18 +128,6 @@
     - medium
     - RHEL-07-010210
 
-- name: RHEL-07-010220 - Passwords for new users must be restricted to a 60-day maximum lifetime.
-  lineinfile:
-    dest: /etc/login.defs
-    regexp: "^(#)?PASS_MAX_DAYS"
-    line: "PASS_MAX_DAYS {{ security_password_max_lifetime_days }}"
-  when:
-    - security_password_max_lifetime_days is defined
-  tags:
-    - auth
-    - medium
-    - RHEL-07-010220
-
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
   lineinfile:
     dest: "{{ pam_auth_file }}"
@@ -292,19 +286,6 @@
     - medium
     - RHEL-07-020620
 
-- name: RHEL-07-020630 - All local interactive user accounts, upon creation, must be assigned a home directory.
-  lineinfile:
-    dest: /etc/login.defs
-    regexp: "^(#)?CREATE_HOME"
-    line: "CREATE_HOME yes"
-    state: present
-  when:
-    - security_create_home_directory_default | bool
-  tags:
-    - auth
-    - medium
-    - RHEL-07-020630
-
 - name: Check each user to see if its home directory exists on the filesystem
   stat:
     path: "{{ item['dir'] }}"

vars/common.yml

@@ -250,6 +250,35 @@ password_quality_rhel7:
     description: "Password must have at most four characters in the same character class repeated consecutively"
     enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
 
+## shadow-utils settings
+# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
+# configurations in /etc/login.defs.
+#
+# Each dictionary has this structure:
+#
+#   parameter: the parameter to set
+#   value: the value for the parameter
+#   stig_id: the STIG ID number for the requirement
+#
+shadow_utils_rhel7:
+  - parameter: ENCRYPT_METHOD
+    value: "{{ security_password_encrypt_method | default('') }}"
+    stig_id: RHEL-07-010180
+  - parameter: PASS_MIN_DAYS
+    value: "{{ security_password_min_lifetime_days | default('') }}"
+    stig_id: RHEL-07-010200
+  - parameter: PASS_MAX_DAYS
+    value: "{{ security_password_max_lifetime_days | default('') }}"
+    stig_id: RHEL-07-010220
+  - parameter: FAIL_DELAY
+    value: "{{ security_shadow_utils_fail_delay | default('') }}"
+    stig_id: RHEL-07-010420
+  - parameter: UMASK
+    value: "{{ security_shadow_utils_umask | default('') }}"
+    stig_id: RHEL-07-020230
+  - parameter: CREATE_HOME
+    value: "{{ security_shadow_utils_create_home | default('') }}"
+    stig_id: RHEL-07-020630
 
 ## sysctl settings
 # This variable is used in main/rhel7stig/kernel.yml to set sysctl