Security: Add tasks for RHEL-07-010260

This patch adds tasks to disallow logins from accounts with null
or blank passwords.

Implements: blueprint security-rhel7-stig
Change-Id: Icc5fd167be93bff9946810a17d8ef5521653d648

defaults/main.yml

@@ -382,6 +382,10 @@ security_unattended_upgrades_notifications: false
 #
 ###############################################################################
 
+## Authentication (auth)
+# Disallow logins from accounts with blank/null passwords via PAM.
+security_disallow_blank_password_login: yes             # RHEL-07-010260
+
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes                # RHEL-07-010010

doc/metadata/rhel7/RHEL-07-010260.rst

@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-010260
-status: not implemented
+status: implemented
-tag: misc
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The Ansible tasks will ensure that PAM is configured to disallow logins from
+accounts with null or blank passwords. This involves removing a single option
+from one of the PAM configuration files:
+
+  * CentOS or RHEL: removes ``nullok`` from ``/etc/pam.d/system-auth``
+  * Ubuntu: removes ``nullok_secure`` from ``/etc/pam.d/common-auth``
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_disallow_blank_password_login: no

tasks/rhel7stig/auth.yml

@@ -0,0 +1,47 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
+  lineinfile:
+    dest: "{{ pam_auth_file }}"
+    state: present
+    regexp: "^(.*)nullok_secure(.*)$"
+    line: '\1\2'
+    backup: yes
+    backrefs: yes
+  when:
+    - ansible_os_family == 'Debian'
+    - security_disallow_blank_password_login | bool
+  tags:
+    - high
+    - RHEL-07-010260
+
+- name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
+  lineinfile:
+    dest: "{{ pam_auth_file }}"
+    state: present
+    regexp: "^({{ item }}.*sufficient.*)nullok(.*)$"
+    line: '\1\2'
+    backup: yes
+    backrefs: yes
+  with_items:
+    - auth
+    - password
+  when:
+    - ansible_os_family == 'RedHat'
+    - security_disallow_blank_password_login | bool
+  tags:
+    - high
+    - RHEL-07-010260

tasks/rhel7stig/main.yml

@@ -48,6 +48,10 @@
   tags:
     - apt
 
+- include: auth.yml
+  tags:
+    - auth
+
 - include: file_perms.yml
   tags:
     - file_perms