Check for SHA512 password storage [+Docs]

This patch looks for `sha512` password storage inside the PAM configuration
file for password auth. A warning is printed if it is not found.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I0aa02f5731ad4b227be9a244042cdb104a4ea341

doc/metadata/rhel7/RHEL-07-010170.rst

@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-010170
-status: not implemented
-tag: misc
+status: implemented
+tag: implemented
 ---
 
-This STIG requirement is not yet implemented.
+The PAM configuration file for password storage is checked to ensure that
+``sha512`` is found on the ``pam_unix.so`` line. If ``sha512`` is not found,
+a debug message is printed in the Ansible output.

tasks/rhel7stig/auth.yml

@@ -51,6 +51,26 @@
     - RHEL-07-010150
     - RHEL-07-010160
 
+- name: Check for SHA512 password storage in PAM
+  command: "grep pam_unix.so {{ pam_password_file }}"
+  register: password_sha512_check
+  changed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-010170 - The PAM system service must be configured to store only encrypted representations of passwords.
+  debug:
+    msg: >
+      PAM is not using SHA512 for password storage. This is a security issue.
+  when:
+    - password_sha512_check is defined
+    - "'sha512' not in password_sha512_check.stdout"
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010170
+
 - name: RHEL-07-010180 - The shadow file must be configured to store only encrypted representations of passwords.
   lineinfile:
     dest: /etc/login.defs