Set minimum password length [+Docs]

This patch allows deployers to opt in for a minimum password length restriction. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ia1d5d6677233ae21ce585b4a363d130e1bb003fa
2016-12-01 10:36:58 -06:00 · 2016-12-01 10:36:58 -06:00 · 8ad68162f3
commit 8ad68162f3
parent 708cb62161
5 changed files with 20 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -464,6 +464,7 @@ security_pwquality_require_characters_changed: yes           # RHEL-07-010130
 security_pwquality_require_character_classes_changed: yes    # RHEL-07-010140
 security_pwquality_limit_repeated_characters: yes            # RHEL-07-010150
 security_pwquality_limit_repeated_character_classes: yes     # RHEL-07-010160
+security_pwquality_require_minimum_password_length: no       # RHEL-07-010250
 # Ensure passwords are stored using SHA512.
 security_password_encrypt_method: SHA512                     # RHEL-07-010180
 # Ensure user/group admin utilities only store encrypted passwords.
--- a/doc/metadata/rhel7/RHEL-07-010250.rst
+++ b/doc/metadata/rhel7/RHEL-07-010250.rst
@ -1,7 +1,16 @@
 ---
 id: RHEL-07-010250
-status: not implemented
-tag: misc
+status: opt-in
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+Although the STIG requires that passwords have a minimum length of 15
+characters, this change might be disruptive to users on a production system
+without communicating the change first. Therefore, this change is not applied
+by default.
+
+Deployers can opt in for the change by setting the following Ansible variable:
+
+.. code-block::
+
+    security_pwquality_require_minimum_password_length: yes
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -50,6 +50,7 @@
    - RHEL-07-010140
    - RHEL-07-010150
    - RHEL-07-010160
+    - RHEL-07-010250

 - name: Check for SHA512 password storage in PAM
  command: "grep pam_unix.so {{ pam_password_file }}"
--- a/templates/pwquality.conf.j2
+++ b/templates/pwquality.conf.j2
@ -1,6 +1,6 @@
 {% if security_pwquality_apply_rules | bool %}
 {% for rule in password_quality_rhel7 %}
-{% if rule.enabled | bool %}
+{% if rule.value is defined and rule.enabled | bool %}
 # {{ rule.stig_id }} - {{ rule.description }}
 {{ rule.parameter}} = {{ rule.value }}
 {% endif %}
--- a/vars/common.yml
+++ b/vars/common.yml
@ -249,6 +249,11 @@ password_quality_rhel7:
    stig_id: RHEL-07-010160
    description: "Password must have at most four characters in the same character class repeated consecutively"
    enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
+  - parameter: minlen
+    value: 15
+    stig_id: RHEL-07-010250
+    description: "Passwords must be a minimum of 15 characters in length"
+    enabled: "{{ security_pwquality_require_minimum_password_length }}"

 ## shadow-utils settings
 # This variable is used in main/rhel7stig/auth.yml to set shadow file-related