From 8ad68162f3bfa508516e0d4b3747f3b1f485d8f5 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 1 Dec 2016 10:36:58 -0600
Subject: [PATCH] Set minimum password length [+Docs]

This patch allows deployers to opt in for a minimum password length restriction. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ia1d5d6677233ae21ce585b4a363d130e1bb003fa
---
 defaults/main.yml | 1 +
 doc/metadata/rhel7/RHEL-07-010250.rst | 15 ++++++++++++---
 tasks/rhel7stig/auth.yml | 1 +
 templates/pwquality.conf.j2 | 2 +-
 vars/common.yml | 5 +++++
 5 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3ca32853..267125c1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -464,6 +464,7 @@ security_pwquality_require_characters_changed: yes # RHEL-07-010130
 security_pwquality_require_character_classes_changed: yes # RHEL-07-010140
 security_pwquality_limit_repeated_characters: yes # RHEL-07-010150
 security_pwquality_limit_repeated_character_classes: yes # RHEL-07-010160
+security_pwquality_require_minimum_password_length: no # RHEL-07-010250
 # Ensure passwords are stored using SHA512.
 security_password_encrypt_method: SHA512 # RHEL-07-010180
 # Ensure user/group admin utilities only store encrypted passwords.
diff --git a/doc/metadata/rhel7/RHEL-07-010250.rst b/doc/metadata/rhel7/RHEL-07-010250.rst
index d0ed8a3e..871cd981 100644
--- a/doc/metadata/rhel7/RHEL-07-010250.rst
+++ b/doc/metadata/rhel7/RHEL-07-010250.rst
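Review bot: The new default only switches the rule on or off; the length itself is fixed at `value: 15` in the vars/common.yml hunk, so a deployer who opts in cannot phase the requirement in at a lower value before moving to the STIG's 15. Adding `security_pwquality_minimum_password_length: 15 # RHEL-07-010250` next to the new toggle and referencing it from vars/common.yml as `value: "{{ security_pwquality_minimum_password_length }}"` keeps the STIG value as the default while leaving the existing toggle's behaviour unchanged. The rationale for defaulting to `no` currently lives only in the .rst; a one-line comment above the new variable would carry it to readers of defaults/main.yml, e.g. `# Opt-in: a 15 character minimum can disrupt existing users on a production system.`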
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-010250
-status: not implemented
-tag: misc
+status: opt-in
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that passwords have a minimum length of 15
+characters, this change might be disruptive to users on a production system
+without communicating the change first. Therefore, this change is not applied
+by default.
+
+Deployers can opt in for the change by setting the following Ansible variable:
+
+.. code-block::
+
+   security_pwquality_require_minimum_password_length: yes
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 57505f0c..0fa4f6e1 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -50,6 +50,7 @@
     - RHEL-07-010140
     - RHEL-07-010150
     - RHEL-07-010160
+    - RHEL-07-010250
 
 - name: Check for SHA512 password storage in PAM
   command: "grep pam_unix.so {{ pam_password_file }}"
diff --git a/templates/pwquality.conf.j2 b/templates/pwquality.conf.j2
index 93060413..d0301c77 100644
--- a/templates/pwquality.conf.j2
+++ b/templates/pwquality.conf.j2
@@ -1,6 +1,6 @@
 {% if security_pwquality_apply_rules | bool %}
 {% for rule in password_quality_rhel7 %}
-{% if rule.enabled | bool %}
+{% if rule.value is defined and rule.enabled | bool %}
 # {{ rule.stig_id }} - {{ rule.description }}
 {{ rule.parameter}} = {{ rule.value }}
 {% endif %}
diff --git a/vars/common.yml b/vars/common.yml
index 7ee61b70..c92fa40f 100644
--- a/vars/common.yml
+++ b/vars/common.yml
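Review bot: The added `rule.value is defined` guard drops an enabled rule that has no `value` from the rendered pwquality.conf without leaving any trace, so a misspelt `value:` key in vars/common.yml would silently disable a hardening setting instead of failing the render. Nothing in this hunk shows why an entry of `password_quality_rhel7` may lack a value; if the intent is that such entries are enforced by other tasks, a Jinja comment above the condition should say so, e.g. `{# Entries without a pwquality value are enforced by other tasks and skipped here #}`. Alternatively, an `{% elif rule.enabled | bool %}` branch that writes `# {{ rule.stig_id }} - skipped, no value defined` would make the omission visible in the generated file.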
@@ -249,6 +249,11 @@ password_quality_rhel7:
     stig_id: RHEL-07-010160
     description: "Password must have at most four characters in the same character class repeated consecutively"
     enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
+  - parameter: minlen
+    value: 15
+    stig_id: RHEL-07-010250
+    description: "Passwords must be a minimum of 15 characters in length"
+    enabled: "{{ security_pwquality_require_minimum_password_length }}"
 
 ## shadow-utils settings
 # This variable is used in main/rhel7stig/auth.yml to set shadow file-related