Fix null password auth in CentOS

The task for V-38497 works well for Ubuntu, but CentOS uses a different string for enabling null password logins in PAM. This patch splits the existing task into two so that each case is handled properly. Closes-bug: 1583752 Change-Id: I4c3bde487308270d43b52eba183bb9137b4c4d6b
2016-05-23 13:18:32 -05:00 · 2016-05-23 13:18:32 -05:00 · a972b4f60f
commit a972b4f60f
parent 490d2f4bd8
2 changed files with 32 additions and 11 deletions
--- a/doc/source/developer-notes/V-38497.rst
+++ b/doc/source/developer-notes/V-38497.rst
@ -1,12 +1,17 @@
-Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by
-default. This STIG requires that those login attempts are blocked.
+Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
+authenticate via PAM by default. This STIG requires that those login attempts
+are blocked.

-In Ubuntu, this functionality is controlled by the ``nullok_secure`` parameter
-found in ``/etc/pam.d/common-auth``.  The Ansible task for this STIG will
-remove the ``nullok_secure`` from the PAM configuration file.  The effects of
-the change are immediate and no service restarts are required.
+For Ubuntu, the ``nullok_secure`` option will be removed from ``/etc/pam.d
+/common-auth``.

-However, deployers can opt-out of this change by adjusting an Ansible variable:
+For CentOS, the ``nullok`` option will be removed from ``/etc/pam.d/system-
+auth``.
+
+The effects of the change are **immediate** and no service restarts are
+required.
+
+Deployers can opt-out of this change by adjusting an Ansible variable:

 .. code-block:: yaml

--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -100,9 +100,7 @@
    - cat2
    - V-38496

-# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
-# /etc/pam.d/common-auth
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
+- name: V-38497 - The system must not have accounts configured with blank or null passwords. (Ubuntu)
  lineinfile:
    dest: "{{ pam_auth_file }}"
    state: present
@ -110,7 +108,25 @@
    line: '\1\2'
    backup: yes
    backrefs: yes
-  when: security_pam_remove_nullok | bool
+  when:
+    - ansible_os_family == 'Debian'
+    - security_pam_remove_nullok | bool
+  tags:
+    - auth
+    - cat1
+    - V-38497
+
+- name: V-38497 - The system must not have accounts configured with blank or null passwords. (CentOS)
+  lineinfile:
+    dest: "{{ pam_auth_file }}"
+    state: present
+    regexp: "^(auth.*sufficient.*)nullok(.*)$"
+    line: '\1\2'
+    backup: yes
+    backrefs: yes
+  when:
+    - ansible_os_family == 'RedHat'
+    - security_pam_remove_nullok | bool
  tags:
    - auth
    - cat1