From a972b4f60ff27b856cb820a1cf4078cb11e01ccb Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 23 May 2016 13:18:32 -0500
Subject: [PATCH] Fix null password auth in CentOS
The task for V-38497 works well for Ubuntu, but CentOS uses a different string for enabling null password logins in PAM. This patch splits the existing task into two so that each case is handled properly.
Closes-bug: 1583752
Change-Id: I4c3bde487308270d43b52eba183bb9137b4c4d6b
---
 doc/source/developer-notes/V-38497.rst | 19 ++++++++++++-------
 tasks/auth.yml | 24 ++++++++++++++++++++----
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/doc/source/developer-notes/V-38497.rst b/doc/source/developer-notes/V-38497.rst
index 97cea9be..c6f1abef 100644
--- a/doc/source/developer-notes/V-38497.rst
+++ b/doc/source/developer-notes/V-38497.rst
@@ -1,12 +1,17 @@
-Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by
-default. This STIG requires that those login attempts are blocked.
+Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
+authenticate via PAM by default. This STIG requires that those login attempts
+are blocked.
-In Ubuntu, this functionality is controlled by the ``nullok_secure`` parameter
-found in ``/etc/pam.d/common-auth``. The Ansible task for this STIG will
-remove the ``nullok_secure`` from the PAM configuration file. The effects of
-the change are immediate and no service restarts are required.
+For Ubuntu, the ``nullok_secure`` option will be removed from ``/etc/pam.d
+/common-auth``.
-However, deployers can opt-out of this change by adjusting an Ansible variable:
+For CentOS, the ``nullok`` option will be removed from ``/etc/pam.d/system-
+auth``.
+
+The effects of the change are **immediate** and no service restarts are
+required.
+
+Deployers can opt-out of this change by adjusting an Ansible variable:
 .. code-block:: yaml
diff --git a/tasks/auth.yml b/tasks/auth.yml
index f3341d79..03b4903d 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -100,9 +100,7 @@
 - cat2
 - V-38496
-# RHEL 6 keeps this content in /etc/pam.d/system-auth, but Ubuntu keeps it in
-# /etc/pam.d/common-auth
-- name: V-38497 - The system must not have accounts configured with blank or null passwords.
+- name: V-38497 - The system must not have accounts configured with blank or null passwords. (Ubuntu)
 lineinfile:
 dest: "{{ pam_auth_file }}"
 state: present
@@ -110,7 +108,25 @@
 line: '\1\2'
 backup: yes
 backrefs: yes
- when: security_pam_remove_nullok | bool
+ when:
+ - ansible_os_family == 'Debian'
+ - security_pam_remove_nullok | bool
+ tags:
+ - auth
+ - cat1
+ - V-38497
+
+- name: V-38497 - The system must not have accounts configured with blank or null passwords. (CentOS)
+ lineinfile:
+ dest: "{{ pam_auth_file }}"
+ state: present
+ regexp: "^(auth.*sufficient.*)nullok(.*)$"
+ line: '\1\2'
+ backup: yes
+ backrefs: yes
+ when:
+ - ansible_os_family == 'RedHat'
+ - security_pam_remove_nullok | bool
 tags:
 - auth
 - cat1
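Review bot: The removed comment was the only place in this file stating that the PAM file being edited differs by distribution, and the renamed Ubuntu task still writes to `pam_auth_file` without saying where that value is expected to come from (presumably it is set per OS family elsewhere in the role). A short comment above the task would preserve that context for the next maintainer, e.g. `# pam_auth_file is /etc/pam.d/common-auth on Debian-family and /etc/pam.d/system-auth on RedHat-family hosts (see doc/source/developer-notes/V-38497.rst)`. The task body continues in the next hunk.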
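Review bot: The new CentOS task edits only the single file named by `pam_auth_file` (documented in this commit as /etc/pam.d/system-auth), but on CentOS 7 the same `nullok` option is also carried on the pam_unix.so line of /etc/pam.d/password-auth, which sshd and other network-facing services include, so the STIG control is only partially applied unless that file is covered too; either loop the lineinfile over both files for `ansible_os_family == 'RedHat'` or add `# NOTE: /etc/pam.d/password-auth also carries nullok on RHEL/CentOS and is not covered by this task` above it. On CentOS 7 both files are presumably authconfig-managed symlinks to their *-ac counterparts; if so, lineinfile without `follow: yes` replaces the symlink with a regular file and a later authconfig run can reintroduce the option, which is worth confirming and documenting. Note also that lineinfile with `backrefs` rewrites only the last line matching `regexp`, so a second `auth ... sufficient ... nullok` line in the same file would be left alone. The added `backup: yes` and `backrefs: yes` use the YAML 1.1 truthy spelling; `backup: true` / `backrefs: true` is unambiguous across parsers. The task definition continues past the hunk (its trailing `- V-38497` tag is outside).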