Apply password quality rules

This patch applies password quality rules and satisfies the following
controls:

 - RHEL-07-010090
 - RHEL-07-010100
 - RHEL-07-010110
 - RHEL-07-010120
 - RHEL-07-010130
 - RHEL-07-010140
 - RHEL-07-010150
 - RHEL-07-010160

Each password quality requirement can be turned on/off with variables
and there is one master switch variable that turns them all off. The
master switch is off by default because these rules can cause problems
with existing systems if users aren't aware of the new requirements.

This will be explained in detail in the docs in the follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I3023715933321f11668c060046c065c17d7d2c6b

defaults/main.yml

@@ -449,6 +449,19 @@ security_rhel7_audit_account_actions: yes                    # RHEL-07-030710
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
 security_disallow_blank_password_login: yes                  # RHEL-07-010260
+# Apply password quality rules.
+# NOTE: The security_pwquality_apply_rules variable is a "master switch".
+# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
+# the password quality rules. Each rule can be disabled with a value of 'no'.
+security_pwquality_apply_rules: no
+security_pwquality_require_uppercase: yes                    # RHEL-07-010090
+security_pwquality_require_lowercase: yes                    # RHEL-07-010100
+security_pwquality_require_numeric: yes                      # RHEL-07-010110
+security_pwquality_require_special: yes                      # RHEL-07-010120
+security_pwquality_require_characters_changed: yes           # RHEL-07-010130
+security_pwquality_require_character_classes_changed: yes    # RHEL-07-010140
+security_pwquality_limit_repeated_characters: yes            # RHEL-07-010150
+security_pwquality_limit_repeated_character_classes: yes     # RHEL-07-010160
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.

tasks/rhel7stig/auth.yml

@@ -13,6 +13,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Check if /etc/security/pwquality.conf exists
+  stat:
+    path: /etc/security/pwquality.conf
+  check_mode: no
+  register: pwquality_config_check
+  tags:
+    - always
+
+- name: Set password quality requirements
+  blockinfile:
+    dest: /etc/security/pwquality.conf
+    backup: yes
+    insertbefore: EOF
+    marker: "# {mark} Added by openstack-ansible-security role"
+    state: present
+    block: "{{ lookup('template', 'pwquality.conf.j2') }}"
+  when:
+    - pwquality_config_check.stat.exists
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010090
+    - RHEL-07-010100
+    - RHEL-07-010110
+    - RHEL-07-010120
+    - RHEL-07-010130
+    - RHEL-07-010140
+    - RHEL-07-010150
+    - RHEL-07-010160
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
   lineinfile:
     dest: "{{ pam_auth_file }}"

templates/pwquality.conf.j2

@@ -0,0 +1,8 @@
+{% if security_pwquality_apply_rules | bool %}
+{% for rule in password_quality_rhel7 %}
+{% if rule.enabled | bool %}
+# {{ rule.stig_id }} - {{ rule.description }}
+{{ rule.parameter}} = {{ rule.value }}
+{% endif %}
+{% endfor %}
+{% endif %}

tests/test.yml

@@ -76,6 +76,7 @@
   roles:
     - role: "openstack-ansible-security"
   vars:
+    security_pwquality_apply_rules: yes
     security_package_clean_on_remove: yes
     security_unattended_upgrades_enabled: true
     security_unattended_upgrades_notifications: true

vars/common.yml

@@ -196,6 +196,61 @@ audited_commands:
     stig_id: RHEL-07-030514
     arch_specific: no
 
+## Password quality settings
+# This variable is used in main/rhel7stig/auth.yml to set password quality
+# requirements.
+#
+# Each dictionary has this structure:
+#
+#   parameter: the pwquality parameter to set
+#   value: the value of the parameter
+#   stig_id: the STIG id number
+#   description: description of the control from the STIG
+#   enabled: whether the change should be applied
+#
+password_quality_rhel7:
+  - parameter: ucredit
+    value: -1
+    stig_id: RHEL-07-010090
+    description: "Password must contain at least one upper-case character"
+    enabled: "{{ security_pwquality_require_uppercase }}"
+  - parameter: lcredit
+    value: -1
+    stig_id: RHEL-07-010100
+    description: "Password must contain at least one lower-case character"
+    enabled: "{{ security_pwquality_require_lowercase }}"
+  - parameter: dcredit
+    value: -1
+    stig_id: RHEL-07-010110
+    description: "Password must contain at least one numeric character"
+    enabled: "{{ security_pwquality_require_numeric }}"
+  - parameter: ocredit
+    value: -1
+    stig_id: RHEL-07-010120
+    description: "Password must contain at least one special character"
+    enabled: "{{ security_pwquality_require_special }}"
+  - parameter: difok
+    value: 8
+    stig_id: RHEL-07-010130
+    description: "Password must have at least eight characters changed"
+    enabled: "{{ security_pwquality_require_characters_changed }}"
+  - parameter: minclass
+    value: 4
+    stig_id: RHEL-07-010140
+    description: "Password must have at least four character classes changed"
+    enabled: "{{ security_pwquality_require_character_classes_changed }}"
+  - parameter: maxrepeat
+    value: 4
+    stig_id: RHEL-07-010150
+    description: "Password must have at most four characters repeated consecutively"
+    enabled: "{{ security_pwquality_limit_repeated_characters }}"
+  - parameter: maxclassrepeat
+    value: 4
+    stig_id: RHEL-07-010160
+    description: "Password must have at most four characters in the same character class repeated consecutively"
+    enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
+
+
 ## sysctl settings
 # This variable is used in main/rhel7stig/kernel.yml to set sysctl
 # configurations on hosts.