From c59d5b693613cef87c17c66a33392acc1fd0ed0a Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 17 Nov 2016 12:40:56 -0600
Subject: [PATCH] Apply password quality rules

This patch applies password quality rules and satisfies the following controls:

- RHEL-07-010090
- RHEL-07-010100
- RHEL-07-010110
- RHEL-07-010120
- RHEL-07-010130
- RHEL-07-010140
- RHEL-07-010150
- RHEL-07-010160

Each password quality requirement can be turned on/off with variables and there is one master switch variable that turns them all off.

The master switch is off by default because these rules can cause problems with existing systems if users aren't aware of the new requirements. This will be explained in detail in the docs in the follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I3023715933321f11668c060046c065c17d7d2c6b
---
 defaults/main.yml           | 13 +++++++++
 tasks/rhel7stig/auth.yml    | 30 ++++++++++++++++++++
 templates/pwquality.conf.j2 |  8 ++++++
 tests/test.yml              |  1 +
 vars/common.yml             | 55 +++++++++++++++++++++++++++++++++++++
 5 files changed, 107 insertions(+)
 create mode 100644 templates/pwquality.conf.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 0a876a62..5e0dcf4a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -449,6 +449,19 @@ security_rhel7_audit_account_actions: yes # RHEL-07-030710
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
 security_disallow_blank_password_login: yes # RHEL-07-010260
+# Apply password quality rules.
+# NOTE: The security_pwquality_apply_rules variable is a "master switch".
+# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
+# the password quality rules. Each rule can be disabled with a value of 'no'.
+security_pwquality_apply_rules: no
+security_pwquality_require_uppercase: yes # RHEL-07-010090
+security_pwquality_require_lowercase: yes # RHEL-07-010100
+security_pwquality_require_numeric: yes # RHEL-07-010110
+security_pwquality_require_special: yes # RHEL-07-010120
+security_pwquality_require_characters_changed: yes # RHEL-07-010130
+security_pwquality_require_character_classes_changed: yes # RHEL-07-010140
+security_pwquality_limit_repeated_characters: yes # RHEL-07-010150
+security_pwquality_limit_repeated_character_classes: yes # RHEL-07-010160
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index beb9b2f2..60d6375d 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
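Review bot: The new comment block above `security_pwquality_apply_rules: no` explains the master switch but not where the rules land or what they depend on, so a user who flips it to `yes` and sees no effect at the login prompt has nothing to go on. I would extend it with `# Enabled rules are written to /etc/security/pwquality.conf and only take effect if pam_pwquality is in the PAM password stack (the RHEL 7 authconfig default, as far as I know).` The target file is visible in the tasks/rhel7stig/auth.yml hunk of this patch; the pam_pwquality dependence is libpwquality behaviour rather than anything this patch shows, so confirm it before committing to that wording.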
@@ -13,6 +13,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Check if /etc/security/pwquality.conf exists
+  stat:
+    path: /etc/security/pwquality.conf
+  check_mode: no
+  register: pwquality_config_check
+  tags:
+    - always
+
+- name: Set password quality requirements
+  blockinfile:
+    dest: /etc/security/pwquality.conf
+    backup: yes
+    insertbefore: EOF
+    marker: "# {mark} Added by openstack-ansible-security role"
+    state: present
+    block: "{{ lookup('template', 'pwquality.conf.j2') }}"
+  when:
+    - pwquality_config_check.stat.exists
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010090
+    - RHEL-07-010100
+    - RHEL-07-010110
+    - RHEL-07-010120
+    - RHEL-07-010130
+    - RHEL-07-010140
+    - RHEL-07-010150
+    - RHEL-07-010160
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
   lineinfile:
     dest: "{{ pam_auth_file }}"
diff --git a/templates/pwquality.conf.j2 b/templates/pwquality.conf.j2
new file mode 100644
index 00000000..93060413
--- /dev/null
+++ b/templates/pwquality.conf.j2
@@ -0,0 +1,8 @@
+{% if security_pwquality_apply_rules | bool %}
+{% for rule in password_quality_rhel7 %}
+{% if rule.enabled | bool %}
+# {{ rule.stig_id }} - {{ rule.description }}
+{{ rule.parameter}} = {{ rule.value }}
+{% endif %}
+{% endfor %}
+{% endif %}
diff --git a/tests/test.yml b/tests/test.yml
index 471f719f..85c11803 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -76,6 +76,7 @@
   roles:
     - role: "openstack-ansible-security"
       vars:
+        security_pwquality_apply_rules: yes
         security_package_clean_on_remove: yes
         security_unattended_upgrades_enabled: true
         security_unattended_upgrades_notifications: true
diff --git a/vars/common.yml b/vars/common.yml
index b2a2f0aa..b65a7cea 100644
--- a/vars/common.yml
+++ b/vars/common.yml
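Review bot: The `when: pwquality_config_check.stat.exists` guard on the "Set password quality requirements" task makes a missing /etc/security/pwquality.conf (libpwquality not installed) a silent skip, so all eight controls in the tag list are quietly left unmet on exactly the hosts that never had pwquality to begin with, and the play still reports success. A hardening role should say so: either ensure the package is present before the stat, or emit a loud message when the operator asked for the rules and the file is absent. The guard itself is fine to keep so the task never creates a bare pwquality.conf without the pam_pwquality module behind it. Appending at EOF is also the right placement, since (as far as I recall) libpwquality applies later assignments over earlier ones, so the managed block wins over any uncommented stock values above it; a comment saying that would help the next maintainer.
```yaml
# … unchanged: "Check if /etc/security/pwquality.conf exists" task …
- name: Warn when password quality rules cannot be applied
  debug:
    msg: "/etc/security/pwquality.conf is missing (libpwquality installed?); RHEL-07-010090 to RHEL-07-010160 were NOT applied"
  when:
    - security_pwquality_apply_rules | bool
    - not pwquality_config_check.stat.exists
  tags:
    - auth
    - medium
# … unchanged: "Set password quality requirements" task …
```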
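Review bot: The outer `{% if security_pwquality_apply_rules | bool %}` makes the template render to an empty string when the master switch is off, and with `state: present` the blockinfile task in tasks/rhel7stig/auth.yml then receives `block: ""`; per the blockinfile module documentation an empty block is treated like `state: absent`, so turning the switch off also strips previously applied rules from pwquality.conf. That is probably the behaviour you want, but it is not obvious from either file, so state it in the template: `{# Rendering nothing here makes blockinfile remove the managed block, so switching security_pwquality_apply_rules off also reverts rules applied earlier. #}` Please confirm against the Ansible version the role targets. Minor: `{{ rule.parameter}}` is missing the space before the closing braces that every other expression in the file has.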
@@ -196,6 +196,61 @@ audited_commands:
     stig_id: RHEL-07-030514
     arch_specific: no
 
+## Password quality settings
+# This variable is used in main/rhel7stig/auth.yml to set password quality
+# requirements.
+#
+# Each dictionary has this structure:
+#
+# parameter: the pwquality parameter to set
+# value: the value of the parameter
+# stig_id: the STIG id number
+# description: description of the control from the STIG
+# enabled: whether the change should be applied
+#
+password_quality_rhel7:
+  - parameter: ucredit
+    value: -1
+    stig_id: RHEL-07-010090
+    description: "Password must contain at least one upper-case character"
+    enabled: "{{ security_pwquality_require_uppercase }}"
+  - parameter: lcredit
+    value: -1
+    stig_id: RHEL-07-010100
+    description: "Password must contain at least one lower-case character"
+    enabled: "{{ security_pwquality_require_lowercase }}"
+  - parameter: dcredit
+    value: -1
+    stig_id: RHEL-07-010110
+    description: "Password must contain at least one numeric character"
+    enabled: "{{ security_pwquality_require_numeric }}"
+  - parameter: ocredit
+    value: -1
+    stig_id: RHEL-07-010120
+    description: "Password must contain at least one special character"
+    enabled: "{{ security_pwquality_require_special }}"
+  - parameter: difok
+    value: 8
+    stig_id: RHEL-07-010130
+    description: "Password must have at least eight characters changed"
+    enabled: "{{ security_pwquality_require_characters_changed }}"
+  - parameter: minclass
+    value: 4
+    stig_id: RHEL-07-010140
+    description: "Password must have at least four character classes changed"
+    enabled: "{{ security_pwquality_require_character_classes_changed }}"
+  - parameter: maxrepeat
+    value: 4
+    stig_id: RHEL-07-010150
+    description: "Password must have at most four characters repeated consecutively"
+    enabled: "{{ security_pwquality_limit_repeated_characters }}"
+  - parameter: maxclassrepeat
+    value: 4
+    stig_id: RHEL-07-010160
+    description: "Password must have at most four characters in the same character class repeated consecutively"
+    enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
+
+
 ## sysctl settings
 # This variable is used in main/rhel7stig/kernel.yml to set sysctl
 # configurations on hosts.
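Review bot: The `maxrepeat` entry for RHEL-07-010150 sets `value: 4` and describes it as "at most four characters repeated consecutively", but unless I misremember the RHEL 7 STIG check text that control requires `maxrepeat = 3` (no more than three consecutive repeating characters); `maxrepeat = 4` still accepts a password containing `aaaa`, which the STIG setting rejects, so the control would be marked satisfied while the host still fails the check. Please verify against the STIG and, if it reads that way, change the entry to `value: 3` with `description: "Password must not have more than three characters repeated consecutively"`. The neighbouring values (difok 8, minclass 4, maxclassrepeat 4, the four -1 credits) match my recollection of their controls. It would also help to note in the header comment that the `enabled` values are Jinja strings and the template applies `| bool` to them, since a reader of this file alone cannot see that.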