Password rules enhancement

Story: 2011084 Task: 50154 Change-Id: I34a70e6f2a68cb6617a16931f04edc92ccff0a93 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
2024-06-10 20:15:39 +00:00 · 2024-06-10 20:15:39 +00:00 · f85f77229a
commit f85f77229a
parent d02980606e
14 changed files with 104 additions and 22 deletions
--- a/doc/source/archive/configuration/k8s_auth_winactivedir.rst
+++ b/doc/source/archive/configuration/k8s_auth_winactivedir.rst
@ -115,7 +115,7 @@ are in ``/home/sysadmin/ssl/``.
            insecureNoSSL: false
            insecureSkipVerify: false
            bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com
-            bindPW: Li69nux*
+            bindPW: St8rlingXCloud*
            usernamePrompt: Username
            userSearch:
              baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com
--- a/doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst
+++ b/doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst
@ -34,4 +34,4 @@ For example:

 .. code-block:: none

-    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingX*" -e "admin_password=St8rlingX*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"
+    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingXCloud*" -e "admin_password=St8rlingXCloud*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"
--- a/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst
+++ b/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst
@ -137,7 +137,7 @@ conditions are in place:
 #.  Ensure that the system is at the same patch level as it was when the backup
    was taken. On the |AIO-SX| systems, you must manually reinstall any
    previous patches. This may include doing a reboot if required.
- 
+
    For steps on how to install patches using the :command:`sw-patch install-local` command, see :ref:`aio_simplex_install_kubernetes_r7`;
    ``Install Software on Controller-0``.

@ -176,7 +176,7 @@ conditions are in place:

    .. code-block:: none

-        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingX*"
+        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingXCloud*"

    .. note::

--- a/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst
+++ b/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst
@ -84,11 +84,11 @@ and target it at controller-0.
            yes/no: 'yes'
            sysadmin*: 'sysadmin'
            (current) UNIX password: 'sysadmin'
-            New password: 'St8rlingX*'
-            Retype new password: 'St8rlingX*'
-        admin_password: St8rlingX*
-        ansible_become_pass: St8rlingX*
-        ansible_ssh_pass: St8rlingX*
+            New password: 'St8rlingXCloud*'
+            Retype new password: 'St8rlingXCloud*'
+        admin_password: St8rlingXCloud*
+        ansible_become_pass: St8rlingXCloud*
+        ansible_ssh_pass: St8rlingXCloud*

    Save your changes and quit the editor. If you need to make additional
    changes, you can use the command :command:`ansible-vault edit
--- a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst
+++ b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst
@ -85,7 +85,7 @@ Below you can find other ``-e`` command line options:

    .. code-block:: none

-        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingX* admin_password=St8rlingX* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"
+        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"

    .. note::

--- a/doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst
+++ b/doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst
@ -186,7 +186,7 @@ From a new shell as a root user, without sourcing ``/etc/platform/openrc``:
       endpoint_type: internalURL
       auth:
         username: 'admin'
-         password: 'Li69nux*'
+         password: 'St8rlingXCloud*'
         project_name: 'admin'
         project_domain_name: 'default'
         user_domain_name: 'default'
--- a/doc/source/deploy_install_guides/release/openstack/access.rst
+++ b/doc/source/deploy_install_guides/release/openstack/access.rst
@ -269,7 +269,7 @@ The following command will request the Keystone token:
            "user": {
              "name": "admin",
              "domain": { "id": "default" },
-              "password": "St8rlingX*"
+              "password": "St8rlingXCloud*"
            }
          }
        },
--- a/doc/source/developer_resources/backup_restore.rst
+++ b/doc/source/developer_resources/backup_restore.rst
@ -127,7 +127,7 @@ Example:

 ::

-  ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* ansible_ssh_pass=Li69nux*"
+  ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*"

 #. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable.

@ -344,7 +344,7 @@ Steps:

            ::

-              ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"
+              ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"

    #.  If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command.

@ -470,7 +470,7 @@ Steps:

        ::

-          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'
+          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'

        If you want to restore Glance images and Cinder volumes from external
        storage (the Optional step above was executed) or you want to reconcile
@ -489,7 +489,7 @@ Steps:

          ::

-            ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
+            ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'

        * Restore Glance images and Cinder volumes using image-backup.sh and
          tidy_storage_post_restore helper scripts.
@ -556,4 +556,4 @@ Steps:

        ::

-          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
+          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
--- a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst
+++ b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst
@ -93,7 +93,7 @@ using the ansible playbook.
    .. code-block:: none

         {
-          "ansible_ssh_pass": "St8rlingX*",
+          "ansible_ssh_pass": "St8rlingXCloud*",
          "external_oam_node_0_address": "10.10.10.13",
          "external_oam_node_1_address": "10.10.10.14",
          }
--- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
+++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
@ -21,6 +21,7 @@ System Accounts
   remote-windows-active-directory-accounts
   starlingx-system-accounts-system-account-password-rules
   manage-local-ldap-39fe3a85a528
+   linux-accounts-password-3dcad436dce4

 *****************
 Access the System
--- a/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst
+++ b/doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst
@ -18,6 +18,26 @@ You can configure custom password rules for keystone security compliance.
        system service-parameter-add identity security_compliance unique_last_password_count
        system service-parameter-add identity security_compliance password_regex
        system service-parameter-add identity security_compliance password_regex_description
+        system service-parameter-add identity security_compliance password_expires_days
+
+    .. note::
+
+        ``password_expire_days`` must be a positive integer.
+
+        .. code-block:: none
+
+            [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90
+            +-------------+--------------------------------------+
+            | Property    | Value                                |
+            +-------------+--------------------------------------+
+            | uuid        | 27d24c80-e9de-37ce-9d26-f21236782be8 |
+            | service     | identity                             |
+            | section     | security_compliance                  |
+            | name        | password_expires_days                |
+            | value       | 90                                   |
+            | personality | None                                 |
+            | resource    | None                                 |
+            +-------------+--------------------------------------+

 #.  In order for the changes to take effect, apply the new configuration with
    the command:
--- a/doc/source/security/kubernetes/linux-accounts-password-3dcad436dce4.rst
+++ b/doc/source/security/kubernetes/linux-accounts-password-3dcad436dce4.rst
@ -0,0 +1,58 @@
+.. _linux-accounts-password-3dcad436dce4:
+
+=============================
+Linux Accounts Password Rules
+=============================
+
+.. rubric:: Check Current Password Expiry Settings
+
+Before making any changes, you may want to check the current password expiry
+settings for the user. You can do this by running the :command:`chage -l
+<username>` command, replacing ``<username>`` with the name of the user whose
+password expiry settings you want to view.
+
+.. code-block:: none
+
+    sudo chage -l <username>
+
+.. rubric:: Change Password Expiry Settings
+
+To change the password expiry period of Linux accounts, run the :command:`chage`
+command, as bellow:
+
+.. code-block:: none
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M <days_to_expiry> <username>
+
+For example, to set the maximum number of days before the password must be
+changed to 60 days for a user named ``sysadmin``, you can use the following
+command:
+
+.. code-block:: none
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M 60 sysadmin
+
+
+Verify Changes
+--------------
+
+After making the changes, verify that the new password expiry settings have
+been applied by running the :command:`chage -l <username>` command again.
+
+.. code-block:: none
+
+    chage -l <username>
+
+For the example above of user ``sysadmin`` and expiry period of 60 days, the
+output of ``chage -l <username>`` should be as follows:
+
+.. code-block:: none
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ chage -l sysadmin
+    Last password change                                : abr 30, 2024
+    Password expires                                    : jun 29, 2024
+    Password inactive                                   : never
+    Account expires                                     : never
+    Minimum number of days between password change      : 0
+    Maximum number of days between password change      : 60
+    Number of days of warning before password expires   : 7
--- a/doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst
+++ b/doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst
@ -14,9 +14,9 @@ other Linux Accounts, and Keystone accounts):

 .. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb:

-   The password must be at least seven characters long.
+-   The password must be at least 12 characters long.

-   You cannot reuse the last 2 passwords in history.
+-   You cannot reuse the last 5 passwords in history.

 -   The password must contain:

@ -59,3 +59,6 @@ LDAP, sysadmin, and other Linux accounts):
    .. note::

        This rule does not apply to the root user.
+
+For more details on Linux Accounts password rules see:
+:ref:`linux-accounts-password-3dcad436dce4`.
--- a/doc/source/security/openstack/security-system-account-password-rules.rst
+++ b/doc/source/security/openstack/security-system-account-password-rules.rst
@ -13,9 +13,9 @@ By default, the following rules apply:

 .. _security-system-account-password-rules-ul-jwb-g15-zw:

-   The password must be at least seven characters long.
+-   The password must be at least 12 characters long.

-   You cannot reuse the last 2 passwords in history.
+-   You cannot reuse the last 5 passwords in history.

 -   The password must contain: