Password rules enhancement

Story: 2011084
Task: 50154

Change-Id: I34a70e6f2a68cb6617a16931f04edc92ccff0a93
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>

doc/source/archive/configuration/k8s_auth_winactivedir.rst

@@ -115,7 +115,7 @@ are in ``/home/sysadmin/ssl/``.
             insecureNoSSL: false
             insecureSkipVerify: false
             bindDN: cn=Administrator,cn=Users,dc=cumulus,dc=wrs,dc=com
-            bindPW: Li69nux*
+            bindPW: St8rlingXCloud*
             usernamePrompt: Username
             userSearch:
               baseDN: ou=Users,ou=Titanium,dc=cumulus,dc=wrs,dc=com

doc/source/backup/kubernetes/node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d.rst

@@ -34,4 +34,4 @@ For example:
 
 .. code-block:: none
 
-    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingX*" -e "admin_password=St8rlingX*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"
+    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin" -e "ansible_become_pass=St8rlingXCloud*" -e "admin_password=St8rlingXCloud*" -e "backup_filename=localhost_platform_backup.tgz" -e "restore_mode=optimized" -e "restore_registry_filesystem=true" -e "replacement_mgmt_mac=a1:a2:a3:a4:a5:a6"

doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst

@@ -176,7 +176,7 @@ conditions are in place:
 
     .. code-block:: none
 
-        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingX*"
+        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_user_images.yml -e "initial_backup_dir=/home/sysadmin backup_filename=localhost_user_images_backup_2023_07_15_21_24_22.tgz ansible_become_pass=St8rlingXCloud*"
 
     .. note::
 

doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst

@@ -84,11 +84,11 @@ and target it at controller-0.
             yes/no: 'yes'
             sysadmin*: 'sysadmin'
             (current) UNIX password: 'sysadmin'
-            New password: 'St8rlingX*'
-            Retype new password: 'St8rlingX*'
-        admin_password: St8rlingX*
-        ansible_become_pass: St8rlingX*
-        ansible_ssh_pass: St8rlingX*
+            New password: 'St8rlingXCloud*'
+            Retype new password: 'St8rlingXCloud*'
+        admin_password: St8rlingXCloud*
+        ansible_become_pass: St8rlingXCloud*
+        ansible_ssh_pass: St8rlingXCloud*
 
     Save your changes and quit the editor. If you need to make additional
     changes, you can use the command :command:`ansible-vault edit

doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst

@@ -85,7 +85,7 @@ Below you can find other ``-e`` command line options:
 
     .. code-block:: none
 
-        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingX* admin_password=St8rlingX* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"
+        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=/home/sysadmin ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_platform_backup_2020_07_27_07_48_48.tgz wipe_ceph_osds=true"
 
     .. note::
 

doc/source/deploy_install_guides/release/bare_metal/ironic_install.rst

@@ -186,7 +186,7 @@ From a new shell as a root user, without sourcing ``/etc/platform/openrc``:
        endpoint_type: internalURL
        auth:
          username: 'admin'
-         password: 'Li69nux*'
+         password: 'St8rlingXCloud*'
          project_name: 'admin'
          project_domain_name: 'default'
          user_domain_name: 'default'

doc/source/deploy_install_guides/release/openstack/access.rst

@@ -269,7 +269,7 @@ The following command will request the Keystone token:
             "user": {
               "name": "admin",
               "domain": { "id": "default" },
-              "password": "St8rlingX*"
+              "password": "St8rlingXCloud*"
             }
           }
         },

doc/source/developer_resources/backup_restore.rst

@@ -127,7 +127,7 @@ Example:
 
 ::
 
-  ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* ansible_ssh_pass=Li69nux*"
+  ansible-playbook /localdisk/designer/repo/cgcs-root/stx/stx-ansible-playbooks/playbookconfig/src/playbooks/backup-restore/backup.yml --limit my_vbox -i $HOME/br_test/hosts -e "host_backup_dir=$HOME/br_test ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud*"
 
 #. If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable.
 
@@ -344,7 +344,7 @@ Steps:
 
             ::
 
-              ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=Li69nux* admin_password=Li69nux* ansible_ssh_pass=Li69nux* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"
+              ansible-playbook /localdisk/designer/jenkins/tis-stx-dev/cgcs-root/stx/ansible-playbooks/playbookconfig/src/playbooks/restore_platform.yml --limit my_vbox -i $HOME/br_test/hosts -e "ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* ansible_ssh_pass=St8rlingXCloud* initial_backup_dir=$HOME/br_test backup_filename=my_vbox_system_backup_2019_08_08_15_25_36.tgz ansible_remote_tmp=/home/sysadmin/ansible-restore"
 
     #.  If you deploy the system with rook instead of ceph backend, you must add the ``rook_enabled=true`` variable in above command.
 
@@ -470,7 +470,7 @@ Steps:
 
         ::
 
-          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'
+          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'initial_backup_dir=/opt/backups ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz'
 
         If you want to restore Glance images and Cinder volumes from external
         storage (the Optional step above was executed) or you want to reconcile
@@ -489,7 +489,7 @@ Steps:
 
           ::
 
-            ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
+            ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_cinder_glance_data=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
 
         * Restore Glance images and Cinder volumes using image-backup.sh and
           tidy_storage_post_restore helper scripts.
@@ -556,4 +556,4 @@ Steps:
 
         ::
 
-          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=Li69nux* admin_password=Li69nux* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'
+          ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_openstack.yml -e 'restore_openstack_continue=true ansible_become_pass=St8rlingXCloud* admin_password=St8rlingXCloud* backup_filename=localhost_openstack_backup_2019_12_13_12_43_17.tgz initial_backup_dir=/opt/backups'

doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst

@@ -93,7 +93,7 @@ using the ansible playbook.
     .. code-block:: none
 
          {
-          "ansible_ssh_pass": "St8rlingX*",
+          "ansible_ssh_pass": "St8rlingXCloud*",
           "external_oam_node_0_address": "10.10.10.13",
           "external_oam_node_1_address": "10.10.10.14",
           }

doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst

@@ -21,6 +21,7 @@ System Accounts
    remote-windows-active-directory-accounts
    starlingx-system-accounts-system-account-password-rules
    manage-local-ldap-39fe3a85a528
+   linux-accounts-password-3dcad436dce4
 
 *****************
 Access the System

doc/source/security/kubernetes/keystone-security-compliance-configuration-b149adca6a7f.rst

@@ -18,6 +18,26 @@ You can configure custom password rules for keystone security compliance.
         system service-parameter-add identity security_compliance unique_last_password_count
         system service-parameter-add identity security_compliance password_regex
         system service-parameter-add identity security_compliance password_regex_description
+        system service-parameter-add identity security_compliance password_expires_days
+
+    .. note::
+
+        ``password_expire_days`` must be a positive integer.
+
+        .. code-block:: none
+
+            [sysadmin@controller-0 ~(keystone_admin)]$ system service-parameter-add identity security_compliance password_expires_days=90
+            +-------------+--------------------------------------+
+            | Property    | Value                                |
+            +-------------+--------------------------------------+
+            | uuid        | 27d24c80-e9de-37ce-9d26-f21236782be8 |
+            | service     | identity                             |
+            | section     | security_compliance                  |
+            | name        | password_expires_days                |
+            | value       | 90                                   |
+            | personality | None                                 |
+            | resource    | None                                 |
+            +-------------+--------------------------------------+
 
 #.  In order for the changes to take effect, apply the new configuration with
     the command:

doc/source/security/kubernetes/linux-accounts-password-3dcad436dce4.rst

@@ -0,0 +1,58 @@
+.. _linux-accounts-password-3dcad436dce4:
+
+=============================
+Linux Accounts Password Rules
+=============================
+
+.. rubric:: Check Current Password Expiry Settings
+
+Before making any changes, you may want to check the current password expiry
+settings for the user. You can do this by running the :command:`chage -l
+<username>` command, replacing ``<username>`` with the name of the user whose
+password expiry settings you want to view.
+
+.. code-block:: none
+
+    sudo chage -l <username>
+
+.. rubric:: Change Password Expiry Settings
+
+To change the password expiry period of Linux accounts, run the :command:`chage`
+command, as bellow:
+
+.. code-block:: none
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M <days_to_expiry> <username>
+
+For example, to set the maximum number of days before the password must be
+changed to 60 days for a user named ``sysadmin``, you can use the following
+command:
+
+.. code-block:: none
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ sudo chage -M 60 sysadmin
+
+
+Verify Changes
+--------------
+
+After making the changes, verify that the new password expiry settings have
+been applied by running the :command:`chage -l <username>` command again.
+
+.. code-block:: none
+
+    chage -l <username>
+
+For the example above of user ``sysadmin`` and expiry period of 60 days, the
+output of ``chage -l <username>`` should be as follows:
+
+.. code-block:: none
+
+    [sysadmin@controller-0 ~(keystone_admin)]$ chage -l sysadmin
+    Last password change                                : abr 30, 2024
+    Password expires                                    : jun 29, 2024
+    Password inactive                                   : never
+    Account expires                                     : never
+    Minimum number of days between password change      : 0
+    Maximum number of days between password change      : 60
+    Number of days of warning before password expires   : 7

doc/source/security/kubernetes/starlingx-system-accounts-system-account-password-rules.rst

@@ -14,9 +14,9 @@ other Linux Accounts, and Keystone accounts):
 
 .. _starlingx-system-accounts-system-account-password-rules-ul-evs-dsn-ynb:
 
--   The password must be at least seven characters long.
+-   The password must be at least 12 characters long.
 
--   You cannot reuse the last 2 passwords in history.
+-   You cannot reuse the last 5 passwords in history.
 
 -   The password must contain:
 
@@ -59,3 +59,6 @@ LDAP, sysadmin, and other Linux accounts):
     .. note::
 
         This rule does not apply to the root user.
+
+For more details on Linux Accounts password rules see:
+:ref:`linux-accounts-password-3dcad436dce4`.

doc/source/security/openstack/security-system-account-password-rules.rst

@@ -13,9 +13,9 @@ By default, the following rules apply:
 
 .. _security-system-account-password-rules-ul-jwb-g15-zw:
 
--   The password must be at least seven characters long.
+-   The password must be at least 12 characters long.
 
--   You cannot reuse the last 2 passwords in history.
+-   You cannot reuse the last 5 passwords in history.
 
 -   The password must contain: