Merge "Ensure passwords hashed with SHA512 [+Docs]"

defaults/main.yml

@@ -462,6 +462,8 @@ security_pwquality_require_characters_changed: yes           # RHEL-07-010130
 security_pwquality_require_character_classes_changed: yes    # RHEL-07-010140
 security_pwquality_limit_repeated_characters: yes            # RHEL-07-010150
 security_pwquality_limit_repeated_character_classes: yes     # RHEL-07-010160
+# Ensure passwords are stored using SHA512.
+security_require_sha512_password_storage: yes                # RHEL-07-010180
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.

doc/metadata/rhel7/RHEL-07-010180.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010180
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The default password storage mechanism for Ubuntu 16.04, CentOS 7, and Red Hat
+Enterprise Linux 7 is ``SHA512`` and the tasks in the security role ensure that
+the default is maintained.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_require_sha512_password_storage: no

tasks/rhel7stig/auth.yml

@@ -43,6 +43,19 @@
     - RHEL-07-010150
     - RHEL-07-010160
 
+- name: RHEL-07-010180 - The shadow file must be configured to store only encrypted representations of passwords.
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^ENCRYPT_METHOD"
+    line: "ENCRYPT_METHOD SHA512"
+    state: present
+  when:
+    - security_require_sha512_password_storage | bool
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010180
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
   lineinfile:
     dest: "{{ pam_auth_file }}"