Prevent password re-use [+Docs]

This patch adds a restriction for password re-use. Deployers must opt in for the change. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I5795bc28bd9270623d0d320b0e38746cc1700663
2016-12-01 09:36:47 -06:00 · 2016-12-01 09:36:47 -06:00 · 708cb62161
commit 708cb62161
parent 0eef112699
4 changed files with 30 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -481,6 +481,8 @@ security_shadow_utils_fail_delay: 4                          # RHEL-07-010420
 security_shadow_utils_umask: 077                             # RHEL-07-020230
 # Create home directories for new users by default.
 security_shadow_utils_create_home: yes                       # RHEL-07-020630
+# How many old user password to remember to prevent password re-use.
+#security_password_remember_password: 5                       # RHEL-07-010240

 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
--- a/doc/metadata/rhel7/RHEL-07-010240.rst
+++ b/doc/metadata/rhel7/RHEL-07-010240.rst
@ -1,7 +1,17 @@
 ---
 id: RHEL-07-010240
-status: not implemented
-tag: misc
+status: opt-in
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+Although the STIG requires that five passwords are remembered to prevent re-
+use, this can cause issues in production environment if the change is not
+communicated well to users. Therefore, the tasks in the security role do not
+apply this change by default.
+
+Deployers can opt in for the change and specify a number of passwords to
+remember by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_password_remember_password: 5
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -128,6 +128,20 @@
    - medium
    - RHEL-07-010210

+- name: RHEL-07-010240 - Passwords must be prohibited from reuse for a minimum of five generations.
+  lineinfile:
+    dest: "{{ pam_password_file }}"
+    regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
+    line: '\1 remember={{ security_password_remember_password }}'
+    backrefs: yes
+    state: present
+  when:
+    - security_password_remember_password is defined
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010240
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
  lineinfile:
    dest: "{{ pam_auth_file }}"
--- a/tests/test.yml
+++ b/tests/test.yml
@ -84,3 +84,4 @@
    security_search_for_invalid_owner: yes
    security_search_for_invalid_group_owner: yes
    security_enable_firewalld: yes
+    security_password_remember_password: 5