Merge "Ensure libuser crypt_style is SHA512 [+Docs]"

defaults/main.yml

@@ -464,6 +464,8 @@ security_pwquality_limit_repeated_characters: yes            # RHEL-07-010150
 security_pwquality_limit_repeated_character_classes: yes     # RHEL-07-010160
 # Ensure passwords are stored using SHA512.
 security_require_sha512_password_storage: yes                # RHEL-07-010180
+# Ensure user/group admin utilities only store encrypted passwords.
+security_libuser_crypt_style_sha512: yes                     # RHEL-07-010190
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.

doc/metadata/rhel7/RHEL-07-010190.rst

@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-010190
-status: not implemented
+status: implemented - red hat only
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The role ensures that ``crypt_style`` is set to ``sha512`` in
+``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise
+Linux 7.
+
+Ubuntu does not use ``libuser``, so this change is not applicable.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_libuser_crypt_style_sha512: no

tasks/rhel7stig/auth.yml

@@ -56,6 +56,21 @@
     - medium
     - RHEL-07-010180
 
+- name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
+  ini_file:
+    dest: /etc/libuser.conf
+    section: defaults
+    option: crypt_style
+    value: sha512
+    backup: yes
+  when:
+    - security_libuser_crypt_style_sha512 | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010190
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
   lineinfile:
     dest: "{{ pam_auth_file }}"