From 06090a2bdad09c5feb75ba97da0c5bbb5bb0ab9f Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 17 Nov 2016 13:33:53 -0600
Subject: [PATCH] Ensure libuser crypt_style is SHA512 [+Docs]

This patch applies fixes for RHEL-07-010190 and also includes documentation.

Implements: blueprint security-rhel7-stig
Change-Id: Ic77b55bd392b03bbfec923e4e6dbd361d050470e
---
 defaults/main.yml                     |  2 ++
 doc/metadata/rhel7/RHEL-07-010190.rst | 14 ++++++++++++--
 tasks/rhel7stig/auth.yml              | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 44a6a9ad..d523b0e7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -464,6 +464,8 @@ security_pwquality_limit_repeated_characters: yes # RHEL-07-010150
 security_pwquality_limit_repeated_character_classes: yes # RHEL-07-010160
 # Ensure passwords are stored using SHA512.
 security_require_sha512_password_storage: yes # RHEL-07-010180
+# Ensure user/group admin utilities only store encrypted passwords.
+security_libuser_crypt_style_sha512: yes # RHEL-07-010190
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
diff --git a/doc/metadata/rhel7/RHEL-07-010190.rst b/doc/metadata/rhel7/RHEL-07-010190.rst
index d069e1c2..665d98ed 100644
--- a/doc/metadata/rhel7/RHEL-07-010190.rst
+++ b/doc/metadata/rhel7/RHEL-07-010190.rst
@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-010190
-status: not implemented
+status: implemented - red hat only
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The role ensures that ``crypt_style`` is set to ``sha512`` in
+``/etc/libuser.conf``, which is the default for CentOS 7 and Red Hat Enterprise
+Linux 7.
+
+Ubuntu does not use ``libuser``, so this change is not applicable.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_libuser_crypt_style_sha512: no
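Review bot: The comment added above `security_libuser_crypt_style_sha512` in defaults/main.yml says the admin utilities "only store encrypted passwords", but what the variable actually controls is the hash algorithm libuser uses (`crypt_style = sha512` in `/etc/libuser.conf`), and the comment for RHEL-07-010180 two lines above already uses the "stored using SHA512" wording, so the two variables read as near-duplicates. Suggest `# Ensure libuser (user/group admin utilities) hashes passwords with SHA512.` so a deployer can tell at a glance which variable covers which file. Keeping `yes` for the default matches the rest of this file, so no change there.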
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 3b0a331e..198de476 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -56,6 +56,21 @@
     - medium
     - RHEL-07-010180
 
+- name: RHEL-07-010190 - User and group account administration utilities must be configured to store only encrypted representations of passwords.
+  ini_file:
+    dest: /etc/libuser.conf
+    section: defaults
+    option: crypt_style
+    value: sha512
+    backup: yes
+  when:
+    - security_libuser_crypt_style_sha512 | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010190
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
   lineinfile:
     dest: "{{ pam_auth_file }}"
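Review bot: The new RHEL-07-010190 task writes `/etc/libuser.conf` on every Red Hat family host, and `ini_file` creates the file when it is absent, so a host without libuser installed would end up with an orphan config file holding only a `[defaults]` section and `crypt_style`, and the role would report a change there on each run. Consider gating the task on the file actually existing (a preceding `stat` of `/etc/libuser.conf`, registered and checked via its `.stat.exists` result as a third `when` entry) or on the package being present, so the task only touches hosts where libuser is in use. The rest of the task (`backup: yes`, the `| bool` guard, the `redhat` family check) matches the style of the surrounding tasks; the task list continues outside the hunk on both sides.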