From 1cacbf42561bd012e18b93f6467d2dfb5b2aeb2f Mon Sep 17 00:00:00 2001
From: Tristan Keen
Date: Wed, 18 Jan 2017 11:10:44 +0000
Subject: [PATCH] Support RHEL7 password quality and HTTP(S) proxies
Oracle Linux -> OracleLinux in both ansible_os_family and ansible_distribution: https://github.com/ansible/ansible/pull/10789 (Note - older versions before latest 1.9 had the name including a space - but I can see PR to drop 1.9 support is in progress)
pam_pwfamily (the supposed package to install to get password complexity checking in RHEL7) doesn't seem to exist. There is a libpwquality package that provides /usr/lib64/security/pam_pwquality.so, but that is installed by default according to a RHEL support case answer.
---
 .kitchen.vagrant.yml | 16 ++++++++++++++++
 .kitchen.yml | 14 ++++++++++++++
 default.yml | 3 +--
 kitchen_vagrant_block.rb | 15 +++++++++++++++
 tasks/main.yml | 3 +--
 tasks/pam.yml | 12 ++++--------
 templates/rhel_system_auth.j2 | 7 ++++---
 vars/RedHat.yml | 1 -
 8 files changed, 55 insertions(+), 16 deletions(-)
 create mode 100644 kitchen_vagrant_block.rb
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
index cb414963a..e89de6af1 100644
--- a/.kitchen.vagrant.yml
+++ b/.kitchen.vagrant.yml
@@ -1,6 +1,11 @@
 ---
 driver:
 name: vagrant
+ driver_config:
+ http_proxy: <%= ENV['http_proxy'] || nil %>
+ https_proxy: <%= ENV['https_proxy'] || nil %>
+ vagrantfiles:
+ - kitchen_vagrant_block.rb
 provisioner:
 name: ansible_playbook
@@ -13,6 +18,8 @@ provisioner:
 ansible_verbose: true
 roles_path: ../ansible-os-hardening/
 playbook: default.yml
+ http_proxy: <%= ENV['http_proxy'] || nil %>
+ https_proxy: <%= ENV['https_proxy'] || nil %>
 platforms:
 - name: ubuntu-12.04
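Review bot: The `|| nil` in the new `http_proxy: <%= ENV['http_proxy'] || nil %>` and `https_proxy:` lines under `driver_config` is redundant, because `ENV[]` already returns nil for an unset variable, so `<%= ENV['http_proxy'] %>` says the same thing with less to read. The operational caveat worth recording next to these lines is that a proxy URL of the form `http://user:pass@host:port` is, via the vagrant-proxyconf plugin that the added `vagrantfiles:` entry wires in, presumably propagated into the guest's environment and package-manager configuration, so any credentials embedded in the variable end up on the test VM. I would add a comment such as `# NOTE: http_proxy/https_proxy (including any credentials in the URL) are copied into the guest by vagrant-proxyconf`.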
@@ -31,6 +38,12 @@ platforms:
 driver_config:
 box: opscode-centos-6.5
 box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
+- name: centos-6.8
+ driver_config:
+ box: bento/centos-6.8
+- name: centos-7
+ driver_config:
+ box: bento/centos-7.2
 - name: oracle-6.4
 driver_config:
 box: oracle-6.4
@@ -39,6 +52,9 @@ platforms:
 driver_config:
 box: oracle-6.5
 box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
+- name: oracle-7
+ driver_config:
+ box: boxcutter/ol72
 - name: debian-7
 driver_config:
 box: debian-7
diff --git a/.kitchen.yml b/.kitchen.yml
index a015eeae3..084056f29 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -3,6 +5,8 @@ driver:
 name: docker
 use_sudo: false
 privileged: true
+ http_proxy: <%= ENV['http_proxy'] || nil %>
+ https_proxy: <%= ENV['https_proxy'] || nil %>
 transport:
 max_ssh_sessions: 5
@@ -18,6 +20,8 @@ provisioner:
 ansible_diff: true
 hosts: all
 roles_path: ../ansible-os-hardening/
+ http_proxy: <%= ENV['http_proxy'] || nil %>
+ https_proxy: <%= ENV['https_proxy'] || nil %>
 playbook: default.yml
 ansible_extra_flags:
 - "--skip-tags=sysctl"
@@ -45,6 +49,16 @@ platforms:
 image: centos:7
 privileged: true
 run_command: /usr/sbin/init
+- name: oracle-6
+ driver:
+ image: oraclelinux:6
+ platform: rhel
+- name: oracle-7
+ driver:
+ image: oraclelinux:7
+ platform: rhel
+ privileged: true
+ run_command: /usr/sbin/init
 - name: debian-7
 driver:
 image: debian:7
diff --git a/default.yml b/default.yml
index cbdbb1848..379e5bc70 100644
--- a/default.yml
+++ b/default.yml
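Review bot: The new `box: bento/centos-6.8` and `box: bento/centos-7.2` entries (and `boxcutter/ol72` in the next hunk) fetch boxes from Vagrant Cloud by name only, whereas the existing entries in this hunk pin an explicit `box_url`, so the image a test run lands on is whatever version is current at `vagrant box add` time. For the fixtures of a hardening role I would pin each one with a `box_version:` line under `driver_config` alongside `box:`, which also lets Vagrant check the box against the checksum published in the versioned box metadata, as far as I recall. A short comment such as `# pinned so test results are reproducible; bump deliberately` next to the pins makes the intent clear to whoever next updates them.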
@@ -5,13 +5,12 @@
 - ansible-os-hardening
 vars:
 os_security_users_allow: change_user
- os_security_kernel_enable_core_dump: true
+ os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_remove_from_unknown: true
 os_auth_pam_passwdqc_enable: false
 os_desktop_enable: true
 os_env_extra_user_paths: ['/home']
 os_auth_allow_homeless: true
- os_security_kernel_enable_core_dump: true
 os_security_suid_sgid_blacklist: ['/bin/umount']
 os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
diff --git a/kitchen_vagrant_block.rb b/kitchen_vagrant_block.rb
new file mode 100644
index 000000000..41930a7d3
--- /dev/null
+++ b/kitchen_vagrant_block.rb
@@ -0,0 +1,15 @@
+# This is a Vagrant block to allow proxy settings to be carried into Kitchen
+# You need this for all of yum/apt etc. to work!
+unless ENV['http_proxy'].empty? || Vagrant.has_plugin?("vagrant-proxyconf")
+ raise "Missing required plugin 'vagrant-proxyconf' to support HTTP(S) proxies, run `vagrant plugin install vagrant-proxyconf`"
+end
+Vagrant.configure(2) do |config|
+ config.proxy.http = "#{ENV['http_proxy']}"
+ config.proxy.https = "#{ENV['https_proxy']}"
+ config.proxy.no_proxy = "localhost,127.0.0.1"
+ # You may have vagrant-vbguest plugin installed to keep your images up to date
+ # - but will probably have VBoxAddition build issues with the foreign boxes listed in .kitchen.vagrant.yml
+ config.vbguest.auto_update = false
+end
diff --git a/tasks/main.yml b/tasks/main.yml
index fca263526..e65a1797c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -35,10 +35,9 @@
 tags: rhosts
 - include: yum.yml
- when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+ when: ansible_os_family == 'RedHat'
 tags: yum
 - include: apt.yml
 when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 tags: apt
-
diff --git a/tasks/pam.yml b/tasks/pam.yml
index b2774456b..e06d9e560 100644
--- a/tasks/pam.yml
+++ b/tasks/pam.yml
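Review bot: `ENV['http_proxy'].empty?` on the `unless` line raises NoMethodError whenever `http_proxy` is not set at all, because `ENV[]` returns nil for an absent variable, and since this file is loaded through the `vagrantfiles:` entry on every run, the no-proxy case the comments treat as optional breaks before Vagrant even starts; `unless ENV['http_proxy'].to_s.empty? || Vagrant.has_plugin?("vagrant-proxyconf")` fixes it. The `"#{ENV['http_proxy']}"` interpolations are just `ENV['http_proxy'].to_s` and read more clearly written that way. `no_proxy` is hard-coded to `localhost,127.0.0.1` while the proxy itself comes from the environment, so internal mirrors or repositories that the caller has already excluded via `no_proxy` would be sent through the proxy; `config.proxy.no_proxy = ENV.fetch('no_proxy', 'localhost,127.0.0.1')` keeps the caller's exclusions. A one-line comment on the `raise` explaining that the plugin is only required when a proxy is configured would also help, since the condition reads backwards at first glance.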
@@ -12,7 +12,7 @@
 - name: remove pam ccreds on Redhat systems
 yum: name='{{os_packages_pam_ccreds}}' state=absent
- when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+ when: ansible_os_family == 'RedHat'
 - name: remove pam_cracklib, because it does not play nice with passwdqc
 apt: name='{{os_packages_pam_cracklib}}' state=absent
@@ -44,19 +44,15 @@
 - name: remove pam_cracklib, because it does not play nice with passwdqc
 yum: name='{{os_packages_pam_cracklib}}' state='absent'
- when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version <= '7')) and os_auth_pam_passwdqc_enable
+ when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable
 - name: install the package for strong password checking
 yum: name='{{os_packages_pam_passwdqc}}' state='installed'
- when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version <= '7')) and os_auth_pam_passwdqc_enable
-
-- name: install pam_pwquality on rhel7, replacement for pam_passwdqc and pam_cracklib
- yum: name='{{os_packages_pam_pwquality}}' state='installed'
- when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version >= '7')) and os_auth_pam_passwdqc_enable
+ when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable
 - name: remove passwdqc
 yum: name='{{os_packages_pam_passwdqc}}' state='absent'
- when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and not os_auth_pam_passwdqc_enable
+ when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
 - name: configure passwdqc and tally via central system-auth confic
 template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root
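Review bot: The two new `when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable` lines compare the version as a string, which is lexicographic: a release whose version begins with "1" (a future `10.0`) sorts below `'7'` and would take the EL6 passwdqc path, removing cracklib and installing pam_passwdqc on a host that should get pwquality. Comparing the integer major avoids this, `when: (ansible_os_family == 'RedHat' and ansible_distribution_major_version|int < 7) and os_auth_pam_passwdqc_enable`, assuming `ansible_distribution_major_version` is available on the Ansible versions this role still supports (a `version_compare` filter is the alternative). With the pwquality install task deleted rather than repointed, nothing in this file now ensures `pam_pwquality.so` exists on EL7 before the template below references it as `required`; PAM fails closed on a module it cannot load, so the symptom on a minimal image would be password changes failing rather than a bypass, but keeping the task with `libpwquality` (the package the commit message itself names) is cheap insurance.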
diff --git a/templates/rhel_system_auth.j2 b/templates/rhel_system_auth.j2
index 7210deff8..70749fbf0 100644
--- a/templates/rhel_system_auth.j2
+++ b/templates/rhel_system_auth.j2
@@ -19,15 +19,16 @@ account sufficient pam_succeed_if.so uid < 500 quiet
 account required pam_permit.so
 {% if os_auth_pam_passwdqc_enable %}
- {% if ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version >= '7' %}
+ {%- if ansible_os_family == 'RedHat' and ansible_distribution_version >= '7' %}
 password required pam_pwquality.so {{os_auth_pam_pwquality_options}}
- {% else %}
+ {%- else %}
 password requisite pam_passwdqc.so {{os_auth_pam_passwdqc_options}}
- {% endif %}
+ {%- endif %}
 {% else %}
 password requisite pam_cracklib.so try_first_pass retry=3 type=
 {% endif %}
+
 # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
 # NSA 2.3.3.6 Limit Password Reuse
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 540306d6e..004fdb4ad 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,5 +1,4 @@
 os_packages_pam_ccreds: 'pam_ccreds'
 os_packages_pam_passwdqc: 'pam_passwdqc'
 os_packages_pam_cracklib: 'pam_cracklib'
-os_packages_pam_pwquality: 'pam_pwfamily'
 os_nologin_shell_path: '/sbin/nologin'
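Review bot: `ansible_distribution_version >= '7'` in the new `{%- if ansible_os_family == 'RedHat' and ansible_distribution_version >= '7' %}` is a string comparison, so a two-digit major (`'10.0' >= '7'` is false) would fall through to `pam_passwdqc.so` on a host that has only pwquality; `{%- if ansible_os_family == 'RedHat' and ansible_distribution_major_version|int >= 7 %}` expresses the intent and keeps the template in step with the task gates in tasks/pam.yml, which must select the same branch or the referenced module will not be installed. The blank line added before the NSA comments is harmless to PAM but the three `{%-` tags strip only the whitespace before them, so whether the rendered file keeps the indentation of the `password` lines depends on the template module's trim settings — worth a quick look at the rendered `system-auth-ac` on one EL6 and one EL7 box. Pre-existing but visible in the hunk: the `pam_unix.so sha512 shadow nullok …` line still carries `nullok`, which as far as I can tell keeps empty-password accounts usable no matter how strict pwquality is configured; if that is deliberate, a comment such as `# nullok intentionally kept for <reason>` above it would stop the next reviewer raising it again.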
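Review bot: Deleting `os_packages_pam_pwquality: 'pam_pwfamily'` fixes the wrong package name by removing the variable altogether, which leaves the role with no way to install or verify the `pam_pwquality.so` module that templates/rhel_system_auth.j2 marks `required` on EL7; the commit message already identifies the right package, so I would expect `os_packages_pam_pwquality: 'libpwquality'` here with the EL7 install task kept. If the module is genuinely always present on the EL7 images this role supports, that assumption belongs in a comment on this line (`# pam_pwquality.so ships in libpwquality, present by default on EL7 per vendor support`) rather than only in the commit message, because vars files are what the next maintainer reads.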