policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory

CHANGELOG.md

@@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * userlogrotate: rotate also php.log.
 * nagios-nrpe: add a NRPE check-local command with completion.
+* policy_pam: New role allowing to manage password policy with pam_pwquality & pam_pwhistory
 
 ### Changed
 

policy_pam/defaults/main.yml

@@ -0,0 +1,32 @@
+---
+
+# PAM -- pam_pwquality
+# Ensure password meet a given quality/complexity requirement
+policy_pam_pwquality: true
+
+# Configuration settings for pam_pwquality
+# For more in depth info, see man pam_pwquality(8)
+
+# Minimum password lengh/credit
+policy_pam_pwquality_minlen: 4
+
+# Credits values for char types
+# Value : Interger N with :
+#         N >= 0 - Maximum credit given for each char type in the password
+#         N <  0 - Minimum number of chars of given type in the password
+# digit chars
+policy_pam_pwquality_dcredit: 0
+# uppercase chars
+policy_pam_pwquality_ucredit: 0
+# lowercase chars
+policy_pam_pwquality_lcredit: 0
+# other chars
+policy_pam_pwquality_ocredit: 0
+
+
+# PAM -- pam_pwhistory
+# Prevent old password re-use
+policy_pam_pwhistory: true
+
+# How many old passwords to retain
+policy_pam_pwhistory_length: 5

policy_pam/meta/main.yml

@@ -0,0 +1,25 @@
+---
+galaxy_info:
+  author: Evolix
+  company: Evolix
+  description: Add repositories to APT sources list.
+
+  issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: "2.10"
+
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye
+
+  galaxy_tags: []
+    # Be sure to remove the '[]' above if you add dependencies
+    # to this list.
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.

policy_pam/tasks/main.yml

@@ -0,0 +1,88 @@
+---
+#
+# -password       [success=1 default=ignore]      pam_unix.so obscure yescrypt
+# +password       requisite                       pam_pwquality.so retry=3
+# +password       [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
+
+
+
+# PAM -- pam_pwquality
+
+- name: libpam-pwquality is installed
+  apt:
+    state: present
+    name:
+      - libpam-pwquality
+      - cracklib-runtime
+  when: policy_pam_pwquality
+
+- name: Enable pam_pwquality
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+requisite\s+pam_pwquality.so'
+    line: "password       requisite                       pam_pwquality.so retry=3"
+    insertafter: '(the "Primary" block)'
+  when: policy_pam_pwquality
+
+- name: Disable pam_pwquality
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+requisite\s+pam_pwquality.so'
+    state: absent
+  when: policy_pam_pwquality is false
+
+- name: Configure pam_pwquality
+  replace:
+    dest: /etc/security/pwquality.conf
+    regexp: "^#? ?{{ item.name }} = .*"
+    replace: "{{ item.name }} = {{ item.value }}"
+  with_items:
+    - { name: minlen, value: "{{ policy_pam_pwquality_minlen }}" }
+    - { name: dcredit, value: "{{ policy_pam_pwquality_dcredit }}" }
+    - { name: ucredit, value: "{{ policy_pam_pwquality_ucredit }}" }
+    - { name: lcredit, value: "{{ policy_pam_pwquality_lcredit }}" }
+    - { name: ocredit, value: "{{ policy_pam_pwquality_ocredit }}" }
+  when: policy_pam_pwquality
+
+
+
+# PAM -- pam_pwhistory
+
+- name: Enable pam_pwhistory
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+required\s+pam_pwhistory.so'
+    line: "password       required           pam_pwhistory.so  remember={{ policy_pam_pwhistory_length }} {{ 'use_authtok' if policy_pam_pwquality}}"
+    insertbefore: 'pam_unix.so'
+  when: policy_pam_pwhistory
+
+# LATER : Enforce a password min age 
+# - name: Change PASS_MIN_DAYS
+#   replace:
+#     dest: /etc/login.defs
+#     replace: "PASS_MIN_DAYS  7"
+#     regexp: '^PASS_MIN_DAYS.*'
+
+- name: Disable pam_pwhistory
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+required\s+pam_pwhistory.so'
+    state: absent
+  when: policy_pam_pwhistory is false
+
+
+
+# PAM -- pam_unix
+- name: Update pam_unix if previous modules were enabled
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: 'pam_unix.so obscure'
+    line: "password       [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt"
+  when: policy_pam_pwhistory or policy_pam_pwquality
+
+- name: Update pam_unix if previous modules are all disabled
+  ansible.builtin.lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: 'pam_unix.so obscure'
+    line: "password       [success=1 default=ignore]      pam_unix.so obscure yescrypt"
+  when: policy_pam_pwhistory is false and policy_pam_pwquality is false