Support RHEL7 password quality and HTTP(S) proxies

Oracle Linux -> OracleLinux in both ansible_os_family and ansible_distribution: https://github.com/ansible/ansible/pull/10789
(Note - older versions before latest 1.9 had the name including a space - but I can see PR to drop 1.9 support is in progress)

pam_pwfamily (the supposed package to install to get password complexity checking in RHEL7) doesn't seem to exist.
There is a libpwquality package that provides /usr/lib64/security/pam_pwquality.so, but that is installed by default according to a RHEL support case answer.

.kitchen.vagrant.yml

@@ -1,6 +1,11 @@
 ---
 driver:
   name: vagrant
+  driver_config:
+    http_proxy: <%= ENV['http_proxy'] || nil %>
+    https_proxy: <%= ENV['https_proxy'] || nil %>
+  vagrantfiles:
+    - kitchen_vagrant_block.rb
 
 provisioner:
   name: ansible_playbook
@@ -13,6 +18,8 @@ provisioner:
   ansible_verbose: true
   roles_path: ../ansible-os-hardening/
   playbook: default.yml
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
 
 platforms:
 - name: ubuntu-12.04
@@ -31,6 +38,12 @@ platforms:
   driver_config:
     box: opscode-centos-6.5
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
+- name: centos-6.8
+  driver_config:
+    box: bento/centos-6.8
+- name: centos-7
+  driver_config:
+    box: bento/centos-7.2
 - name: oracle-6.4
   driver_config:
     box: oracle-6.4
@@ -39,6 +52,9 @@ platforms:
   driver_config:
     box: oracle-6.5
     box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
+- name: oracle-7
+  driver_config:
+    box: boxcutter/ol72
 - name: debian-7
   driver_config:
     box: debian-7

.kitchen.yml

@@ -3,6 +3,8 @@ driver:
   name: docker
   use_sudo: false
   privileged: true
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
 
 transport:
   max_ssh_sessions: 5
@@ -18,6 +20,8 @@ provisioner:
   ansible_diff: true
   hosts: all
   roles_path: ../ansible-os-hardening/
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
   ansible_extra_flags:
     - "--skip-tags=sysctl"
@@ -45,6 +49,16 @@ platforms:
     image: centos:7
     privileged: true
     run_command: /usr/sbin/init
+- name: oracle-6
+  driver:
+    image: oraclelinux:6
+    platform: rhel
+- name: oracle-7
+  driver:
+    image: oraclelinux:7
+    platform: rhel
+    privileged: true
+    run_command: /usr/sbin/init
 - name: debian-7
   driver:
     image: debian:7

default.yml

@@ -5,13 +5,12 @@
     - ansible-os-hardening
   vars:
     os_security_users_allow: change_user
-    os_security_kernel_enable_core_dump: true
+    os_security_kernel_enable_core_dump: false
     os_security_suid_sgid_remove_from_unknown: true
     os_auth_pam_passwdqc_enable: false
     os_desktop_enable: true
     os_env_extra_user_paths: ['/home']
     os_auth_allow_homeless: true
-    os_security_kernel_enable_core_dump: true
     os_security_suid_sgid_blacklist: ['/bin/umount']
     os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
 

kitchen_vagrant_block.rb

@@ -0,0 +1,15 @@
+# This is a Vagrant block to allow proxy settings to be carried into Kitchen
+# You need this for all of yum/apt etc. to work!
+unless ENV['http_proxy'].empty? || Vagrant.has_plugin?("vagrant-proxyconf")
+  raise "Missing required plugin 'vagrant-proxyconf' to support HTTP(S) proxies, run `vagrant plugin install vagrant-proxyconf`"
+end
+
+Vagrant.configure(2) do |config|
+  config.proxy.http     = "#{ENV['http_proxy']}"
+  config.proxy.https    = "#{ENV['https_proxy']}"
+  config.proxy.no_proxy = "localhost,127.0.0.1"
+
+  # You may have vagrant-vbguest plugin installed to keep your images up to date
+  # - but will probably have VBoxAddition build issues with the foreign boxes listed in .kitchen.vagrant.yml
+  config.vbguest.auto_update = false
+end

tasks/main.yml

@@ -35,10 +35,9 @@
   tags: rhosts
 
 - include: yum.yml
-  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+  when: ansible_os_family == 'RedHat'
   tags: yum
 
 - include: apt.yml
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
   tags: apt
-

tasks/pam.yml

@@ -12,7 +12,7 @@
 
 - name: remove pam ccreds on Redhat systems
   yum: name='{{os_packages_pam_ccreds}}' state=absent
-  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+  when: ansible_os_family == 'RedHat'
 
 - name: remove pam_cracklib, because it does not play nice with passwdqc
   apt: name='{{os_packages_pam_cracklib}}' state=absent
@@ -44,19 +44,15 @@
 
 - name: remove pam_cracklib, because it does not play nice with passwdqc
   yum: name='{{os_packages_pam_cracklib}}' state='absent'
-  when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version <= '7')) and os_auth_pam_passwdqc_enable
+  when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable
 
 - name: install the package for strong password checking
   yum: name='{{os_packages_pam_passwdqc}}' state='installed'
-  when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version <= '7')) and os_auth_pam_passwdqc_enable
-
-- name: install pam_pwquality on rhel7, replacement for pam_passwdqc and pam_cracklib
-  yum: name='{{os_packages_pam_pwquality}}' state='installed'
-  when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version >= '7')) and os_auth_pam_passwdqc_enable
+  when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7') and os_auth_pam_passwdqc_enable
 
 - name: remove passwdqc
   yum: name='{{os_packages_pam_passwdqc}}' state='absent'
-  when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and not os_auth_pam_passwdqc_enable
+  when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
 
 - name: configure passwdqc and tally via central system-auth confic
   template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root

templates/rhel_system_auth.j2

@@ -19,15 +19,16 @@ account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 
 {% if os_auth_pam_passwdqc_enable %}
-  {% if ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' and ansible_distribution_version >= '7' %}
+  {%- if ansible_os_family == 'RedHat' and ansible_distribution_version >= '7' %}
 password    required      pam_pwquality.so {{os_auth_pam_pwquality_options}}
-  {% else %}
+  {%- else %}
 password    requisite     pam_passwdqc.so {{os_auth_pam_passwdqc_options}}
-  {% endif %}
+  {%- endif %}
 {% else %}
 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 {% endif %}
 
+
 # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
 # NSA 2.3.3.6 Limit Password Reuse
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

vars/RedHat.yml

@@ -1,5 +1,4 @@
 os_packages_pam_ccreds: 'pam_ccreds'
 os_packages_pam_passwdqc: 'pam_passwdqc'
 os_packages_pam_cracklib: 'pam_cracklib'
-os_packages_pam_pwquality: 'pam_pwfamily'
 os_nologin_shell_path: '/sbin/nologin'