Addressed issue #190

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
ansible-lockdown · Apr 9, 2024 · 44911b8 · 44911b8
1 parent 7c53c0d
commit 44911b8
Showing 1 changed file with 64 additions and 12 deletions.
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
@@ -1,10 +1,28 @@
 ---
 
 - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_MAX_DAYS'
-      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+  block:
+      - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
+        ansible.builtin.lineinfile:
+            path: /etc/login.defs
+            regexp: '^PASS_MAX_DAYS'
+            line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+
+      - name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
+        ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
+        changed_when: false
+        failed_when: false
+        register: discovered_max_days
+
+      - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
+        ansible.builtin.user:
+            name: "{{ item }}"
+            password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
+        loop: "{{ discovered_max_days.stdout_lines }}"
+        when:
+            - discovered_max_days.stdout_lines | length > 0
+            - item in discovered_interactive_usernames.stdout
+            - rhel9cis_force_user_maxdays
   when:
       - rhel9cis_rule_5_6_1_1
   tags:
@@ -15,10 +33,28 @@
       - rule_5.6.1.1
 
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_MIN_DAYS'
-      line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+  block:
+      - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | set login.defs"
+        ansible.builtin.lineinfile:
+            path: /etc/login.defs
+            regexp: '^PASS_MIN_DAYS'
+            line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+
+      - name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
+        ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
+        changed_when: false
+        failed_when: false
+        register: discovered_min_days
+
+      - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
+        ansible.builtin.user:
+            name: "{{ item }}"
+            password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
+        loop: "{{ discovered_min_days.stdout_lines }}"
+        when:
+            - discovered_min_days.stdout_lines | length > 0
+            - item in discovered_interactive_usernames.stdout
+            - rhel9cis_force_user_mindays
   when:
       - rhel9cis_rule_5_6_1_2
   tags:
@@ -29,10 +65,26 @@
       - rule_5.6.1.2
 
 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_WARN_AGE'
-      line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+  block:
+      - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set login.defs"
+        ansible.builtin.lineinfile:
+            path: /etc/login.defs
+            regexp: '^PASS_WARN_AGE'
+            line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+
+      - name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS"
+        ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
+        changed_when: false
+        failed_when: false
+        register: discovered_warn_days
+
+      - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users WARN_DAYS"
+        ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
+        loop: "{{ discovered_warn_days.stdout_lines }}"
+        when:
+            - discovered_warn_days.stdout_lines | length > 0
+            - item in discovered_interactive_usernames.stdout
+            - rhel9cis_force_user_warnage
   when:
       - rhel9cis_rule_5_6_1_3
   tags: