ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Added a means to allow system users to have a shell

Browse source 
Signed-off-by: Jeffrey van Pelt <jeff@vanpelt.one>
This commit is contained in:
Jeffrey van Pelt 2024-11-11 17:38:04 +01:00
parent 3c75296d91
commit 28a35960d7
No known key found for this signature in database
GPG key ID: 39EFF6AA1F5B11A0
2 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
defaults/main.yml
View file

@ -1137,6 +1137,11 @@ rhel9cis_force_user_mindays: false
# This can break current connecting user access # This can break current connecting user access
rhel9cis_force_user_warnage: false rhel9cis_force_user_warnage: false
## Control 5.6.2 - Ensure system accounts are secured | Set nologin
# The system users on this list are allowed to have a shell (e.g. applications
# that require a shell to function)
rhel9cis_system_users_shell: []
## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less ## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less
# Session timeout setting file (TMOUT setting can be set in multiple files) # Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600) # Timeout value is in seconds. (60 seconds * 10 = 600)

1
tasks/section_5/cis_5.6.x.yml
View file

@ -13,6 +13,7 @@
- item.id != "shutdown" - item.id != "shutdown"
- item.id != "halt" - item.id != "halt"
- item.id != "nfsnobody" - item.id != "nfsnobody"
- item.id not in rhel9cis_system_users_shell
- item.uid < min_int_uid | int - item.uid < min_int_uid | int
- item.shell != "/bin/false" - item.shell != "/bin/false"
- item.shell != "/usr/sbin/nologin" - item.shell != "/usr/sbin/nologin"