mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-27 15:33:06 +00:00
Addressed issue #190
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
7c53c0d96e
commit
44911b81c3
1 changed files with 64 additions and 12 deletions
|
|
@ -1,10 +1,28 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
||||||
ansible.builtin.lineinfile:
|
block:
|
||||||
path: /etc/login.defs
|
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
||||||
regexp: '^PASS_MAX_DAYS'
|
ansible.builtin.lineinfile:
|
||||||
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
|
path: /etc/login.defs
|
||||||
|
regexp: '^PASS_MAX_DAYS'
|
||||||
|
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
|
||||||
|
|
||||||
|
- name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
|
||||||
|
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
register: discovered_max_days
|
||||||
|
|
||||||
|
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ item }}"
|
||||||
|
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
|
||||||
|
loop: "{{ discovered_max_days.stdout_lines }}"
|
||||||
|
when:
|
||||||
|
- discovered_max_days.stdout_lines | length > 0
|
||||||
|
- item in discovered_interactive_usernames.stdout
|
||||||
|
- rhel9cis_force_user_maxdays
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_5_6_1_1
|
- rhel9cis_rule_5_6_1_1
|
||||||
tags:
|
tags:
|
||||||
|
|
@ -15,10 +33,28 @@
|
||||||
- rule_5.6.1.1
|
- rule_5.6.1.1
|
||||||
|
|
||||||
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
|
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
|
||||||
ansible.builtin.lineinfile:
|
block:
|
||||||
path: /etc/login.defs
|
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | set login.defs"
|
||||||
regexp: '^PASS_MIN_DAYS'
|
ansible.builtin.lineinfile:
|
||||||
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
|
path: /etc/login.defs
|
||||||
|
regexp: '^PASS_MIN_DAYS'
|
||||||
|
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
|
||||||
|
|
||||||
|
- name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
|
||||||
|
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
register: discovered_min_days
|
||||||
|
|
||||||
|
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ item }}"
|
||||||
|
password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
|
||||||
|
loop: "{{ discovered_min_days.stdout_lines }}"
|
||||||
|
when:
|
||||||
|
- discovered_min_days.stdout_lines | length > 0
|
||||||
|
- item in discovered_interactive_usernames.stdout
|
||||||
|
- rhel9cis_force_user_mindays
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_5_6_1_2
|
- rhel9cis_rule_5_6_1_2
|
||||||
tags:
|
tags:
|
||||||
|
|
@ -29,10 +65,26 @@
|
||||||
- rule_5.6.1.2
|
- rule_5.6.1.2
|
||||||
|
|
||||||
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
|
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
|
||||||
ansible.builtin.lineinfile:
|
block:
|
||||||
path: /etc/login.defs
|
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set login.defs"
|
||||||
regexp: '^PASS_WARN_AGE'
|
ansible.builtin.lineinfile:
|
||||||
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
|
path: /etc/login.defs
|
||||||
|
regexp: '^PASS_WARN_AGE'
|
||||||
|
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
|
||||||
|
|
||||||
|
- name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS"
|
||||||
|
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
register: discovered_warn_days
|
||||||
|
|
||||||
|
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users WARN_DAYS"
|
||||||
|
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
|
||||||
|
loop: "{{ discovered_warn_days.stdout_lines }}"
|
||||||
|
when:
|
||||||
|
- discovered_warn_days.stdout_lines | length > 0
|
||||||
|
- item in discovered_interactive_usernames.stdout
|
||||||
|
- rhel9cis_force_user_warnage
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_5_6_1_3
|
- rhel9cis_rule_5_6_1_3
|
||||||
tags:
|
tags:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue