From 73dc65db12f003571b65aa5ded2b1aba0938bdfd Mon Sep 17 00:00:00 2001
From: "root@DERVISHx"
Date: Fri, 10 Nov 2023 15:03:04 +0000
Subject: [PATCH] Adding solution for users with passwords.

Signed-off-by: root@DERVISHx
---
 tasks/section_5/cis_5.6.1.x.yml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
index 3d59a16..1a54140 100644
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@@ -15,10 +15,25 @@
     - rule_5.5.1.1
 
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
-  ansible.builtin.lineinfile:
-    path: /etc/login.defs
-    regexp: '^PASS_MIN_DAYS'
-    line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+  block:
+    - name: "5.6.1.2 | PATCH | Set default."
+      ansible.builtin.lineinfile:
+        path: /etc/login.defs
+        regexp: '^PASS_MIN_DAYS'
+        line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+
+    - name: "5.6.1.2 | AUDIT | Get existing users"
+      ansible.builtin.getent:
+        database: shadow
+
+    - name: "5.6.1.2 | PATCH | Set existing users"
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
+      loop: "{{ getent_shadow | dict2items | map(attribute='key') | list }}"
+      when: ( getent_shadow[item].0 != "!!" ) and
+            ( getent_shadow[item].0 != "!*" ) and
+            ( getent_shadow[item].0 != "*" )
   when:
     - rhel9cis_rule_5_6_1_2
   tags:
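Review bot: The `when` on the "Set existing users" task compares the shadow password field against three exact strings, so locked accounts whose field is a bare `!` or a `!`-prefixed hash (`!$6$…`, as produced by `passwd -l` / `usermod -L`) still get `password_expire_min` applied, while the benchmark's own audit only targets entries whose second field does not start with `!` or `*`. Matching on the first character covers every locked/no-login form at once and is shorter: `when: getent_shadow[item].0 is not match('^[!*]')`. The three-line plain scalar is also fragile in YAML (it is silently folded into one string); a single-line condition, or a list of conditions under `when:`, is the idiomatic form. The `loop` expression can be simplified to `"{{ getent_shadow.keys() | list }}"` with the same result. The task's `tags` list continues past the end of the hunk.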