Ensure min/max days between password changes.

Signed-off-by: root@DERVISHx <nuno.carvalho@siemens.com>
2025-12-27 15:33:06 +00:00 · 2023-11-02 16:39:57 +00:00 · 2023-11-02 16:39:57 +00:00 · 9c12cc07b2
commit 9c12cc07b2
parent 0856639ab5
3 changed files with 30 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -601,6 +601,10 @@ rhel9cis_pass:
    min_days: 7
    warn_age: 7

+# 5.6.1.1/2 Variable to be adjust so the rule sets password min/max
+# This refers to the minimum UID that rule will start from
+usr_min_uid: 1000
+
 # 5.5.1
 ## PAM
 rhel9cis_pam_password:
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -28,11 +28,22 @@
      - password
      - rule_5.6.1.2

- name: "5.6.1.2 | PATCH | Set existing users"
-  ansible.builtin.shell: getent passwd | awk -F: '$3 >= {{ usr_min_uid}} { print "echo "$1";chage -m {{ min_days }} -M {{ min_days }}"$1}'
-        
+- name: "5.6.1.1/2 | PATCH | Set existing users with password rules"
+  block:
+      - name: "5.6.1.1/2 | AUDIT | Get existing users"
+        ansible.builtin.getent:
+            database: passwd
+
+      - name: "5.6.1.1/2 | PATCH | Update users higher than usr_min_uid"
+        ansible.builtin.user:
+          name: "{{ item }}"
+          password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
+          password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
+        loop: "{{ getent_passwd | dict2items | map(attribute='key') | list  }}"
+        when: getent_passwd[item].1 | int >= usr_min_uid
  when:
      - rhel9cis_rule_5_6_1_2
+      - rhel9cis_rule_5_6_1_2_set_user
  tags:
      - level1-server
      - level1-workstation
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -7,13 +7,21 @@ os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <security@redhat.com>
 # disable repo_gpgcheck due to OS default repos
 rhel9cis_rule_enable_repogpg: false

-# Vars setup for overiding main.yml
+# enable interactive users to be set min/max password change
+rhel9cis_rule_5_6_1_2_set_user: true
+
+# 5.6.1.1/2 Variable to be adjust so the rule sets password min/max
+# This refers to the minimum UID that rule will start from
+usr_min_uid: 1000
+
+# Vars setup for overiding main.yml for rule 5.3.2 
 rhel9cis_sshd:
    clientalivecountmax: 3
    clientaliveinterval: 900
    logingracetime: 60
+    # Group and user choose as being the default for this release
+    # Can also use;
    # allowusers: 
-    allowgroups: sshd wheel
-    # denyusers:
    # denygroups:
-    usr_min_uid: 1000
+    allowgroups: wheel
+    denyusers: nobody