ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-27 15:33:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Ensure min/max days between password changes.

Browse source 
Signed-off-by: root@DERVISHx <nuno.carvalho@siemens.com>
This commit is contained in:
root@DERVISHx 2023-11-02 16:39:57 +00:00
parent 0856639ab5
commit 9c12cc07b2
No known key found for this signature in database
GPG key ID: C68B144D8E6CCC46
3 changed files with 30 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

4
defaults/main.yml
View file

@ -601,6 +601,10 @@ rhel9cis_pass:
min_days: 7 min_days: 7
warn_age: 7 warn_age: 7
# 5.6.1.1/2 Variable to be adjust so the rule sets password min/max
# This refers to the minimum UID that rule will start from
usr_min_uid: 1000
# 5.5.1 # 5.5.1
## PAM ## PAM
rhel9cis_pam_password: rhel9cis_pam_password:

17
tasks/section_5/cis_5.6.1.x.yml
View file

@ -28,11 +28,22 @@
- password - password
- rule_5.6.1.2 - rule_5.6.1.2
- name: "5.6.1.2 | PATCH | Set existing users" - name: "5.6.1.1/2 | PATCH | Set existing users with password rules"
ansible.builtin.shell: getent passwd | awk -F: '$3 >= {{ usr_min_uid}} { print "echo "$1";chage -m {{ min_days }} -M {{ min_days }}"$1}' block:
- name: "5.6.1.1/2 | AUDIT | Get existing users"
ansible.builtin.getent:
database: passwd
- name: "5.6.1.1/2 | PATCH | Update users higher than usr_min_uid"
ansible.builtin.user:
name: "{{ item }}"
password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
loop: "{{ getent_passwd | dict2items | map(attribute='key') | list }}"
when: getent_passwd[item].1 | int >= usr_min_uid
when: when:
- rhel9cis_rule_5_6_1_2 - rhel9cis_rule_5_6_1_2
- rhel9cis_rule_5_6_1_2_set_user
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation

16
vars/RedHat.yml
View file

@ -7,13 +7,21 @@ os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <security@redhat.com>
# disable repo_gpgcheck due to OS default repos # disable repo_gpgcheck due to OS default repos
rhel9cis_rule_enable_repogpg: false rhel9cis_rule_enable_repogpg: false
# Vars setup for overiding main.yml # enable interactive users to be set min/max password change
rhel9cis_rule_5_6_1_2_set_user: true
# 5.6.1.1/2 Variable to be adjust so the rule sets password min/max
# This refers to the minimum UID that rule will start from
usr_min_uid: 1000
# Vars setup for overiding main.yml for rule 5.3.2
rhel9cis_sshd: rhel9cis_sshd:
clientalivecountmax: 3 clientalivecountmax: 3
clientaliveinterval: 900 clientaliveinterval: 900
logingracetime: 60 logingracetime: 60
# Group and user choose as being the default for this release
# Can also use;
# allowusers: # allowusers:
allowgroups: sshd wheel
# denyusers:
# denygroups: # denygroups:
usr_min_uid: 1000 allowgroups: wheel
denyusers: nobody