diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 8d082bc..505b732 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -1,10 +1,28 @@ --- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + block: + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting in login.defs file" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting for all users via chage tool" + ansible.builtin.user: + name: "{{ item.id }}" + password_expire_max: "{{ rhel9cis_pass['max_days'] }}" + when: + - item.id != "halt" + - item.id != "shutdown" + - item.id != "sync" + - item.id != "nfsnobody" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.id == "root" or item.uid >= min_int_uid | int + loop: "{{ rhel9cis_passwd }}" + loop_control: + label: "{{ item.id }}" when: - rhel9cis_rule_5_6_1_1 tags: @@ -15,10 +33,28 @@ - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + block: + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting in login.defs file" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting for all users via chage tool" + ansible.builtin.user: + name: "{{ item.id }}" + password_expire_min: "{{ rhel9cis_pass['min_days'] }}" + when: + - item.id != "halt" + - item.id != "shutdown" + - item.id != "sync" + - item.id != "nfsnobody" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.id == "root" or item.uid >= min_int_uid | int + loop: "{{ rhel9cis_passwd }}" + loop_control: + label: "{{ item.id }}" when: - rhel9cis_rule_5_6_1_2 tags: @@ -29,10 +65,26 @@ - rule_5.6.1.2 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + block: + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting in login.defs file" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting for all users via chage tool" + ansible.builtin.shell: chage --warndays "{{ rhel9cis_pass['warn_age'] }}" "{{ item.id }}" + when: + - item.id != "halt" + - item.id != "shutdown" + - item.id != "sync" + - item.id != "nfsnobody" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.id == "root" or item.uid >= min_int_uid | int + loop: "{{ rhel9cis_passwd }}" + loop_control: + label: "{{ item.id }}" when: - rhel9cis_rule_5_6_1_3 tags: