Chage tool related settings: max-days, min-days and warn-age, for getting CIS-Passes on rules 5.6.1.{1-3}

Signed-off-by: Pruteanu <ionut.pruteanu@siemens.com> Signed-off-by: z0042h2w <ionut.pruteanu@siemens.com>
2025-12-27 15:33:06 +00:00 · 2024-03-11 09:38:22 +02:00 · 2024-03-11 09:38:22 +02:00 · a233ccc96b
commit a233ccc96b
parent e87d637eb2
1 changed files with 64 additions and 12 deletions
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -1,10 +1,28 @@
 ---

 - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
+  block:
+      - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting in login.defs file"
        ansible.builtin.lineinfile:
            path: /etc/login.defs
            regexp: '^PASS_MAX_DAYS'
            line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+
+      - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting for all users via chage tool"
+        ansible.builtin.user:
+            name: "{{ item.id }}"
+            password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ rhel9cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
  when:
      - rhel9cis_rule_5_6_1_1
  tags:
@ -15,10 +33,28 @@
      - rule_5.6.1.1

 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
+  block:
+      - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting in login.defs file"
        ansible.builtin.lineinfile:
            path: /etc/login.defs
            regexp: '^PASS_MIN_DAYS'
            line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+
+      - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting for all users via chage tool"
+        ansible.builtin.user:
+            name: "{{ item.id }}"
+            password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ rhel9cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
  when:
      - rhel9cis_rule_5_6_1_2
  tags:
@ -29,10 +65,26 @@
      - rule_5.6.1.2

 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
+  block:
+      - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting in login.defs file"
        ansible.builtin.lineinfile:
            path: /etc/login.defs
            regexp: '^PASS_WARN_AGE'
            line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+
+      - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting for all users via chage tool"
+        ansible.builtin.shell: chage --warndays "{{ rhel9cis_pass['warn_age'] }}"  "{{ item.id }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ rhel9cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
  when:
      - rhel9cis_rule_5_6_1_3
  tags: