Initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2022-01-07 09:06:18 +00:00 · 2022-01-07 09:06:18 +00:00 · a54b5216eb
commit a54b5216eb
87 changed files with 7693 additions and 0 deletions
--- a/tasks/section_5/cis_5.5.1.x.yml
+++ b/tasks/section_5/cis_5.5.1.x.yml
@ -0,0 +1,117 @@
+---
+
+- name: "5.5.1.1 | L1 | PATCH | Ensure password expiration is 365 days or less"
+  lineinfile:
+      state: present
+      dest: /etc/login.defs
+      regexp: '^PASS_MAX_DAYS'
+      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+  when:
+      - rhel9cis_rule_5_5_1_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1.1
+
+- name: "5.5.1.2 | L1 | PATCH | Ensure minimum days between password changes is 7 or more"
+  lineinfile:
+      state: present
+      dest: /etc/login.defs
+      regexp: '^PASS_MIN_DAYS'
+      line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+  when:
+      - rhel9cis_rule_5_5_1_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1.2
+
+- name: "5.5.1.3 | L1 | PATCH | Ensure password expiration warning days is 7 or more"
+  lineinfile:
+      state: present
+      dest: /etc/login.defs
+      regexp: '^PASS_WARN_AGE'
+      line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+  when:
+      - rhel9cis_rule_5_5_1_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1.3
+
+- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less"
+  block:
+      - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
+        shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_5_5_1_4_inactive_settings
+
+      - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
+        command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+        when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
+
+      - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
+        shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
+        check_mode: no
+        register: rhel_09_5_5_1_4_audit
+        changed_when: false
+
+      - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
+        command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+        with_items:
+            - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
+  when:
+      - rhel9cis_rule_5_5_1_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1.4
+
+- name: "5.5.1.5 | L1 |  PATCH | Ensure all users last password change date is in the past"
+  block:
+      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
+        shell: echo $(($(date --utc --date "$1" +%s)/86400))
+        failed_when: false
+        changed_when: false
+        check_mode: no
+        register: rhel9cis_5_5_1_5_currentut
+
+      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
+        shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'"
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_5_5_1_5_user_list
+
+      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
+        debug:
+            msg: "Good News! All accounts have PW change dates that are in the past"
+        when: rhel9cis_5_5_1_5_user_list.stdout | length == 0
+
+      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
+        debug:
+            msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_5_1_5_user_list.stdout_lines }}"
+        when:
+            - rhel9cis_5_5_1_5_user_list.stdout | length > 0
+            - not rhel9cis_futurepwchgdate_autofix
+
+      - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
+        command: passwd --expire {{ item }}
+        when:
+            - rhel9cis_5_5_1_5_user_list | length > 0
+            - rhel9cis_futurepwchgdate_autofix
+        with_items:
+            - "{{ rhel9cis_5_5_1_5_user_list.stdout_lines }}"
+  when:
+      - rhel9cis_rule_5_5_1_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1.5