Chage tool related settings: max-days, min-days and warn-age, for getting CIS-Passes on rules 5.6.1.{1-3}

Signed-off-by: Pruteanu <ionut.pruteanu@siemens.com>

tasks/section_5/cis_5.6.1.x.yml

@@ -1,10 +1,28 @@
 ---
 
 - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
-  ansible.builtin.lineinfile:
+  block:
-      path: /etc/login.defs
+      - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting in login.defs file"
-      regexp: '^PASS_MAX_DAYS'
+        ansible.builtin.lineinfile:
-      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+            path: /etc/login.defs
+            regexp: '^PASS_MAX_DAYS'
+            line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+
+      - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting for all users via chage tool"
+        ansible.builtin.user:
+            name: "{{ item.id }}"
+            password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ rhel9cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
   when:
       - rhel9cis_rule_5_6_1_1
   tags:
@@ -15,10 +33,28 @@
       - rule_5.6.1.1
 
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
-  ansible.builtin.lineinfile:
+  block:
-      path: /etc/login.defs
+      - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting in login.defs file"
-      regexp: '^PASS_MIN_DAYS'
+        ansible.builtin.lineinfile:
-      line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+            path: /etc/login.defs
+            regexp: '^PASS_MIN_DAYS'
+            line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+
+      - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting for all users via chage tool"
+        ansible.builtin.user:
+            name: "{{ item.id }}"
+            password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ rhel9cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
   when:
       - rhel9cis_rule_5_6_1_2
   tags:
@@ -29,10 +65,26 @@
       - rule_5.6.1.2
 
 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
-  ansible.builtin.lineinfile:
+  block:
-      path: /etc/login.defs
+      - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting in login.defs file"
-      regexp: '^PASS_WARN_AGE'
+        ansible.builtin.lineinfile:
-      line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+            path: /etc/login.defs
+            regexp: '^PASS_WARN_AGE'
+            line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+
+      - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting for all users via chage tool"
+        ansible.builtin.shell: chage --warndays "{{ rhel9cis_pass['warn_age'] }}"  "{{ item.id }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ rhel9cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
   when:
       - rhel9cis_rule_5_6_1_3
   tags: