From e54ddf59fa1dcf5eb7eb658b0060324e81950695 Mon Sep 17 00:00:00 2001
From: "root@DERVISHx" <nuno.carvalho@siemens.com>
Date: Fri, 10 Nov 2023 14:59:55 +0000
Subject: [PATCH] Adding solution for users with passwords.

Signed-off-by: root@DERVISHx <nuno.carvalho@siemens.com>
---
 tasks/section_5/cis_5.6.1.x.yml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
index 3d59a16..ee6e03e 100644
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@@ -1,10 +1,25 @@
 ---
 
 - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_MAX_DAYS'
-      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+ block:
+    - name: "5.6.1.1 | PATCH | Set default."
+      ansible.builtin.lineinfile:
+        path: /etc/login.defs
+        regexp: '^PASS_MAX_DAYS'
+        line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+
+    - name: "5.6.1.1 | AUDIT | Get existing users"
+      ansible.builtin.getent:
+        database: shadow
+
+    - name: "5.6.1.1 | PATCH | Set existing users"
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
+      loop: "{{ getent_shadow | dict2items | map(attribute='key') | list  }}"
+      when: ( getent_shadow[item].0 != "!!" ) and
+            ( getent_shadow[item].0 != "!*" ) and
+            ( getent_shadow[item].0 != "*" )
   when:
       - rhel9cis_rule_5_6_1_1
   tags: