
improved tests and updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-09 13:13:17 +01:00
parent 485a85db76
commit 265423eb0a
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
11 changed files with 171 additions and 152 deletions


@ -19,10 +19,10 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
line: "PASS_MAX_DAYS {{ rhel9cis_pass_max_days }}"
- name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_max_days
@ -34,7 +34,7 @@
- rhel9cis_force_user_maxdays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
password_expire_max: "{{ rhel9cis_pass_max_days }}"
loop: "{{ discovered_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
@ -51,10 +51,10 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
line: "PASS_MIN_DAYS {{ rhel9cis_pass_min_days }}"
- name: "5.4.1.2 | AUDIT | Ensure minimum password days is configured | Get existing users PASS_MIN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass_min_days }} {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_min_days
@ -66,7 +66,7 @@
- rhel9cis_force_user_mindays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
password_expire_max: "{{ rhel9cis_pass_min_days }}"
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
@ -83,10 +83,10 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
line: "PASS_WARN_AGE {{ rhel9cis_pass_warn_age }}"
- name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users WARN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass_warn_age }} {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_warn_days
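Review bot: In the `@ -66,7 +66,7 @@` hunk the per-user remediation for minimum password days still sets `password_expire_max: "{{ rhel9cis_pass_min_days }}"`, so the accounts selected by the `$4<` audit get their maximum password age overwritten with the minimum-days value rather than having PASS_MIN_DAYS enforced on them. The parameter should be `password_expire_min: "{{ rhel9cis_pass_min_days }}"`; the variable rename in this commit carries the pre-existing mismatch over unchanged. The enclosing task starts before the hunk. Separately, the awk filter in the `@ -19,10 +19,10 @@` hunk selects any account whose field 5 differs from the configured value, so accounts with a stricter (shorter) maximum age are also reset upward to it; if that is unintended, `$5 > {{ rhel9cis_pass_max_days }} || $5 == -1` would match the control's "365 days or less" wording.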