From 88507f95166a0be477f87df1c71df15aa48ac489 Mon Sep 17 00:00:00 2001 From: polski-g Date: Thu, 28 Aug 2025 13:15:29 -0400 Subject: [PATCH] 5.4.1.1: shell command should run in check_mode Signed-off-by: polski-g --- tasks/section_5/cis_5.4.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 7fcfb0b..58cd936 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -24,6 +24,7 @@ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow" changed_when: false failed_when: false + check_mode: false register: discovered_max_days - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"