RHEL9-CIS/tasks/section_5/cis_5.6.1.x.yml

---

- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
  lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MAX_DAYS'
      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
  when:
      - rhel9cis_rule_5_6_1_1
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - password
      - rule_5.5.1.1

- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
  lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MIN_DAYS'
      line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
  when:
      - rhel9cis_rule_5_6_1_2
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - password
      - rule_5.6.1.2

- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
  lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_WARN_AGE'
      line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
  when:
      - rhel9cis_rule_5_6_1_3
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - password
      - rule_5.5.1.3

- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  block:
      - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
        shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
        changed_when: false
        failed_when: false
        check_mode: no
        register: rhel9cis_5_6_1_4_inactive_settings

      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
        command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
        when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0

      - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
        shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
        changed_when: false
        check_mode: no
        register: rhel_8_5_6_1_4_user_list

      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
        command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
        with_items:
            - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
  when:
      - rhel9cis_rule_5_6_1_4
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - password
      - rule_5.6.1.4

- name: "5.6.1.5 |  PATCH | Ensure all users last password change date is in the past"
  block:
      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
        shell: echo $(($(date --utc --date "$1" +%s)/86400))
        changed_when: false
        failed_when: false
        check_mode: no
        register: rhel9cis_5_6_1_5_currentut

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
        shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
        changed_when: false
        failed_when: false
        check_mode: no
        register: rhel9cis_5_6_1_5_user_list

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
        debug:
            msg: "Good News! All accounts have PW change dates that are in the past"
        when: rhel9cis_5_6_1_5_user_list.stdout | length == 0

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
        debug:
            msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
        when:
            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
            - not rhel9cis_futurepwchgdate_autofix

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
        set_fact:
            control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"
            warn_count: "{{ warn_count|int + 1 }}"
        when:
            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
            - not rhel9cis_futurepwchgdate_autofix

      - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
        command: passwd --expire {{ item }}
        when:
            - rhel9cis_5_6_1_5_user_list | length > 0
            - rhel9cis_futurepwchgdate_autofix
        with_items:
            - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
  when:
      - rhel9cis_rule_5_6_1_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.1.5