Commit for using the chage tool with 4.6.1.x, also some syntax fixes …

…for 4.6.x. Signed-off-by: Diana-Maria Dumitru <[email protected]>
ansible-lockdown · Mar 12, 2024 · b0091fc · b0091fc
1 parent b238cf5
commit b0091fc
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 16 deletions.
diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml
@@ -1,10 +1,28 @@
 ---
 
 - name: "4.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_MAX_DAYS'
-      line: "PASS_MAX_DAYS {{ amzn2023cis_pass['max_days'] }}"
+  block:
+      - name: "4.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting in login.defs file"
+        ansible.builtin.lineinfile:
+            path: /etc/login.defs
+            regexp: '^PASS_MAX_DAYS'
+            line: "PASS_MAX_DAYS {{ amzn2023cis_pass['max_days'] }}"
+
+      - name: "4.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting for all users via chage tool"
+        ansible.builtin.user:
+            name: "{{ item.id }}"
+            password_expire_max: "{{ amzn2023cis_pass['max_days'] }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ amzn2023cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
   when:
       - amzn2023cis_rule_4_6_1_1
   tags:
@@ -19,10 +37,28 @@
       - nist_sp800-53r5_IA-5
 
 - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is configured"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_MIN_DAYS'
-      line: "PASS_MIN_DAYS {{ amzn2023cis_pass['min_days'] }}"
+  block:
+      - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting in login.defs file"
+        ansible.builtin.lineinfile:
+            path: /etc/login.defs
+            regexp: '^PASS_MIN_DAYS'
+            line: "PASS_MIN_DAYS {{ amzn2023cis_pass['min_days'] }}"
+
+      - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting for all users via chage tool"
+        ansible.builtin.user:
+            name: "{{ item.id }}"
+            password_expire_min: "{{ amzn2023cis_pass['min_days'] }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ amzn2023cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
   when:
       - amzn2023cis_rule_4_6_1_2
   tags:
@@ -37,10 +73,26 @@
       - nist_sp800-53r5_IA-5
 
 - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
-  ansible.builtin.lineinfile:
-      path: /etc/login.defs
-      regexp: '^PASS_WARN_AGE'
-      line: "PASS_WARN_AGE {{ amzn2023cis_pass['warn_age'] }}"
+  block:
+      - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting in login.defs file"
+        ansible.builtin.lineinfile:
+            path: /etc/login.defs
+            regexp: '^PASS_WARN_AGE'
+            line: "PASS_WARN_AGE {{ amzn2023cis_pass['warn_age'] }}"
+
+      - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting for all users via chage tool"
+        ansible.builtin.shell: chage --warndays "{{ amzn2023cis_pass['warn_age'] }}"  "{{ item.id }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "nfsnobody"
+            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.id == "root" or item.uid >= min_int_uid | int
+        loop: "{{ amzn2023cis_passwd }}"
+        loop_control:
+            label: "{{ item.id }}"
   when:
       - amzn2023cis_rule_4_6_1_3
   tags:

diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml
@@ -14,8 +14,8 @@
             - item.id != "halt"
             - item.id != "nfsnobody"
             - item.uid < min_int_uid | int
-            - item.shell != "      /bin/false"
-            - item.shell != "      /usr/sbin/nologin"
+            - item.shell != "/bin/false"
+            - item.shell != "/usr/sbin/nologin"
         loop_control:
             label: "{{ item.id }}"
 
@@ -31,8 +31,8 @@
             - item.id != "root"
             - item.id != "nfsnobody"
             - item.uid < min_int_uid | int
-            - item.shell != "      /bin/false"
-            - item.shell != "      /usr/sbin/nologin"
+            - item.shell != "/bin/false"
+            - item.shell != "/usr/sbin/nologin"
         loop_control:
             label: "{{ item.id }}"
   when: