From b0091fc2495750acf162d3b8589d459fd7986d3b Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Tue, 12 Mar 2024 08:08:32 +0200
Subject: [PATCH] Commit for using the chage tool with 4.6.1.x, also some syntax fixes for 4.6.x.
Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_4/cis_4.6.1.x.yml | 76 +++++++++++++++++++++++++++------
 tasks/section_4/cis_4.6.x.yml | 8 ++--
 2 files changed, 68 insertions(+), 16 deletions(-)
diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml
index 82094ba..09571a8 100644
--- a/tasks/section_4/cis_4.6.1.x.yml
+++ b/tasks/section_4/cis_4.6.1.x.yml
@@ -1,10 +1,28 @@
 ---
 - name: "4.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
- ansible.builtin.lineinfile:
- path: /etc/login.defs
- regexp: '^PASS_MAX_DAYS'
- line: "PASS_MAX_DAYS {{ amzn2023cis_pass['max_days'] }}"
+ block:
+ - name: "4.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting in login.defs file"
+ ansible.builtin.lineinfile:
+ path: /etc/login.defs
+ regexp: '^PASS_MAX_DAYS'
+ line: "PASS_MAX_DAYS {{ amzn2023cis_pass['max_days'] }}"
+
+ - name: "4.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Setting for all users via chage tool"
+ ansible.builtin.user:
+ name: "{{ item.id }}"
+ password_expire_max: "{{ amzn2023cis_pass['max_days'] }}"
+ when:
+ - item.id != "halt"
+ - item.id != "shutdown"
+ - item.id != "sync"
+ - item.id != "nfsnobody"
+ - item.shell != "/usr/sbin/nologin"
+ - item.shell != "/sbin/nologin"
+ - item.id == "root" or item.uid >= min_int_uid | int
+ loop: "{{ amzn2023cis_passwd }}"
+ loop_control:
+ label: "{{ item.id }}"
 when:
 - amzn2023cis_rule_4_6_1_1
 tags:
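Review bot: The per-user task under `ansible.builtin.user` scopes accounts by shell (`item.shell != "/usr/sbin/nologin"`, `"/sbin/nologin"`) and uid, but as I read the benchmark, the CIS audit for 4.6.1.1 evaluates every /etc/shadow entry that carries a password hash regardless of login shell, so a service account with a password set and a nologin shell is skipped here and can still fail the check. The `/bin/false` exclusion that cis_4.6.x.yml uses is also absent, so the two files define "interactive account" differently. If the shell-based scope is intentional, a comment on the `when:` would record the deviation: `# NOTE: scoped by shell; CIS audits every /etc/shadow entry with a password hash, so excluded accounts may still be flagged`. The same filter is repeated at `@@ -19,10 +37,28 @@` and `@@ -37,10 +73,26 @@`; the task's `tags:` list continues outside the hunk.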
@@ -19,10 +37,28 @@
 - nist_sp800-53r5_IA-5
 - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is configured"
- ansible.builtin.lineinfile:
- path: /etc/login.defs
- regexp: '^PASS_MIN_DAYS'
- line: "PASS_MIN_DAYS {{ amzn2023cis_pass['min_days'] }}"
+ block:
+ - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting in login.defs file"
+ ansible.builtin.lineinfile:
+ path: /etc/login.defs
+ regexp: '^PASS_MIN_DAYS'
+ line: "PASS_MIN_DAYS {{ amzn2023cis_pass['min_days'] }}"
+
+ - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more | Setting for all users via chage tool"
+ ansible.builtin.user:
+ name: "{{ item.id }}"
+ password_expire_min: "{{ amzn2023cis_pass['min_days'] }}"
+ when:
+ - item.id != "halt"
+ - item.id != "shutdown"
+ - item.id != "sync"
+ - item.id != "nfsnobody"
+ - item.shell != "/usr/sbin/nologin"
+ - item.shell != "/sbin/nologin"
+ - item.id == "root" or item.uid >= min_int_uid | int
+ loop: "{{ amzn2023cis_passwd }}"
+ loop_control:
+ label: "{{ item.id }}"
 when:
 - amzn2023cis_rule_4_6_1_2
 tags:
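Review bot: The two sub-task names added in the block read `Ensure minimum days between password changes is 7 or more`, while the unchanged parent task on the context line still reads `is configured`, so play output shows two different descriptions for one control; `- name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Setting in login.defs file"` (and the same wording on the second sub-task) would keep them aligned. The second sub-task is also labelled `via chage tool` although it uses `ansible.builtin.user` with `password_expire_min`, which is equivalent in effect but misleads anyone grepping for the shell call. The task's `tags:` list continues outside the hunk.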
@@ -37,10 +73,26 @@
 - nist_sp800-53r5_IA-5
 - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
- ansible.builtin.lineinfile:
- path: /etc/login.defs
- regexp: '^PASS_WARN_AGE'
- line: "PASS_WARN_AGE {{ amzn2023cis_pass['warn_age'] }}"
+ block:
+ - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting in login.defs file"
+ ansible.builtin.lineinfile:
+ path: /etc/login.defs
+ regexp: '^PASS_WARN_AGE'
+ line: "PASS_WARN_AGE {{ amzn2023cis_pass['warn_age'] }}"
+
+ - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Setting for all users via chage tool"
+ ansible.builtin.shell: chage --warndays "{{ amzn2023cis_pass['warn_age'] }}" "{{ item.id }}"
+ when:
+ - item.id != "halt"
+ - item.id != "shutdown"
+ - item.id != "sync"
+ - item.id != "nfsnobody"
+ - item.shell != "/usr/sbin/nologin"
+ - item.shell != "/sbin/nologin"
+ - item.id == "root" or item.uid >= min_int_uid | int
+ loop: "{{ amzn2023cis_passwd }}"
+ loop_control:
+ label: "{{ item.id }}"
 when:
 - amzn2023cis_rule_4_6_1_3
 tags:
diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml
index 67a4046..e90a07a 100644
--- a/tasks/section_4/cis_4.6.x.yml
+++ b/tasks/section_4/cis_4.6.x.yml
@@ -14,8 +14,8 @@
 - item.id != "halt"
 - item.id != "nfsnobody"
 - item.uid < min_int_uid | int
- - item.shell != " /bin/false"
- - item.shell != " /usr/sbin/nologin"
+ - item.shell != "/bin/false"
+ - item.shell != "/usr/sbin/nologin"
 loop_control:
 label: "{{ item.id }}"
@@ -31,8 +31,8 @@
 - item.id != "root"
 - item.id != "nfsnobody"
 - item.uid < min_int_uid | int
- - item.shell != " /bin/false"
- - item.shell != " /usr/sbin/nologin"
+ - item.shell != "/bin/false"
+ - item.shell != "/usr/sbin/nologin"
 loop_control:
 label: "{{ item.id }}"
 when:
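Review bot: The chage sub-task uses `ansible.builtin.shell` although the command line needs no shell features, which puts a shell-interpretation layer around the two interpolated values and, with no `changed_when`, reports `changed` on every run, whereas the other two controls in this commit set the equivalent value idempotently through `ansible.builtin.user`. That module also has `password_expire_warn` (ansible-core 2.16 and later), which would make this sub-task a one-line change: `password_expire_warn: "{{ amzn2023cis_pass['warn_age'] }}"`. If older ansible-core must stay supported, `ansible.builtin.command: chage --warndays "{{ amzn2023cis_pass['warn_age'] }}" "{{ item.id }}"` drops the shell layer, and a `changed_when` derived from a preceding `chage -l` read would restore idempotence. The task's `tags:` list continues outside the hunk.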
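Review bot: The corrected exclusions at `@@ -14,8 +14,8 @@` still compare only against `/bin/false` and `/usr/sbin/nologin`, whereas the new 4.6.1.x filters in this same commit also exclude `/sbin/nologin`; if /etc/passwd records a shell as `/sbin/nologin` those accounts pass this filter, and the two files disagree on which accounts count as non-interactive. Adding `- item.shell != "/sbin/nologin"` beside the two corrected lines would bring them in line, and the same applies at `@@ -31,8 +31,8 @@`. The tasks these conditions belong to start before each hunk.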