5.6.1.2 Ensure minimum days between password changes is configured
brisky opened this issue · comments
Describe the Issue
CIS-CAT fails if there are existing users, with a password set, prior to the remediation run.
The config Ansible role, which sets this up as default, won't touch them.
New users created after lockdown ran will be covered.
Expected Behavior
CIS-CAT Assessment pass.
Actual Behavior
CIS-CAT assessment fails:

| Field | Type | Status | Value |
|---|---|---|---|
| Username | String | Exists | brisky |
| Password | String | Exists | |
| Chg Lst | Int | Exists | 19620 |
| Chg Allow | Int | Exists | 0 |
| Chg Req | Int | Exists | 99999 |
| Exp Warn | Int | Exists | 7 |
| Exp Inact | Int | Exists | 30 |
| Exp Date | Int | Does not exist | No Value |
| Flag | String | Exists | No Value |
| Encrypt Method | String | Exists | SHA-512 |
Control(s) Affected
5.6.1.1 Ensure password expiration is 365 days or less
5.6.1.2 Ensure minimum days between password changes is configured
Environment:
- branch being used: devel
- Ansible Version: 2.15.4
- Host Python Version: 3.9.6
- Ansible Server Python Version: 3.9.16
- Additional Details: N/A
Additional Notes
N/A
Possible Solution
The way to tackle this would be to create a new optional role to take care of the existing users.
This would be achieved by targeting users with a UID higher than 1000.
This could easily be achieved with `getent passwd |awk -F: '$3 >= 1000 { print "echo "$1";chage -m 7 -M 365 "$1}'`
passing it through the shell module. But it will work on Ansible control.
Proper way to tackle the issue with Ansible:
```yaml
- name: "5.6.1.1/2 | PATCH | Set existing users with password rules"
  block:
    - name: "5.6.1.1/2 | AUDIT | Get existing users"
      ansible.builtin.getent:
        database: passwd

    - name: "5.6.1.1/2 | PATCH | Update users higher than usr_min_uid"
      ansible.builtin.user:
        name: "{{ item }}"
        password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
        password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
      loop: "{{ getent_passwd | dict2items | map(attribute='key') | list }}"
      # getent_passwd[item] is [password, uid, gid, gecos, home, shell]; index 1 is the UID
      when: getent_passwd[item].1 | int >= usr_min_uid
  when:
    - rhel9cis_rule_5_6_1_2
    - rhel9cis_rule_5_6_1_2_set_user
  tags:
    - level1-server
    - level1-workstation
    - patch
    - password
    - rule_5.6.1.2
```
Notes:
- Now uses Ansible modules, creating a list of users and working on it.
- Added `rhel9cis_rule_5_6_1_2_set_user` tag to enable/disable the feature.
- Added `usr_min_uid` variable; needs to be set either in main.yml or in flavor.yml.
Created new branch `siemens/feat/Ensure_minimum_days_between_password_changes_5_6_1_2` for the specific issue.
Added in block:

```yaml
- name: "5.6.1.2 | AUDIT | Get existing users"
  ansible.builtin.getent:
    database: shadow

- name: "5.6.1.2 | PATCH | Set existing users"
  ansible.builtin.user:
    name: "{{ item }}"
    password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
  loop: "{{ getent_shadow | dict2items | map(attribute='key') | list }}"
  # getent_shadow[item].0 is the password hash; skip locked ("!!", "!*") and disabled ("*") accounts
  when:
    - getent_shadow[item].0 != "!!"
    - getent_shadow[item].0 != "!*"
    - getent_shadow[item].0 != "*"
```
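An audit check for the condition this thread describes, added here as an example and not taken from the issue or the lockdown role: it applies the same filter as the tasks above (UID at or above a minimum, accounts whose shadow hash is not `!!`, `!*` or `*`) and reports which existing accounts would still fail the aging thresholds before any `chage` or `ansible.builtin.user` remediation runs. The sample passwd/shadow lines are constructed; the default thresholds of 7 and 365 days are the ones used in the `chage -m 7 -M 365` command earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the issue or the role): report existing local accounts
# whose password aging would fail CIS 5.6.1.1 (max days) / 5.6.1.2 (min days).

# Constructed sample data. "brisky" mirrors the CIS-CAT row in the issue
# (last change 19620, min 0, max 99999, warn 7, inactive 30).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
brisky:x:1001:1001::/home/brisky:/bin/bash
svc:x:1002:1002::/home/svc:/bin/bash'
SAMPLE_SHADOW='root:$6$hash:19620:0:99999:7:::
nobody:*:19620:0:99999:7:::
alice:$6$hash:19620:7:365:7:30::
brisky:$6$hash:19620:0:99999:7:30::
svc:!!:19620:0:99999:7:::'

# audit_password_aging PASSWD_TEXT SHADOW_TEXT MIN_UID [MIN_DAYS] [MAX_DAYS]
# Prints "user uid min max" for every account at or above MIN_UID that has a
# usable password hash and a min-days below MIN_DAYS or max-days above MAX_DAYS.
# Shadow lines are tagged "S:", passwd lines "P:", so one awk pass can join them.
audit_password_aging() {
    { printf '%s\n' "$2" | sed 's/^/S:/'; printf '%s\n' "$1" | sed 's/^/P:/'; } |
    awk -F: -v min_uid="$3" -v min_days="${4:-7}" -v max_days="${5:-365}" '
        # shadow: S:user:hash:lastchg:min:max:warn:inactive:expire:
        $1 == "S" { hash[$2] = $3; mind[$2] = $5; maxd[$2] = $6; next }
        # passwd: P:user:x:uid:gid:gecos:home:shell
        $1 == "P" && $4 + 0 >= min_uid + 0 && ($2 in hash) {
            h = hash[$2]
            # Locked ("!!", "!*", "!...") or disabled ("*") accounts have no
            # password to age, matching the when: conditions in the task above.
            if (h == "" || h ~ /^[!*]/) next
            if (mind[$2] + 0 < min_days + 0 || maxd[$2] + 0 > max_days + 0)
                print $2, $4, mind[$2], maxd[$2]
        }'
}

# Stand-alone run over the constructed data; pass "$(cat /etc/passwd)" and
# "$(cat /etc/shadow)" (as root) to audit a real host.
audit_password_aging "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 1000
```

Only `brisky` is reported: `root` is below the UID floor, `nobody` and `svc` have no usable hash, and `alice` already meets both thresholds.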