ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline

Home Page: https://ansible-lockdown.readthedocs.io


5.6.1.2 Ensure minimum days between password changes is configured

brisky opened this issue · comments

Describe the Issue
CIS-CAT fails if there are existing users with a set password from before the remediation run.
The config the Ansible role sets up as the default won't touch those users.
New users created after the lockdown ran will be covered.

Expected Behavior
CIS-CAT Assessment pass.

Actual Behavior
CIS-CAT Assessment fail:

Username        String   Exists          brisky
Password        String   Exists          $6$[OBFUSCATED HASHED PWD]
Chg Lst         Int      Exists          19620
Chg Allow       Int      Exists          0
Chg Req         Int      Exists          99999
Exp Warn        Int      Exists          7
Exp Inact       Int      Exists          30
Exp Date        Int      Does not exist  No Value
Flag            String   Exists          No Value
Encrypt Method  String   Exists          SHA-512

Control(s) Affected
5.6.1.1 Ensure password expiration is 365 days or less
5.6.1.2 Ensure minimum days between password changes is configured

Environment:

  • branch being used: devel
  • Ansible Version: 2.15.4
  • Host Python Version: 3.9.6
  • Ansible Server Python Version: 3.9.16
  • Additional Details: N/A

Additional Notes
N/A

Possible Solution
The way to tackle this would be to create a new optional role to take care of the existing users.
This would be achieved by targeting users with a UID of 1000 or higher.

This could easily be achieved with: getent passwd | awk -F: '$3 >= 1000 { print "echo " $1 "; chage -m 7 -M 365 " $1 }'
Passing it through the shell module would do it, but I will work on doing it in Ansible proper.

The proper way to tackle the issue with Ansible:

- name: "5.6.1.1/2 | PATCH | Set existing users with password rules"
  block:
      - name: "5.6.1.1/2 | AUDIT | Get existing users"
        ansible.builtin.getent:
            database: passwd

      # getent_passwd[user] is [password, uid, gid, gecos, home, shell], so
      # index 1 is the UID. Note that on RHEL 9 "nobody" (UID 65534) also
      # matches the UID test; it has no password, so the change is harmless.
      - name: "5.6.1.1/2 | PATCH | Update users higher than usr_min_uid"
        ansible.builtin.user:
            name: "{{ item }}"
            password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
            password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
        loop: "{{ getent_passwd | dict2items | map(attribute='key') | list }}"
        when: getent_passwd[item].1 | int >= usr_min_uid | int
  when:
      - rhel9cis_rule_5_6_1_2
      - rhel9cis_rule_5_6_1_2_set_user
  tags:
      - level1-server
      - level1-workstation
      - patch
      - password
      - rule_5.6.1.2

Notes:

  • Now uses Ansible modules, creating a list of users and working on it.
  • Added the rhel9cis_rule_5_6_1_2_set_user tag to enable/disable the feature.
  • Added the usr_min_uid variable, which needs to be set either in main.yml or in flavor.yml.

Created a new branch siemens/feat/Ensure_minimum_days_between_password_changes_5_6_1_2
for this specific issue.

Added in the block:

   - name: "5.6.1.2 | AUDIT | Get existing users"
     ansible.builtin.getent:
         database: shadow

   # getent_shadow[user].0 is the password field. Only accounts with a usable
   # hash are touched; "!!", "!*" and "*" mean no password / no login. A hash
   # locked with usermod -L (prefixed "!") or an empty field still passes this
   # filter and will be updated, which is harmless for the aging fields.
   - name: "5.6.1.2 | PATCH | Set existing users"
     ansible.builtin.user:
         name: "{{ item }}"
         password_expire_min: "{{ rhel9cis_pass['min_days'] }}"
     loop: "{{ getent_shadow | dict2items | map(attribute='key') | list }}"
     when: ( getent_shadow[item].0 != "!!" ) and
           ( getent_shadow[item].0 != "!*" ) and
           ( getent_shadow[item].0 != "*" )
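The CIS-CAT result and both task blocks above boil down to one question: which accounts have a real password hash but a min/max age outside policy? The script below is an added example, not code from the RHEL9-CIS role or from the issue author, that answers it from getent shadow formatted input and emits the matching chage remediation. It uses a constructed sample instead of the real /etc/shadow (the hashes are placeholders) and, like the CIS audit convention, skips any hash starting with "!" or "*", which is slightly broader than the three literal values the second task block excludes.

```shell
#!/bin/sh
# Audit password-aging fields in /etc/shadow-formatted input for CIS 5.6.1.1
# (PASS_MAX_DAYS <= 365) and 5.6.1.2 (PASS_MIN_DAYS >= policy). Only accounts
# with a usable password hash are checked; those are the ones CIS-CAT reports.
#
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# Prints one line per non-compliant account: "<user>\t<min>\t<max>".
audit_shadow_aging() {
    min_days="${1:-1}"      # policy minimum days between password changes
    max_days="${2:-365}"    # policy maximum password age in days
    awk -F: -v min="$min_days" -v max="$max_days" '
        BEGIN { min += 0; max += 0 }
        # Skip accounts that cannot log in with a password: an empty field,
        # "!!", "!*", "*", or a locked hash (usermod -L prefixes it with "!").
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            # An empty aging field means "unset"; shadow(5) treats that as
            # no minimum (0) and no maximum (99999), both of which fail policy.
            m = ($4 == "") ? 0 : $4 + 0
            M = ($5 == "") ? 99999 : $5 + 0
            if (m < min || M > max) printf "%s\t%d\t%d\n", $1, m, M
        }'
}

# Turn audit output into the chage commands that would remediate each finding.
emit_chage_fixes() {
    min_days="${1:-1}"
    max_days="${2:-365}"
    awk -F'\t' -v min="$min_days" -v max="$max_days" \
        '{ printf "chage -m %d -M %d %s\n", min, max, $1 }'
}

# Constructed sample in getent shadow format; the hashes are placeholders,
# not real. On a host you would run (as root): getent shadow | audit_shadow_aging 7 365
SAMPLE_SHADOW='root:$6$saltsalt$notarealhash:19620:0:99999:7:::
bin:*:19000:0:99999:7:::
sshd:!!:19000::::::
brisky:$6$saltsalt$notarealhash:19620:0:99999:7:30::
ops:$6$saltsalt$notarealhash:19620:7:365:7:30::
locked:!$6$saltsalt$notarealhash:19620:0:99999:7:::
svc:$6$saltsalt$notarealhash:19620::::::'

# root, brisky and svc are reported; bin, sshd and locked are skipped; ops is compliant.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_aging 7 365
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_aging 7 365 | emit_chage_fixes 7 365
```

The "svc" entry is the case worth noticing: all of its aging fields are empty, which CIS-CAT reads as min 0 / max 99999, so an account can fail both controls without ever having had a value set.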

Hi @brisky,

I have noted that the PR for this issue is closed. I will close this issue as stale; I assume this has been addressed or you have found a different way to work this?

Many thanks,

uk-bolly