5.6.1.1 Ensure password expiration is 365 days or less
brisky opened this issue
Describe the Issue
CIS-CAT fails if there are existing users with a password set prior to the remediation run.
These the Ansible role, with its default config, won't touch.
New users created after the lockdown ran will be covered.
Expected Behavior
CIS-CAT Assessment pass.
Actual Behavior
CIS-CAT Assessment fail:
| Name | Type | Status | Value |
|---|---|---|---|
| Username | String | Exists | brisky |
| Password | String | Exists | |
| Chg Lst | Int | Exists | 19620 |
| Chg Allow | Int | Exists | 0 |
| Chg Req | Int | Exists | 99999 |
| Exp Warn | Int | Exists | 7 |
| Exp Inact | Int | Exists | 30 |
| Exp Date | Int | Does not exist | No Value |
| Flag | String | Exists | No Value |
| Encrypt Method | String | Exists | SHA-512 |
Control(s) Affected
5.6.1.1 Ensure password expiration is 365 days or less
Environment:
- branch being used: devel
- Ansible Version: 2.15.4
- Host Python Version: 3.9.6
- Ansible Server Python Version: 3.9.16
- Additional Details: N/A
Additional Notes
N/A
Possible Solution
The way to tackle this would be to create a role to take care of the existing users.
This would be achieved by targeting users with a password set.
Created new Branch siemens/feat/Ensure_password_expiration_is_365_days_5_6_1_1
Included in block for remediation.
```yaml
- name: "5.6.1.1 | AUDIT | Get existing users"
  ansible.builtin.getent:
    database: shadow

# getent_shadow[user] is the list of shadow fields for that user; index 0 is the
# password hash. "!!", "!*" and "*" mark accounts with no usable password, so
# those are skipped and only accounts with a password set get the new max age.
- name: "5.6.1.1 | PATCH | Set existing users"
  ansible.builtin.user:
    name: "{{ item }}"
    password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
  loop: "{{ getent_shadow | dict2items | map(attribute='key') | list }}"
  when:
    - getent_shadow[item][0] != "!!"
    - getent_shadow[item][0] != "!*"
    - getent_shadow[item][0] != "*"
```
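As an added example (not code from this issue or from the ansible-lockdown role), the same audit done offline in Python: it parses getent-shadow style lines using the field layout CIS-CAT reports above, skips the hash values the task's `when` clause skips (plus, as an assumption added here, any `!`-prefixed locked hash) and returns the accounts whose maximum password age would fail 5.6.1.1. The shadow lines are constructed sample data.

```python
MAX_DAYS = 365  # CIS 5.6.1.1 threshold

# Hash values the posted Ansible task treats as "no password set"; treating a
# "!"-prefixed (locked) hash the same way is an assumption added in this example.
NO_PASSWORD = {"", "!!", "!*", "*"}

def password_is_set(hash_field):
    """True if the shadow entry carries a usable password hash."""
    return hash_field not in NO_PASSWORD and not hash_field.startswith("!")

def parse_shadow(lines):
    """Parse getent-shadow style lines into {user: {"password", "max_days"}}."""
    entries = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed line: the max-days field is missing
        user, pw, _last_change, _min_days, max_days = fields[:5]
        # An empty max-days field means the password never expires.
        entries[user] = {"password": pw,
                         "max_days": int(max_days) if max_days.isdigit() else None}
    return entries

def audit_password_expiration(lines, max_days=MAX_DAYS):
    """Return [(user, current max_days)] for accounts that would fail 5.6.1.1."""
    failing = []
    for user, entry in parse_shadow(lines).items():
        if not password_is_set(entry["password"]):
            continue  # same exclusion the Ansible 'when' clause applies
        if entry["max_days"] is None or entry["max_days"] > max_days:
            failing.append((user, entry["max_days"]))
    return failing

# Constructed sample: mirrors the failing 'brisky' entry from the report above
# (Chg Req 99999) next to a compliant user, a locked account and two
# accounts without a password; no real hashes.
SAMPLE_SHADOW = [
    "brisky:$6$constructed$hashvalue:19620:0:99999:7:30::",
    "alice:$6$constructed$otherhash:19620:1:365:7:30::",
    "locked:!$6$constructed$lockedhash:19620:0:99999:7:30::",
    "bin:*:18000:0:99999:7:::",
    "newuser:!!:19620:0:99999:7:::",
]

if __name__ == "__main__":
    for user, days in audit_password_expiration(SAMPLE_SHADOW):
        print(f"{user}: PASS_MAX_DAYS={days} exceeds {MAX_DAYS}")
```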