Closed brisky closed 4 months ago
Created new Branch siemens/feat/Ensure_password_expiration_is_365_days_5_6_1_1
Included in block for remediation.
```yaml
# Read /etc/shadow so every existing account (including its hash field) is known.
- name: "5.6.1.1 | AUDIT | Get existing users"
  ansible.builtin.getent:
    database: shadow

# Set PASS_MAX_DAYS on each account that actually has a password set.
# getent_shadow[item].0 is the hash field; "!!", "!*" and "*" mean no usable password.
- name: "5.6.1.1 | PATCH | Set existing users"
  ansible.builtin.user:
    name: "{{ item }}"
    password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
  loop: "{{ getent_shadow | dict2items | map(attribute='key') | list }}"
  when: ( getent_shadow[item].0 != "!!" ) and
        ( getent_shadow[item].0 != "!*" ) and
        ( getent_shadow[item].0 != "*" )
```
Describe the Issue: CIS-CAT fails if there are existing users with a password set before the remediation runs; the default configuration the Ansible role sets up does not touch them. New users created after the lockdown ran will be covered.

Expected Behavior: CIS-CAT Assessment passes.

Actual Behavior: CIS-CAT Assessment fails:

| Name | Type | Status | Value |
| -- | -- | -- | -- |
| Username | String | Exists | brisky |
| Password | String | Exists | $6$[OBFUSCATED HASHED PWD] |
| Chg Lst | Int | Exists | 19620 |
| Chg Allow | Int | Exists | 0 |
| Chg Req | Int | Exists | 99999 |
| Exp Warn | Int | Exists | 7 |
| Exp Inact | Int | Exists | 30 |
| Exp Date | Int | Does not exist | No Value |
| Flag | String | Exists | No Value |
| Encrypt Method | String | Exists | SHA-512 |

Control(s) Affected: 5.6.1.1 Ensure password expiration is 365 days or less

Environment:

Additional Notes: N/A

Possible Solution: The way to tackle this would be to create a role to take care of the existing users. This would be achieved by targeting users with a password set.
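As an added illustration (not code from this issue or from the role), a small Python audit that mirrors what the CIS-CAT result above reports: it parses shadow entries, applies the same "password set" filter as the `when:` clause in the snippet, and lists users whose Chg Req (max days) field is empty or above 365. The `!`-prefixed locked-account forms and the sample shadow lines are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hash values the role's `when:` clause treats as "no usable password".
# "!" and a "!"-prefixed hash are added as an assumption: they mark accounts
# locked with `passwd -l`/`usermod -L` and are not in the original snippet.
NO_PASSWORD_MARKERS = {"!!", "!*", "*", "!", ""}
MAX_DAYS_LIMIT = 365  # CIS 5.6.1.1: password expiration 365 days or less

@dataclass
class ShadowEntry:
    name: str
    hash: str
    max_days: Optional[int]  # None when field 5 is empty (never expires)

    def has_password(self) -> bool:
        return self.hash not in NO_PASSWORD_MARKERS and not self.hash.startswith("!")

def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse /etc/shadow text: name:hash:lastchg:min:max:warn:inactive:expire:flag."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], int(f[4]) if f[4] else None))
    return entries

def failing_5_6_1_1(text: str) -> List[str]:
    """Users CIS-CAT flags: a usable hash whose max-days field (Chg Req)
    is empty or greater than 365. Locked/no-password accounts are skipped."""
    return [e.name for e in parse_shadow(text)
            if e.has_password()
            and (e.max_days is None or e.max_days > MAX_DAYS_LIMIT)]

# Constructed sample; the $6$ values are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER_ROOT:19620:0:99999:7:::
bin:*:19000:0:99999:7:::
sshd:!!:19000:0:99999:7:::
brisky:$6$PLACEHOLDER_BRISKY:19620:0:99999:7:30::
alice:$6$PLACEHOLDER_ALICE:19620:1:365:7:30::
bob:!$6$PLACEHOLDER_BOB:19620:0:99999:7:::
carol:$6$PLACEHOLDER_CAROL:19620:0::7:::
"""

if __name__ == "__main__":
    print("5.6.1.1 failing users:", failing_5_6_1_1(SAMPLE_SHADOW))
```

Running it against a real `/etc/shadow` (as root) gives the list of accounts the PATCH task above needs to touch before CIS-CAT will pass.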