ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

Chage tool related settings: max-days, min-days and warn-age, for get… #190

Closed ipruteanu-sie closed 4 months ago

ipruteanu-sie commented 5 months ago

5.6.1.{1-3} rules - chage impl

Overall Review of Changes: Adding chage settings for users

Issue Fixes:

189

Enhancements: Completing rules 5.6.1-3

How has this been tested?: Tested on VM

ipruteanu-sie commented 5 months ago

L.E.: About the newest commit:

As one may notice below, the values for the shells have no leading spaces, therefore the conditional below

"/usr/sbin/nologin" != "      /bin/false"

will be evaluated as True, forcing the conditionals not to work as intended.

changed: [192.168.126.152] => (item=root) => {
    "ansible_loop_var": "item",
    "changed": true,
    "cmd": "chage --warndays \"7\"  \"root\"",
    "delta": "0:00:00.091259",
    "end": "2024-03-11 10:47:30.783333",
    "invocation": {
        "module_args": {
            "_raw_params": "chage --warndays \"7\"  \"root\"",
            "_uses_shell": true,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "warn": false
        }
    },
    "item": {
        "dir": "/root",
        "gecos": "root",
        "gid": 0,
        "id": "root",
        "password": "x",
        "shell": "/bin/bash",
        "uid": 0
    },
    "msg": "",
    "rc": 0,
    "start": "2024-03-11 10:47:30.692074",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}
skipping: [192.168.126.152] => (item=bin)  => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": {
        "dir": "/bin",
        "gecos": "bin",
        "gid": 1,
        "id": "bin",
        "password": "x",
        "shell": "/usr/sbin/nologin",
        "uid": 1
    },
    "skip_reason": "Conditional result was False"
}
skipping: [192.168.126.152] => (item=daemon)  => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": {
        "dir": "/sbin",
        "gecos": "daemon",
        "gid": 2,
        "id": "daemon",
        "password": "x",
        "shell": "/usr/sbin/nologin",
        "uid": 2
    },
    "skip_reason": "Conditional result was False"
}
...
}
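The comparison problem described in the comment above, worked through as an added example (this is not code from the RHEL9-CIS role). It models the role's per-user loop in plain Python: a `buggy_targets` filter that chains inequality tests against a literal with stray leading whitespace, beside a `chage_targets` filter that strips the shell string and checks membership in a list of non-login shells. The `/etc/passwd` excerpt is constructed, and the `NOLOGIN_SHELLS` list and the max/min/warn day values are assumptions supplied as parameters, not something the page states.

```python
"""Select the accounts a chage task should touch and build the commands.

Added example, not code from the RHEL9-CIS role. It reproduces the failure
the comment above describes: a condition that compares the shell against a
string with leading whitespace never matches, so accounts with that shell
are not skipped. PASSWD_SAMPLE is constructed; the chage values and the
NOLOGIN_SHELLS list are assumptions passed in as parameters.
"""
import shlex

# Constructed /etc/passwd excerpt (not from a real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
svc:x:990:990:service:/var/lib/svc:/bin/false
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

# Assumed set of shells that mark a non-interactive account.
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Return a list of dicts shaped like the loop items in the log above."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, password, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"id": name, "password": password, "uid": int(uid),
                      "gid": int(gid), "gecos": gecos, "dir": home,
                      "shell": shell})
    return users


def buggy_targets(users):
    """Mirror the broken conditional: the padded literal can never equal a
    real shell value, so the /bin/false exclusion silently never applies."""
    return [u["id"] for u in users
            if u["shell"] != "/usr/sbin/nologin"
            and u["shell"] != "      /bin/false"]


def chage_targets(users, excluded_shells=NOLOGIN_SHELLS):
    """Strip surrounding whitespace and test membership in one list, so a
    stray space on either side of the comparison cannot change the result."""
    return [u["id"] for u in users
            if u["shell"].strip() not in excluded_shells]


def chage_commands(users, max_days=365, min_days=1, warn_days=7):
    """Build one argv per selected account (assumed day values)."""
    cmds = []
    for name in chage_targets(users):
        cmds.append(["chage", "--maxdays", str(max_days),
                     "--mindays", str(min_days),
                     "--warndays", str(warn_days), name])
    return cmds


if __name__ == "__main__":
    users = parse_passwd(PASSWD_SAMPLE)
    print("buggy selection:", buggy_targets(users))
    print("fixed selection:", chage_targets(users))
    for argv in chage_commands(users):
        print(shlex.join(argv))
```

With the constructed input the buggy filter selects `root`, `svc` and `alice`, while the fixed filter drops `svc` because its `/bin/false` shell is now matched. In an Ansible task the same idea is a single `when` test of the form `item.shell | trim not in nologin_shells` instead of a chain of separate `!=` comparisons against hand-typed literals.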
uk-bolly commented 5 months ago

hi @ipruteanu-sie

Thank you as always for the PR and feedback. I'm trying to understand how you have so many commits when so many are already in place. We seem to be adding files and changes that are already committed back in, meaning that we are checking things through multiple times.

Is there any chance you could pull the latest and just make the changes you need? That should hopefully mean we are only looking at the files you are trying to change.

Many thanks as always

uk-bolly

ipruteanu-sie commented 4 months ago

Hi @uk-bolly: #196 was created instead of current one.