ansible-lockdown / Windows-2022-CIS

CIS Baseline Ansible Role for Windows 2022
MIT License

Rule 1.1.3 Ensure Minimum password age is set to 1 or more days #50

Open msachikanta opened 2 months ago

msachikanta commented 2 months ago

Describe the Issue The when condition includes win22cis_maximum_password_age instead of win22cis_minimum_password_age, as shown below:

- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days"
  block:
      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age."
        ansible.builtin.debug:
            msg:
                - "Warning!! You have an invalid age set for win22cis_maximum_password_age please read"
                - "the notes for the variable and make the necessary change to the variable to be in compliance."
        when:
            - win22cis_maximum_password_age > 999 or
              win22cis_maximum_password_age == 0

      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count."
        ansible.builtin.import_tasks:
            file: warning_facts.yml
        vars:
            warn_control_id: '1.1.3'
        when:
            - win22cis_maximum_password_age > 999 or
              win22cis_maximum_password_age == 0

      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
        community.windows.win_security_policy:
            section: System Access
            key: MinimumPasswordAge
            value: "{{ win22cis_minimum_password_age }}"
        when:
            - win22cis_maximum_password_age <= 999 or
              win22cis_maximum_password_age > 0

Expected Behavior The when condition should include win22cis_minimum_password_age as shown below:

- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days"
  block:
      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age."
        ansible.builtin.debug:
            msg:
                - "Warning!! You have an invalid age set for win22cis_minimum_password_age please read"
                - "the notes for the variable and make the necessary change to the variable to be in compliance."
        when:
            # 0 days is the value that fails 1.1.3 (1 or more days), so warn on 0, not on the compliant value 1
            - win22cis_minimum_password_age > 999 or
              win22cis_minimum_password_age == 0

      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count."
        ansible.builtin.import_tasks:
            file: warning_facts.yml
        vars:
            warn_control_id: '1.1.3'
        when:
            - win22cis_minimum_password_age > 999 or
              win22cis_minimum_password_age == 0

      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
        community.windows.win_security_policy:
            section: System Access
            key: MinimumPasswordAge
            value: "{{ win22cis_minimum_password_age }}"
        when:
            # both bounds must hold; joined with 'or' the guard is true for every value and the patch runs even on an invalid one
            - win22cis_minimum_password_age <= 999 and
              win22cis_minimum_password_age > 0

Environment (please complete the following information):

Additional Notes If this issue can be fixed at the earliest, that would be really great.

Possible Solution

- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days"
  block:
      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age."
        ansible.builtin.debug:
            msg:
                - "Warning!! You have an invalid age set for win22cis_minimum_password_age please read"
                - "the notes for the variable and make the necessary change to the variable to be in compliance."
        when:
            # 0 days is the value that fails 1.1.3 (1 or more days), so warn on 0, not on the compliant value 1
            - win22cis_minimum_password_age > 999 or
              win22cis_minimum_password_age == 0

      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count."
        ansible.builtin.import_tasks:
            file: warning_facts.yml
        vars:
            warn_control_id: '1.1.3'
        when:
            - win22cis_minimum_password_age > 999 or
              win22cis_minimum_password_age == 0

      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
        community.windows.win_security_policy:
            section: System Access
            key: MinimumPasswordAge
            value: "{{ win22cis_minimum_password_age }}"
        when:
            # both bounds must hold; joined with 'or' the guard is true for every value and the patch runs even on an invalid one
            - win22cis_minimum_password_age <= 999 and
              win22cis_minimum_password_age > 0
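The bug reported above is a copy-paste error that a YAML parser cannot catch: the task is syntactically fine, it just guards the minimum-age patch with the maximum-age variable, and its range check is joined with `or`, so it holds for every value. The following linter is an added example, not code from the issue or from the Windows-2022-CIS role. It is stdlib-only Python that walks the `- name:` chunks of a tasks file and flags a task whose `when:` tests a different `win22cis_*` variable than the one its module sets, a task named "Minimum ..." guarded by a "...maximum..." variable, and an always-true `x <= hi or x > lo` range guard. The regexes, finding codes and the assumption that `when:` is the last key of a task are the example's own; the sample task text is constructed from the snippet in the issue (shortened) plus a corrected variant.

```python
"""Lint Ansible tasks for 'when:' guards wired to the wrong role variable.

Stdlib-only, regex-based (no full YAML parse): walks '- name:' chunks, assumes
'when:' is a task's last key (as in the role layout quoted in the issue) and
knows only win22cis_* variables. Finding codes:
  when-var-mismatch  'when:' tests a different variable than value: "{{ x }}" sets
  name-var-mismatch  a 'Minimum ...' task is guarded by a '...maximum...' variable (or vice versa)
  always-true-range  'x <= hi or x > lo' with lo < hi holds for every x, so it never skips the task
"""
import re

TASK_START = re.compile(r'^\s*-\s+name:\s*"?(.*?)"?\s*$', re.M)
JINJA_VAR = re.compile(r'\{\{\s*(win22cis_\w+)\s*\}\}')
ROLE_VAR = re.compile(r'\b(win22cis_\w+)\b')
RANGE_OR = re.compile(r'(win22cis_\w+)\s*<=\s*(\d+)\s+or\s+(win22cis_\w+)\s*>\s*(\d+)')
OPPOSITE = {'minimum': 'maximum', 'maximum': 'minimum'}


def split_tasks(text):
    """Yield (name, body) for every '- name:' entry, nested ones included."""
    starts = list(TASK_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.group(1), text[m.end():end]


def when_clause(body):
    """Return the text of the task's 'when:' clause, or '' if it has none."""
    m = re.search(r'^\s*when:(.*)', body, re.M | re.S)
    return m.group(1) if m else ''


def lint(text):
    """Return [(task name, finding code), ...] for a tasks-file text."""
    findings = []
    for name, body in split_tasks(text):
        when = when_clause(body)
        when_vars = set(ROLE_VAR.findall(when))
        set_vars = set(JINJA_VAR.findall(body))  # variables the module writes
        if set_vars and when_vars and not set_vars & when_vars:
            findings.append((name, 'when-var-mismatch'))
        lowered = name.lower()
        for word, other in OPPOSITE.items():
            if word in lowered and any(other in v for v in when_vars):
                findings.append((name, 'name-var-mismatch'))
        for var_a, hi, var_b, lo in RANGE_OR.findall(when):
            if var_a == var_b and int(lo) < int(hi):
                findings.append((name, 'always-true-range'))
    return findings


# Constructed sample: the 1.1.3 task as quoted in the issue (import task and msg text shortened).
BUGGY_TASK = '''\
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days"
  block:
      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age."
        ansible.builtin.debug:
            msg: "Warning!! You have an invalid age set for win22cis_maximum_password_age"
        when:
            - win22cis_maximum_password_age > 999 or
              win22cis_maximum_password_age == 0

      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
        community.windows.win_security_policy:
            section: System Access
            key: MinimumPasswordAge
            value: "{{ win22cis_minimum_password_age }}"
        when:
            - win22cis_maximum_password_age <= 999 or
              win22cis_maximum_password_age > 0
'''

# Constructed sample: the same task guarded by the minimum-age variable,
# warning on 0 (non-compliant) and patching only inside the valid range.
FIXED_TASK = '''\
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days"
  block:
      - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age."
        ansible.builtin.debug:
            msg: "Warning!! You have an invalid age set for win22cis_minimum_password_age"
        when:
            - win22cis_minimum_password_age > 999 or
              win22cis_minimum_password_age == 0

      - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
        community.windows.win_security_policy:
            section: System Access
            key: MinimumPasswordAge
            value: "{{ win22cis_minimum_password_age }}"
        when:
            - win22cis_minimum_password_age <= 999 and
              win22cis_minimum_password_age > 0
'''

if __name__ == '__main__':
    for label, text in (('issue #50 task', BUGGY_TASK), ('corrected task', FIXED_TASK)):
        print(label, '->', lint(text) or 'clean')
```

Run against the role's tasks directory this turns the reported bug into a pre-commit failure rather than a silently never-skipped patch; the `always-true-range` rule is the one to keep even after the variable name is fixed, since an `or` between the two bounds still lets an out-of-range value through.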