Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

5.6.1.{1-3} rules are only partially implemented, the chage options are missing #189

Open
ipruteanu-sie opened this issue Mar 11, 2024 · 0 comments
Open

5.6.1.{1-3} rules are only partially implemented, the chage options are missing #189

ipruteanu-sie opened this issue Mar 11, 2024 · 0 comments
Assignees
@uk-bolly
Labels
bug Something isn't working

Comments

@ipruteanu-sie
Copy link
Contributor

Describe the Issue
5.6.1.1 - Ensure password expiration is 365 days or less
5.6.1.2 - Ensure minimum days between password changes is configured
5.6.1.3 - Ensure password expiration warning days is 7 or more
CIS rules are advising users not only to add the proper values in /etc/login.defs(which is currently implemented via this role), but also to modify user params via chage tool.

Expected Behavior
Complete implementation of rules.

Actual Behavior
Partial implementation of rules.

Control(s) Affected
5.6.1.1, 5.6.1.2, 5.6.1.3

Environment (please complete the following information):

  • branch being used: [e.g. devel]
  • Ansible Version: [e.g. 2.13]
  • Additional Details:

Additional Notes
PR will take advantage of current ansible.builtin.user options:

shell: chage --warndays "{{ rhel9cis_pass['warn_age'] }}"  "{{ item.id }}"

since the password_expire_warn was added in ansible-core 2.16

Possible Solution
PR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@uk-bolly uk-bolly

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@uk-bolly @ipruteanu-sie