password ageing not enforced #570

Closed
DonEstefan opened this issue Aug 25, 2022 · 1 comment · Fixed by #582
Comments

@DonEstefan
Contributor

Describe the bug

"os_auth_pw_min_age" and "os_auth_pw_max_age" of the linux_hardening role affect only newly created users, not existing users.

Since "login.defs" is used to enforce the settings, https://manpages.ubuntu.com/manpages/bionic/en/man5/login.defs.5.html shows a relevant limitation:

PASS_MAX_DAYS, PASS_MIN_DAYS are only used at the time of account creation. Any changes to these settings won't affect existing accounts.

Expected behavior

The linux_hardening role should also apply the pw age settings to existing users.

Actual behavior

Settings are not applied to existing users.

Ansible Version

$ ansible --version
ansible [core 2.12.2]
  config file = /home/sela/ansible-proxy/ansible.cfg
  configured module search path = ['/home/sela/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/sela/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.12 (default, Apr 21 2022, 07:55:08) [GCC 8.5.0 20210514 (Red Hat 8.5.0-10)]
  jinja version = 2.10.3
  libyaml = True

Role Version

7.14.3

Additional context
I guess you'd have to iterate through all the users that are not system accounts (which are handled separately).
It might be a good idea to introduce an additional variable users_without_password_ageing if someone does not like this.
Password ageing for user(s) with UID=0 might need to be handled separately (password_ageing_for_root_users=false).
I have not tested this, but I think this code (copied + adjusted from your handling of system accounts) could be a starting point:

- name: Get all regular user accounts
  command: awk -F'':'' '{ if ( $3 > {{ uid_max|quote }} ) print $1}' /etc/passwd
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: non_sys_accs

# set age settings for regular non-system accounts
# (the registered command result is a list only via .stdout_lines, and a Jinja
# expression that starts a YAML value has to be quoted)
- name: Set password ageing for user {{ item }}
  user:
    name: "{{ item }}"
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
  with_flattened:
    - '{{ non_sys_accs.stdout_lines | default([]) | difference(users_without_password_ageing | default([])) | list }}'

- name: Get all user accounts with UID 0
  command: awk -F'':'' '{ if ( $3 == 0 ) print $1}' /etc/passwd
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: root_accs
  # "when" is a Jinja expression; "x=true" is not a comparison
  when: password_ageing_for_root_users | default(false) | bool

- name: Set password ageing for user with UID 0
  user:
    name: "{{ item }}"
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
  with_flattened:
    - '{{ root_accs.stdout_lines | default([]) | list }}'
  when: password_ageing_for_root_users | default(false) | bool
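The ageing that actually applies to an existing account is stored in fields 4 and 5 of its /etc/shadow entry, which is why editing login.defs alone leaves it unchanged. As an added example (not the poster's snippet and not part of the role), the script below audits constructed /etc/passwd and /etc/shadow samples against the role's os_auth_pw_min_age/os_auth_pw_max_age values, using the same UID scoping as the tasks above; uid_max, the exclusion list and the policy values are assumed inputs.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample files (not from a real host); the hash fields are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""
SHADOW = """root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$placeholder:19000:0:99999:7:::
bob:$6$placeholder:19000:7:60:7:::
"""

def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> UID (field 3 of /etc/passwd)."""
    uids = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and not line.startswith("#"):
            uids[f[0]] = int(f[2])
    return uids

def parse_shadow(text: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Map user name -> (min days, max days) as stored in /etc/shadow fields 4
    and 5; an empty field means 'not set' and is returned as None."""
    ageing = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 5 and not line.startswith("#"):
            ageing[f[0]] = (int(f[3]) if f[3] else None, int(f[4]) if f[4] else None)
    return ageing

def noncompliant_accounts(passwd: str, shadow: str, uid_max: int, pw_min_age: int,
                          pw_max_age: int, exclude=(), include_root=False) -> List[tuple]:
    """Return (user, uid, stored_min, stored_max) for in-scope accounts whose
    stored ageing differs from the policy. Scope mirrors the tasks above:
    UID > uid_max is a regular account, UID 0 only when include_root is set,
    and names listed in exclude are skipped."""
    ageing = parse_shadow(shadow)
    findings = []
    for user, uid in parse_passwd(passwd).items():
        in_scope = uid > uid_max or (include_root and uid == 0)
        if not in_scope or user in exclude:
            continue
        stored_min, stored_max = ageing.get(user, (None, None))
        if (stored_min, stored_max) != (pw_min_age, pw_max_age):
            findings.append((user, uid, stored_min, stored_max))
    return findings
```

On most distributions the nobody account (UID 65534) sits above uid_max and is therefore in scope; put it in exclude if it should not be aged.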