Verify password age limits [+Docs]
This patch checks for user accounts that have a maximum password age of more than 60 days. It also extends the `get_users` module to retrieve shadow database information. Implements: blueprint security-rhel7-stig Change-Id: Ida3fd56ee9133dab73f65d47a6934b5596e95b69
This commit is contained in:
parent
d5ee4c331c
commit
0e8feaf9eb
@ -1,7 +1,9 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-010230
|
id: RHEL-07-010230
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: auth
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
If any users have a maximum password age on their current password set to a
|
||||||
|
length of over 60 days, a list of those users is provided in the Ansible
|
||||||
|
output.
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
|
|
||||||
import grp
|
import grp
|
||||||
import pwd
|
import pwd
|
||||||
|
import spwd
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
||||||
|
|
||||||
@ -53,7 +54,8 @@ def make_user_dict(user_record):
|
|||||||
'gecos': user_record.pw_gecos,
|
'gecos': user_record.pw_gecos,
|
||||||
'dir': user_record.pw_dir,
|
'dir': user_record.pw_dir,
|
||||||
'shell': user_record.pw_shell,
|
'shell': user_record.pw_shell,
|
||||||
'group': make_group_dict(user_record.pw_gid)
|
'group': make_group_dict(user_record.pw_gid),
|
||||||
|
'shadow': make_shadow_dict(user_record.pw_name)
|
||||||
}
|
}
|
||||||
return user_dict
|
return user_dict
|
||||||
|
|
||||||
@ -73,6 +75,24 @@ def make_group_dict(gid):
|
|||||||
return group_dict
|
return group_dict
|
||||||
|
|
||||||
|
|
||||||
|
def make_shadow_dict(username):
|
||||||
|
"""Create a dictionary of user shadow password database attributes."""
|
||||||
|
try:
|
||||||
|
shadow_record = spwd.getspnam(username)
|
||||||
|
except KeyError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
shadow_dict = {
|
||||||
|
'last_changed': shadow_record.sp_lstchg,
|
||||||
|
'min_days': shadow_record.sp_min,
|
||||||
|
'max_days': shadow_record.sp_max,
|
||||||
|
'warn_days': shadow_record.sp_warn,
|
||||||
|
'inact_days': shadow_record.sp_inact,
|
||||||
|
'expire_days': shadow_record.sp_expire,
|
||||||
|
}
|
||||||
|
return shadow_dict
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
"""Ansible calls this function."""
|
"""Ansible calls this function."""
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
|
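Review bot: `make_shadow_dict` returns `False` when `spwd.getspnam` raises `KeyError`, and the `make_user_dict` hunk above stores that value directly under `'shadow'`, so any consumer that indexes `user['shadow']['max_days']` — the playbook task in the last hunk does — errors on a user without a shadow entry instead of receiving a dict. Returning `{}` instead, with the docstring extended to say that an empty result means the shadow entry was absent or unreadable, keeps the value's type stable and lets callers test `if user['shadow']`. Reading the shadow database also needs privilege: when the module runs unprivileged every lookup fails (with `KeyError`, or `PermissionError` on Python 3.6 and later, which this `except` does not catch), and the module then reports no shadow data for anyone rather than an error, so that case is worth surfacing with `module.fail_json` or a warning rather than treating it like a missing entry. Note too that `spwd` is deprecated from Python 3.11 and removed in 3.13, so the import at the top of the module will eventually need a fallback. `make_user_dict` begins outside its hunk.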
@ -142,6 +142,21 @@
|
|||||||
- medium
|
- medium
|
||||||
- RHEL-07-010240
|
- RHEL-07-010240
|
||||||
|
|
||||||
|
- name: RHEL-07-010230 - Existing passwords must be restricted to a 60-day maximum lifetime.
|
||||||
|
debug:
|
||||||
|
msg: |
|
||||||
|
The following user accounts have an existing password with a lifetime of
|
||||||
|
greater than 60 days:
|
||||||
|
{%- for user in user_list.users %}
|
||||||
|
{% if user['shadow']['max_days'] > 60 %}
|
||||||
|
{{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
tags:
|
||||||
|
- auth
|
||||||
|
- medium
|
||||||
|
- RHEL-07-010230
|
||||||
|
|
||||||
- name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
|
- name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ pam_auth_file }}"
|
dest: "{{ pam_auth_file }}"
|
||||||
|
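Review bot: The `{% if user['shadow']['max_days'] > 60 %}` test lets through accounts whose maximum password age is not set at all: `spwd` reports an empty maximum-age field as -1, which also violates a 60-day maximum lifetime but compares as less than 60 here. Extending the condition to `{% if user['shadow']['max_days'] > 60 or user['shadow']['max_days'] < 0 %}` catches both cases. The task is a `debug` message, so the heading about accounts with a lifetime greater than 60 days is printed even when the loop matches nobody; a `when:` on a filtered list, or an explicit "none" line when nothing matched, would make an empty result distinguishable in the output.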