Actually set min/max password lifetime for account

This patch changes the tasks for V-71927 and V-71931 to actually set
the minimum password age on user accounts rather than printing
useless debug messages.

Change-Id: I3e085160baef1ecc12a3c96f08ede3845c68449f

defaults/main.yml

@@ -375,6 +375,11 @@ security_unattended_upgrades_notifications: false
 #
 ###############################################################################
 
+## Accounts (accounts)
+# Set minimum password lifetime to 1 day for interactive accounts.
+security_set_minimum_password_lifetime: no                   # V-71927
+security_set_maximum_password_lifetime: no                   # V-71931
+
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
 security_rhel7_initialize_aide: no                           # V-71973

doc/metadata/rhel7/V-71927.rst

@@ -1,10 +1,19 @@
 ---
 id: V-71927
-status: implemented
+status: opt-in
 tag: accounts
 ---
 
-The tasks in the security role search for accounts with a minimum lifetime
+Setting a minimum password lifetime on interactive user accounts provides
-under 24 hours and display the usernames associated with those accounts.
+security benefits by limiting the frequency of password changes. However, this
-Ubuntu, CentOS, and Red Hat Enterprise Linux set the minimum life time to
+can cause login problems for users without proper communication and
-unlimited by default.
+coordination.
+
+Deployers can opt-in for this change by setting the following Ansible variable:
+
+.. code-block::
+
+    security_set_minimum_password_lifetime: yes
+
+The tasks will examine each interactive user account and set the minimum
+password age if the existing setting is not equal to one day.

doc/metadata/rhel7/V-71931.rst

@@ -1,9 +1,21 @@
 ---
 id: V-71931
-status: implemented
+status: opt-in
 tag: accounts
 ---
 
-If any users have a maximum password age on their current password set to a
+Although the STIG requires that a maximum password lifetime is set for all
-length of over 60 days, a list of those users is provided in the Ansible
+interactive user accounts, the security benefits of this configuration are
-output.
+debatable. The `draft of NIST Publication 800-63B`_ argues that password
+rotation may reduce overall security in some situations.
+
+Deployers can opt-in for this change by setting the following Ansible variable:
+
+.. code-block::
+
+    security_set_maximum_password_lifetime: yes
+
+The tasks will examine each interactive user account and set the maximum
+password age if the existing setting is not equal to 60 days.
+
+.. _draft of NIST Publication 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html

tasks/rhel7stig/accounts.yml

@@ -79,39 +79,25 @@
     - medium
     - V-71923
 
-- name: Get all user accounts with a password lifetime limit under 24 hours
+- name: Set minimum password lifetime limit to 24 hours for interactive accounts
-  shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
+  shell: "chage -m 1 {{ item.name }}"
-  check_mode: no
-  changed_when: False
-  register: password_lifetime_check
-  tags:
-    - accounts
-    - medium
-    - V-71927
-    - skip_ansible_lint
-
-- name: Print warning about accounts with password lifetimes under 24 hours
-  debug:
-    msg: |
-      Accounts were found with a minimum password lifetime limit under 24 hours:
-      {{ password_lifetime_check.stdout_lines | join(', ') }}
   when:
-    - password_lifetime_check.stdout_lines is defined
+    - item.shadow.min_days != 1
+    - security_set_minimum_password_lifetime
+  with_items:
+    - "{{ interactive_user_list.users }}"
   tags:
     - accounts
     - medium
     - V-71927
 
-- name: Print warning for accounts with a password lifetime over 60 days
+- name: Set maximum password lifetime limit to 60 days for interactive accounts
-  debug:
+  shell: "chage -M 60 {{ item.name }}"
-    msg: |
+  when:
-      The following user accounts have an existing password with a lifetime of
+    - item.shadow.max_days > 60
-      greater than 60 days:
+    - security_set_maximum_password_lifetime
-      {%- for user in user_list.users %}
+  with_items:
-      {% if user['shadow']['max_days'] > 60 %}
+    - "{{ interactive_user_list.users }}"
-          {{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
-      {% endif %}
-      {% endfor %}
   tags:
     - accounts
     - medium

tests/test.yml

@@ -93,6 +93,7 @@
     security_rhel7_remove_shosts_files: yes
     security_search_for_invalid_owner: yes
     security_search_for_invalid_group_owner: yes
+    security_set_minimum_password_lifetime: yes
     security_unattended_upgrades_enabled: yes
     security_unattended_upgrades_notifications: yes
     # NOTE(mhayden): clamav is only available if EPEL is installed. There needs