V-3869{2,4}: Lock inactive accounts

Implements: blueprint security-hardening

Change-Id: I96ff7de8398c1fb60c73e169e597dd354121c05e

defaults/main.yml

@@ -179,6 +179,8 @@ admin_space_left_action: SUSPEND                  # V-54381
 # V-38684 - Setting the maximum number of simultaneous logins per user. The
 # STIG sets a limit of 10.
 #max_simultaneous_logins: 10                      # V-38684
+# V-38692 - Lock accounts that are inactive for 35 days.
+#inactive_account_lock_days: 35                   # V-38692
 
 ## Kernel modules
 # Set these booleans to 'yes' to disable the kernel module (following the

doc/source/developer-notes/V-38692.rst

@@ -0,0 +1,10 @@
+**Opt-in required**
+
+By default, Ubuntu doesn't require that inactive accounts are locked after a
+period of time. The STIG requires that accounts with 35 days of activity are
+locked.
+
+Deployers must opt-in for this change by setting the
+``inactive_account_lock_days`` Ansible variable. The STIG requires this to be
+set to 35 days at a maximum. The Ansible tasks will not make any changes to
+``/etc/default/useradd`` unless ``inactive_account_lock_days`` is set.

doc/source/developer-notes/V-38694.rst

@@ -0,0 +1 @@
+V-38692.rst

tasks/auth.yml

@@ -300,3 +300,14 @@
     - auth
     - cat3
     - V-38681
+
+- name: V-38692 - Lock inactive accounts
+  lineinfile:
+    dest: /etc/default_useradd
+    regexp: "^(#)?INACTIVE"
+    line: "INACTIVE {{ inactive_account_lock_days }}"
+  when: inactive_account_lock_days is defined
+  tags:
+    - auth
+    - cat3
+    - V-38692