Merge pull request #10173 from rumch-se/fix_accounts_password_min_max…

…_life_existing Fixes related to SLE 12/15 for the rules set_min/max_life_existing
ComplianceAsCode · Feb 10, 2023 · 772ea9d · 772ea9d
2 parents 4416dfe + c2dfe8a
commit 772ea9d
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 8 deletions.
diff --git a/...strictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml
@@ -11,13 +11,16 @@
   register: user_names
 
 - name: Change the maximum time period between password changes
-{{% if product not in ["rhel7", "ol7"] %}}
+{{% if product in ["rhel7", "ol7"] %}}
+  ansible.builtin.command:
+    cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }}
+{{% elif product in ["sle12","sle15"] %}}    
+  ansible.builtin.command:
+    cmd:  passwd -q -x {{ var_accounts_maximum_age_login_defs }} {{ item }}
+{{% else %}}        
   ansible.builtin.user:
     user: '{{ item }}'
     password_expire_max: '{{ var_accounts_maximum_age_login_defs }}'
-{{% else %}}
-  ansible.builtin.command:
-    cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }}
 {{% endif %}}
   with_items: '{{ user_names.stdout_lines }}'
   when: user_names.stdout_lines | length > 0
diff --git a/...s-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh b/...s-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh
@@ -6,6 +6,14 @@
 
 {{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
 
+{{% if product in ["sle12", "sle15"] %}}
+usrs_max_pass_age=( "$(awk -F: '$5 > $var_accounts_maximum_age_login_defs || $5 == "" {print $1}' /etc/shadow)" )
+for i in "${usrs_max_pass_age[@]}"
+do
+  passwd -q -x $((var_accounts_maximum_age_login_defs)) $i
+done
+{{% else %}}
 {{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_maximum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == \"\")) {print $1}' /etc/shadow") -%}}
 chage -M $var_accounts_maximum_age_login_defs $i
 {{%- endcall %}}
+{{% endif %}}
diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -55,8 +55,15 @@ ocil: |-
 
 fixtext: |-
     Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
-
-    passwd -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+    {{% if product not in ["sle12", "sle15"] %}}
+    passwd -q -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+    {{% else %}}
+    usrs_max_pass_age=( "$(awk -F: '$5 > $var_accounts_maximum_age_login_defs || $5 == "" {print $1}' /etc/shadow)" )
+    for i in "${usrs_max_pass_age[@]}"
+    do
+        passwd -q -x $((var_accounts_maximum_age_login_defs)) $i
+    done    
+    {{% endif %}}
 
 srg_requirement: |-
     {{{ full_name }}} user account passwords must have a 60-day maximum password lifetime restriction.
diff --git a/...strictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml
@@ -4,13 +4,20 @@
 # complexity = low
 # disruption = low
 
+{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
+
 - name: Collect users with not correct minimum time period between password changes
   command: >
-    awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow
+    awk -F':' '(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}' /etc/shadow
   register: user_names
 
 - name: Change the minimum time period between password changes
+{{% if product in ["sle12", "sle15"] %}}
+  command: >
+    passwd -q -n {{ var_accounts_minimum_age_login_defs }} {{ item }}
+{{% else %}}
   command: >
     chage -m 1 {{ item }}
+{{% endif %}}    
   with_items: "{{ user_names.stdout_lines }}"
   when: user_names.stdout_lines | length > 0
diff --git a/...s-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh b/...s-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh
@@ -6,6 +6,14 @@
 
 {{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 
+{{% if product in ["sle12", "sle15"] %}}
+usrs_min_pass_age=( "$(awk -F: '$4 < $var_accounts_minimum_age_login_defs || $4 == "" {print $1}' /etc/shadow)" )
+for i in "${usrs_min_pass_age[@]}"
+do
+  passwd -q -n $((var_accounts_minimum_age_login_defs)) $i
+done
+{{% else %}}
 {{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_minimum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == \"\")) {print $1}' /etc/shadow") -%}}
 chage -m $var_accounts_minimum_age_login_defs $i
 {{%- endcall %}}
+{{% endif %}}
diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -54,8 +54,15 @@ ocil: |-
 
 fixtext: |-
     Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
-
+    {{% if product not in ["sle12", "sle15"] %}}
     $ sudo chage -m {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}} [user]
+    {{% else %}}
+    usrs_min_pass_age=( "$(awk -F: '$4 < $var_accounts_minimum_age_login_defs || $4 == "" {print $1}' /etc/shadow)" )
+    for i in "${usrs_min_pass_age[@]}"
+    do
+      passwd -q -n $((var_accounts_minimum_age_login_defs)) $i
+    done
+    {{% endif %}}
 
 srg_requirement: |-
     {{{ full_name }}} passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.