diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml
index 0af6018b4a0..e387ed75678 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml
@@ -11,13 +11,16 @@
register: user_names
- name: Change the maximum time period between password changes
-{{% if product not in ["rhel7", "ol7"] %}}
+{{% if product in ["rhel7", "ol7"] %}}
+ ansible.builtin.command:
+ cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }}
+{{% elif product in ["sle12","sle15"] %}}
+ ansible.builtin.command:
+ cmd: passwd -q -x {{ var_accounts_maximum_age_login_defs }} {{ item }}
+{{% else %}}
ansible.builtin.user:
user: '{{ item }}'
password_expire_max: '{{ var_accounts_maximum_age_login_defs }}'
-{{% else %}}
- ansible.builtin.command:
- cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }}
{{% endif %}}
with_items: '{{ user_names.stdout_lines }}'
when: user_names.stdout_lines | length > 0
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh
index d8149ebbccd..c3c548861df 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh
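Review bot: The reason sle12/sle15 get a raw `passwd -q -x` through `ansible.builtin.command` instead of the `ansible.builtin.user` module with `password_expire_max` that every other non-rhel7 product uses is not recorded anywhere in the task, and nothing in the hunk shows why the module path would not work there. Add a one-line comment above the `elif`, e.g. `# sle12/sle15: passwd -x is used because <reason>; keep in sync with bash/shared.sh`, so the next maintainer does not collapse the branches back. The `command` module (not `shell`) is the right choice here since `{{ item }}` is a login name read from /etc/shadow, and the task should stay that way. The collection task feeding `user_names` starts above this hunk.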
@@ -6,6 +6,14 @@
{{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
+{{% if product in ["sle12", "sle15"] %}}
+usrs_max_pass_age=( "$(awk -F: '$5 > $var_accounts_maximum_age_login_defs || $5 == "" {print $1}' /etc/shadow)" )
+for i in "${usrs_max_pass_age[@]}"
+do
+ passwd -q -x $((var_accounts_maximum_age_login_defs)) $i
+done
+{{% else %}}
{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_maximum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == \"\")) {print $1}' /etc/shadow") -%}}
chage -M $var_accounts_maximum_age_login_defs $i
{{%- endcall %}}
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
index 93fd76aaccc..c376d3a0ea9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -55,8 +55,15 @@ ocil: |-
fixtext: |-
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
-
- passwd -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+ {{% if product not in ["sle12", "sle15"] %}}
+ passwd -q -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+ {{% else %}}
+ usrs_max_pass_age=( "$(awk -F: '$5 > $var_accounts_maximum_age_login_defs || $5 == "" {print $1}' /etc/shadow)" )
+ for i in "${usrs_max_pass_age[@]}"
+ do
+ passwd -q -x $((var_accounts_maximum_age_login_defs)) $i
+ done
+ {{% endif %}}
srg_requirement: |-
{{{ full_name }}} user account passwords must have a 60-day maximum password lifetime restriction.
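Review bot: In the new SLE branch the awk program is single-quoted, so the shell never expands `$var_accounts_maximum_age_login_defs`; awk sees `$` applied to an unset variable, which is `$0`, and `$5 > $0` degenerates into a string comparison of the max-age field against the whole shadow line, selecting essentially every account. The branch also drops the `/^[^:]+:[^!*]/` guard the `else` branch keeps, so locked and system accounts with `!`/`*` hashes are remediated too, and the double-quoted `$(...)` makes `usrs_max_pass_age` a single element that is only split apart by the unquoted `$i`, handing several logins to one `passwd` invocation. The smallest fix is to keep the existing macro and vary only the command: `{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_maximum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == \"\")) {print $1}' /etc/shadow") -%}}`, then `passwd -q -x $var_accounts_maximum_age_login_defs $i`, then `{{%- endcall %}}`.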
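Review bot: The `fixtext` is rendered for a human reader, and the new SLE branch hands the administrator a shell loop that references `$var_accounts_maximum_age_login_defs`, a name the rendered guide never defines, together with the same unexpanded single-quoted awk filter as bash/shared.sh; the other branch correctly resolves the value through `{{{ xccdf_value(...) }}}`. The split also appears inverted relative to the remediations in this commit, where SLE is the product that gets the plain `passwd -q -x` and the others use `chage -M`. One unconditional line is enough here, e.g. `$ sudo passwd -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]`, or if a per-product split is really wanted, `$ sudo chage -M {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]` for the non-SLE branch. Whether the non-SLE `passwd` accepts `-q` is not established by anything in the diff and should be checked before it is added to that line.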
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml
index 22a93c8bfc4..8f702d4437e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml
@@ -4,13 +4,20 @@
# complexity = low
# disruption = low
+{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
+
- name: Collect users with not correct minimum time period between password changes
command: >
- awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow
+ awk -F':' '(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}' /etc/shadow
register: user_names
- name: Change the minimum time period between password changes
+{{% if product in ["sle12", "sle15"] %}}
+ command: >
+ passwd -q -n {{ var_accounts_minimum_age_login_defs }} {{ item }}
+{{% else %}}
command: >
chage -m 1 {{ item }}
+{{% endif %}}
with_items: "{{ user_names.stdout_lines }}"
when: user_names.stdout_lines | length > 0
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh
index 7b4f2c3e0cc..da8cb6dc365 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh
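Review bot: The collection task now selects every user whose minimum age is below `{{ var_accounts_minimum_age_login_defs }}`, but the non-SLE remediation in the `else` branch still runs the hard-coded `chage -m 1 {{ item }}`; with any variable value above 1 the task sets a value the next scan still rejects, reports a change on every run, and disagrees with bash/shared.sh, which sets `$var_accounts_minimum_age_login_defs`. Change that line to `chage -m {{ var_accounts_minimum_age_login_defs }} {{ item }}`. The new `ansible_instantiate_variables` call already makes the variable available to both tasks, so nothing else is needed for the fix.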
@@ -6,6 +6,14 @@
{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
+{{% if product in ["sle12", "sle15"] %}}
+usrs_min_pass_age=( "$(awk -F: '$4 < $var_accounts_minimum_age_login_defs || $4 == "" {print $1}' /etc/shadow)" )
+for i in "${usrs_min_pass_age[@]}"
+do
+ passwd -q -n $((var_accounts_minimum_age_login_defs)) $i
+done
+{{% else %}}
{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_minimum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == \"\")) {print $1}' /etc/shadow") -%}}
chage -m $var_accounts_minimum_age_login_defs $i
{{%- endcall %}}
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
index a133b6e69db..ba3ff97aaf5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -54,8 +54,15 @@ ocil: |-
fixtext: |-
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
-
+ {{% if product not in ["sle12", "sle15"] %}}
$ sudo chage -m {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}} [user]
+ {{% else %}}
+ usrs_min_pass_age=( "$(awk -F: '$4 < $var_accounts_minimum_age_login_defs || $4 == "" {print $1}' /etc/shadow)" )
+ for i in "${usrs_min_pass_age[@]}"
+ do
+ passwd -q -n $((var_accounts_minimum_age_login_defs)) $i
+ done
+ {{% endif %}}
srg_requirement: |-
{{{ full_name }}} passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
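Review bot: `$var_accounts_minimum_age_login_defs` sits inside a single-quoted awk program in the new SLE branch, so the shell never expands it and awk evaluates `$` of an unset variable as `$0`; `$4 < $0` is then a string comparison against the whole line that matches nearly every entry, including the `!`/`*` locked accounts the `else` branch deliberately skips with `/^[^:]+:[^!*]/`. The double-quoted `$(...)` also yields a one-element array that is only separated by the unquoted `$i`, so `passwd` is called once with every login as an operand. Reuse the macro and change only the command: `{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_minimum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == \"\")) {print $1}' /etc/shadow") -%}}`, then `passwd -q -n $var_accounts_minimum_age_login_defs $i`, then `{{%- endcall %}}`.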
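Review bot: The SLE branch of the `fixtext` pastes a shell loop that references `$var_accounts_minimum_age_login_defs`, which has no value in the rendered guide, and carries the same unexpanded awk filter as bash/shared.sh, while the non-SLE branch resolves the value correctly through `{{{ xccdf_value(...) }}}`. Replace the loop with one line in the same form as its sibling, `$ sudo passwd -n {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}} [user]`, and keep the `{{% if %}}` only if SLE guidance genuinely has to differ. The introductory sentence still promises "24 hours/1 day" even though the command now takes the variable; if the value can be set above 1, the sentence should refer to the configured minimum instead.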