Include accounts_set_post_pw_existing rule in CIS RHEL

controls/cis_rhel7.yml

@@ -2014,10 +2014,11 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    status: partial # we do not check /et/shadow
+    status: automated
     rules:
-    - account_disable_post_pw_expiration
-    - var_account_disable_post_pw_expiration=30
+      - account_disable_post_pw_expiration
+      - var_account_disable_post_pw_expiration=30
+      - accounts_set_post_pw_existing
 
   - id: 5.5.1.5
     title: Ensure all users last password change date is in the past (Automated)

controls/cis_rhel8.yml

@@ -2308,17 +2308,16 @@ controls:
       - accounts_password_warn_age_login_defs
       - var_accounts_password_warn_age_login_defs=7
 
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5536
   - id: 5.6.1.4
     title: Ensure inactive password lock is 30 days or less (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial  # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control.
+    status: automated
     rules:
       - account_disable_post_pw_expiration
       - var_account_disable_post_pw_expiration=30
+      - accounts_set_post_pw_existing
 
   - id: 5.6.1.5
     title: Ensure all users last password change date is in the past (Automated)

controls/cis_rhel9.yml

@@ -2159,17 +2159,16 @@ controls:
       - accounts_password_warn_age_login_defs
       - var_accounts_password_warn_age_login_defs=7
 
-  # NEEDS RULE
-  # https://github.com/ComplianceAsCode/content/issues/5536
   - id: 5.6.1.4
     title: Ensure inactive password lock is 30 days or less (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial  # The rule below does not validate wheter all current users' INACTIVE setting conforms to the control.
+    status: automated
     rules:
       - account_disable_post_pw_expiration
       - var_account_disable_post_pw_expiration=30
+      - accounts_set_post_pw_existing
 
   - id: 5.6.1.5
     title: Ensure all users last password change date is in the past (Automated)

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/ansible/shared.yml

@@ -1,20 +1,19 @@
-# platform = multi_platform_sle
-# reboot = false
-# strategy = restrict
+# platform = multi_platform_all
 # complexity = low
 # disruption = low
+# reboot = false
+# strategy = restrict
 
 {{{ ansible_instantiate_variables("var_account_disable_post_pw_expiration") }}}
 
 - name: Collect users with not correct INACTIVE parameter set 
   ansible.builtin.command:
-    cmd: awk -F':' '$7 > {{ var_account_disable_post_pw_expiration }} || $7 == "" {print $1}' /etc/shadow
+    cmd: awk -F':' '(($7 > {{ var_account_disable_post_pw_expiration }} || $7 == "") && $2 ~ /^\$/) {print $1}' /etc/shadow
   register: user_names
+  changed_when: false
 
 - name: Change the period of inactivity 
-{{% if product in ["sle12", "sle15"] %}}
   ansible.builtin.command:
     cmd: chage --inactive {{ var_account_disable_post_pw_expiration }} {{ item }}
-{{% endif %}}
   with_items: '{{ user_names.stdout_lines }}'
   when: user_names.stdout_lines | length > 0

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/bash/shared.sh

@@ -1,11 +1,11 @@
-# platform = multi_platform_sle
-# reboot = false
-# strategy = restrict
+# platform = multi_platform_all
 # complexity = low
 # disruption = low
+# reboot = false
+# strategy = restrict
 
 {{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}}
 
-{{% call iterate_over_command_output("i", "awk -v var=\"$var_account_disable_post_pw_expiration\" -F: '$7 > var || $7 == \"\" {print $1}' /etc/shadow") -%}}
+{{% call iterate_over_command_output("i", "awk -v var=\"$var_account_disable_post_pw_expiration\" -F: '(($7 > var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow") -%}}
 chage --inactive $var_account_disable_post_pw_expiration $i
 {{%- endcall %}}

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/oval/shared.xml

@@ -1,33 +1,42 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-      {{{ oval_metadata("Set existing passwords a period of inactivity before they been locked") }}}
-    <criteria >
-      <criterion comment="Passwords must be configured to the appropriate period of inactivity for existing accounts." test_ref="test_password_post_pw_existing" />
+    {{{ oval_metadata("Set existing passwords a period of inactivity before they been locked") }}}
+    <criteria operator="OR">
+      <criterion test_ref="test_accounts_set_post_pw_existing"
+        comment="Passwords must be configured to the appropriate period of inactivity."/>
+      <criterion test_ref="test_accounts_set_post_pw_existing_no_pass"
+        comment="There is no password defined in /etc/shadow"/>
     </criteria>      
   </definition>
 
-  <!-- Define 1st test for the shadow file for non-system accounts to look for INACTIVE parameter  . -->
-  <unix:shadow_test id="test_password_post_pw_existing" version="1"
+  <unix:shadow_test id="test_accounts_set_post_pw_existing" version="1"
     check="all" check_existence="at_least_one_exists"
     comment="Password INACTIVE parameter is no more than 30 days.">
     <unix:object object_ref="object_shadow_password_users_post_pw_existing"/>
     <unix:state state_ref="inactive_param_for_passwords_change"/>
   </unix:shadow_test>
 
-
   <unix:shadow_object id="object_shadow_password_users_post_pw_existing" version="1">
     <unix:username operation="pattern match">.*</unix:username>
+    <filter action="exclude">state_accounts_set_post_pw_existing_no_password</filter>
   </unix:shadow_object>
+
+  <unix:shadow_state id="state_accounts_set_post_pw_existing_no_password" version="1">
+      <unix:password operation="pattern match">^(!|!!|!\*|\*|!locked)$</unix:password>
+  </unix:shadow_state>
 
   <unix:shadow_state id="inactive_param_for_passwords_change" version="1"
     comment="change INACTIVE parameter for passwords to the recommended value">
     <unix:exp_inact operation="less than or equal" datatype="int"
       var_ref="var_account_disable_post_pw_expiration"/>
   </unix:shadow_state>
 
-
-  <!-- this external variable is defined at the group level,
-       reusing the account-level definitions. -->
   <external_variable id="var_account_disable_post_pw_expiration" datatype="int" version="1"
-                     comment="Number of days after an user account that has been inactive can be automatically disabled"/>
+    comment="Number of days after an inactive user account can be automatically disabled"/>
+
+  <unix:shadow_test id="test_accounts_set_post_pw_existing_no_pass" version="1"
+    check="all" check_existence="none_exist"
+    comment="Check the inexistence of users with a password defined">
+    <unix:object object_ref="object_shadow_password_users_post_pw_existing"/>
+  </unix:shadow_test>
 </def-group>

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15
+prodtype: rhel7,rhel8,rhel9,sle12,sle15
 
 title: 'Set existing passwords a period of inactivity before they been locked'
 
@@ -9,18 +9,23 @@ description: |-
     to be automatically disabled by running the following command:
     <pre>$ sudo chage --inactive 30<i>USER</i></pre>
 
-
 rationale: |-
     Inactive accounts pose a threat to system security since the users are not logging in to
     notice failed login attempts or other anomalies.
 
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-86757-2
+    cce@rhel8: CCE-86758-0
+    cce@rhel9: CCE-86759-8
     cce@sle12: CCE-92322-7
     cce@sle15: CCE-92480-3
 
 references:
+    cis@rhel7: 5.5.1.4
+    cis@rhel8: 5.6.1.4
+    cis@rhel9: 5.6.1.4
     cis@sle12: 5.4.1.5
     cis@sle15: 5.4.1.5
     cis@ubuntu2004: 5.4.1.4
@@ -37,7 +42,6 @@ references:
     pcidss: Req-8.1.4
     srg: SRG-OS-000118-GPOS-00060
 
-
 ocil_clause: 'the value of INACTIVE is greater than the expected value or is -1'
 
 ocil: |-

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/correct_set_post_pw.pass.sh

@@ -1,11 +1,16 @@
 #!/bin/bash
+# variables = var_account_disable_post_pw_expiration=30
 
-# platform = multi_platform_sle
+INACTIVE_VALUE=30
+TEST_USER="cac_testuser"
 
-SECURE_INACTIVE=30
+# create valid testuser entry in /etc/shadow
+useradd $TEST_USER
+sed -E -i "s/($TEST_USER:)(.*)/\1\$6\$exIFis0tobKRcGBk\$b.UR.Z8h96FdxJ1bgA\/vhdnp0Lsm488swdILNguQX\/5qH5hdmClyYb5xk3TpELXWzr4JOiTlHfRkPsXSjMPjv0:19396:1:60:7:$INACTIVE_VALUE::/" /etc/shadow
 
-users_to_set=( $(awk -v var=\"$SECURE_INACTIVE\" -F: '$7 > var || $7 == "" {print $1}' /etc/shadow) )
-for i in ${users_to_set[@]};
+# ensure existing users with a password defined also have the correct value defined
+users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 > var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow))
+for user in ${users_to_set[@]};
 do
-   chage --inactive $SECURE_INACTIVE $i
+   chage --inactive $INACTIVE_VALUE $user
 done

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/incorrect_set_post_pw.fail.sh

@@ -1,12 +1,16 @@
 #!/bin/bash
+# variables = var_account_disable_post_pw_expiration=30
 
-# packages = passwd
+INACTIVE_VALUE=60
+TEST_USER="cac_testuser"
 
-BAD_INACTIVE=60
+# create valid testuser entry in /etc/shadow
+useradd $TEST_USER
+sed -E -i "s/($TEST_USER:)(.*)/\1\$6\$exIFis0tobKRcGBk\$b.UR.Z8h96FdxJ1bgA\/vhdnp0Lsm488swdILNguQX\/5qH5hdmClyYb5xk3TpELXWzr4JOiTlHfRkPsXSjMPjv0:19396:1:60:7:$INACTIVE_VALUE::/" /etc/shadow
 
-# Configure the OS to disable INACTIVE setting of each accout  
-system_users=( $(awk -F: '{print $1}' /etc/shadow) )
-for i in ${system_users[@]};
+# ensure existing users with a password defined also have the incorrect value defined
+users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 <= var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow))
+for user in ${users_to_set[@]};
 do
-  chage --inactive $BAD_INACTIVE $i
+   chage --inactive $INACTIVE_VALUE $user
 done

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/no_password_defined.pass.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -E -i 's/(\w*:)(\$[^:]*)(:.*)/\1!!\3/' /etc/shadow

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/tests/one_incorrect_set_post_pw.fail.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# variables = var_account_disable_post_pw_expiration=30
+
+INACTIVE_VALUE=30
+INCORRECT_VALUE=60
+TEST_USER="cac_testuser"
+
+# ensure existing users with a password defined have the correct value defined
+users_to_set=($(awk -v var=\"$INACTIVE_VALUE\" -F: '(($7 <= var || $7 == \"\") && $2 ~ /^\$/) {print $1}' /etc/shadow))
+for user in ${users_to_set[@]};
+do
+   chage --inactive $INACTIVE_VALUE $user
+done
+
+# create valid testuser entry in /etc/shadow with the incorrect value defined
+useradd $TEST_USER
+sed -E -i "s/($TEST_USER:)(.*)/\1\$6\$exIFis0tobKRcGBk\$b.UR.Z8h96FdxJ1bgA\/vhdnp0Lsm488swdILNguQX\/5qH5hdmClyYb5xk3TpELXWzr4JOiTlHfRkPsXSjMPjv0:19396:1:60:7:$INCORRECT_VALUE::/" /etc/shadow

shared/references/cce-redhat-avail.txt

@@ -495,9 +495,6 @@ CCE-86753-1
 CCE-86754-9
 CCE-86755-6
 CCE-86756-4
-CCE-86757-2
-CCE-86758-0
-CCE-86759-8
 CCE-86760-6
 CCE-86761-4
 CCE-86762-2