Additional context
I guess you'd have to iterate through all the users that are not system accounts (which are handled separately).
It might be a good idea to introduce an additional variable users_without_password_ageing if someone does not like this.
Password ageing for user(s) with UID=0 might need to be handled separately (password_ageing_for_root_users=false).
I have not tested this, but I think this code (copied + adjusted from your handling of system accounts) could be a starting point:
```yaml
# Collect regular (non-system) accounts: every UID above uid_max
- name: Get all regular user accounts
  command: "awk -F: '{ if ( $3 > {{ uid_max | quote }} ) print $1 }' /etc/passwd"
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: non_sys_accs

# Set age settings for regular non-system accounts,
# skipping anyone listed in users_without_password_ageing
- name: Set password ageing for regular user accounts
  user:
    name: "{{ item }}"
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
  loop: "{{ non_sys_accs.stdout_lines | default([]) | difference(users_without_password_ageing | default([])) | list }}"

# UID 0 accounts are handled separately and only when requested
- name: Get all user accounts with UID 0
  command: "awk -F: '{ if ( $3 == 0 ) print $1 }' /etc/passwd"
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: root_accs
  when: password_ageing_for_root_users | default(false) | bool

- name: Set password ageing for users with UID 0
  user:
    name: "{{ item }}"
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
  loop: "{{ root_accs.stdout_lines | default([]) }}"
  when: password_ageing_for_root_users | default(false) | bool
```
Describe the bug
"os_auth_pw_min_age" and "os_auth_pw_max_age" of the linux_hardening role affect only newly created users, not existing users.
Since "login.defs" is used to enforce the settings, https://manpages.ubuntu.com/manpages/bionic/en/man5/login.defs.5.html shows a relevant limitation:
Expected behavior
The linux_hardening role should also apply the pw age settings to existing users.
Actual behavior
Settings are not applied to existing users.
Ansible Version
Role Version
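An added audit example (not part of the original issue or the role's code): it reads the min/max age fields of shadow(5) entries and lists the existing accounts that do not carry the policy, which is the gap this issue describes. The sample passwd/shadow content is constructed, and the values `uid_max=999`, `min_age=7` and `max_age=60` are assumptions; `exempt` and `include_uid0` mirror the `users_without_password_ageing` and `password_ageing_for_root_users` variables proposed in the issue.

```python
# Constructed sample data, not taken from a real host.
# shadow(5) fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""
SHADOW = """\
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed:19000:0:99999:7:::
bob:$6$constructed:19000:7:60:7:::
carol:$6$constructed:19000::::::
"""


def parse_ages(shadow_text):
    """Map user name -> (min_age, max_age); an empty field becomes None."""
    ages = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed entry, nothing to compare
        ages[fields[0]] = tuple(int(v) if v else None for v in fields[3:5])
    return ages


def non_compliant(passwd_text, shadow_text, uid_max, min_age, max_age,
                  exempt=(), include_uid0=False):
    """Return [(user, (min, max))] for selected accounts that miss the policy."""
    ages = parse_ages(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], int(fields[2])
        # Regular accounts sit above uid_max; UID 0 is opt-in, as in the issue.
        selected = uid > uid_max or (include_uid0 and uid == 0)
        if not selected or name in exempt:
            continue
        current = ages.get(name, (None, None))
        if current != (min_age, max_age):
            findings.append((name, current))
    return findings


if __name__ == "__main__":
    for user, (lo, hi) in non_compliant(PASSWD, SHADOW, 999, 7, 60):
        print(f"{user}: min={lo} max={hi} (expected min=7 max=60)")
```

On a real host the same two functions can be fed the contents of `/etc/passwd` and `/etc/shadow` (the latter needs root to read).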