Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apply password age settings to existing regular users #582

Merged
merged 7 commits into from
Jan 23, 2023
Merged

apply password age settings to existing regular users #582

merged 7 commits into from
Jan 23, 2023

Conversation

DonEstefan
Copy link
Contributor

This fixes #570

Before merging you might want to spend some extra thoughts on:

  • testing (I tested RHEL8 only)
  • default values for newly introduced vars and changed existing vars
  • deprecation of either os_always_ignore_users or os_ignore_users variable. They seem to do exactly the same thing..?

@rndmh3ro
Copy link
Member

Can you please resolve the merge conflicts?

@DonEstefan
Copy link
Contributor Author

I fixed the conflicts. I hope I got it all right.

@DonEstefan
Copy link
Contributor Author

I just realized that this needs some more adjustments for accounts that have no password set at all (ssh-key login only). I was not aware that linux forces those users to create a password when max_age is reached - which is not desirable. I'll think about a workaround for this.
This might also be relevant for #579

@DonEstefan
Copy link
Contributor Author

This should be good to go now.

@rndmh3ro rndmh3ro force-pushed the introduce_password_ageing branch from bbc665b to 5750ca2 Compare January 19, 2023 14:44
schurzi
schurzi requested changes Jan 22, 2023
View reviewed changes
Copy link
Contributor

@schurzi schurzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks OK to me. When the linter and remaining CI test are green, this can be merged.

molecule/os_hardening/prepare.yml Outdated Show resolved Hide resolved
molecule/os_hardening/verify.yml Outdated Show resolved Hide resolved
molecule/os_hardening/verify_tasks/pw_ageing.yml Outdated Show resolved Hide resolved
molecule/os_hardening/verify_tasks/pw_ageing.yml Outdated Show resolved Hide resolved
molecule/os_hardening/verify_tasks/pw_ageing.yml Outdated Show resolved Hide resolved
molecule/os_hardening/verify_tasks/pw_ageing.yml Outdated Show resolved Hide resolved
roles/os_hardening/tasks/user_accounts.yml Outdated Show resolved Hide resolved
roles/os_hardening/tasks/user_accounts.yml Outdated Show resolved Hide resolved
Sebastian Gumprich and others added 5 commits January 23, 2023 08:50
add tests for password ageing
5810e01 
Signed-off-by: Sebastian Gumprich <[email protected]>
add debugging vars
1546a9e 
Signed-off-by: Sebastian Gumprich <[email protected]>
add tests for password ageing
34673ed 
Signed-off-by: Sebastian Gumprich <[email protected]>
add tests for password ageing
3614a88 
Signed-off-by: Sebastian Gumprich <[email protected]>
@rndmh3ro @schurzi
Apply suggestions from code review
f557d21 
Co-authored-by: schurzi <[email protected]>
@rndmh3ro rndmh3ro force-pushed the introduce_password_ageing branch from fbb7c80 to f557d21 Compare January 23, 2023 07:50
add additional condtion for regular users
202dd51 
Signed-off-by: Sebastian Gumprich <[email protected]>
@rndmh3ro rndmh3ro merged commit 674be6d into dev-sec:master Jan 23, 2023
rndmh3ro added a commit that referenced this pull request Jan 23, 2023
@DonEstefan @rndmh3ro @schurzi
apply password age settings to exisiting regular users (#582)
0291543 
* apply password age settings to regular users

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <[email protected]>

* add debugging vars

Signed-off-by: Sebastian Gumprich <[email protected]>

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <[email protected]>

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <[email protected]>

* Apply suggestions from code review

Co-authored-by: schurzi <[email protected]>

* add additional condtion for regular users

Signed-off-by: Sebastian Gumprich <[email protected]>

Signed-off-by: Sebastian Gumprich <[email protected]>
Co-authored-by: DonEstefan <[email protected]>
Co-authored-by: Sebastian Gumprich <[email protected]>
Co-authored-by: Sebastian Gumprich <[email protected]>
Co-authored-by: schurzi <[email protected]>
@schurzi schurzi changed the title apply password age settings to exisiting regular users apply password age settings to existing regular users Apr 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schurzi schurzi schurzi requested changes

Assignees
No one assigned
Labels
enhancement minor os_hardening
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

password ageing not enforced
3 participants
@DonEstefan @rndmh3ro @schurzi