From 2f60b44ccaa1fc8772d8e7848a5ce1eaa9ce55db Mon Sep 17 00:00:00 2001
From: Norman Ziegner
Date: Wed, 1 Feb 2023 16:17:36 +0100
Subject: [PATCH 1/2] os_hardening: Add variable to set the number of days of warning before user password expires

Signed-off-by: Norman Ziegner
---
 roles/os_hardening/README.md | 3 +++
 roles/os_hardening/defaults/main.yml | 1 +
 roles/os_hardening/templates/etc/login.defs.j2 | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index ac9605e7..2c06d176 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -107,6 +107,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auth_pw_min_age`
 - Default: `7`
 - Description: minimum password age (before allowing any other password change).
+- `os_auth_pw_warn_age`
+ - Default: `7`
+ - Description: number of days of warning before password expires.
 - `os_auth_pw_remember`
 - Default: `5`
 - Description: how many used passwords are record.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 091c6d82..a0fe27fd 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -3,6 +3,7 @@ os_desktop_enable: false
 os_env_extra_user_paths: []
 os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # Discourage password cycling
+os_auth_pw_warn_age: 7
 os_auth_pw_remember: 5 # Specify how many used passwords are record
 os_auth_retries: 5
 os_auth_lockout_time: 600 # Seconds (600 = 10min)
diff --git a/roles/os_hardening/templates/etc/login.defs.j2 b/roles/os_hardening/templates/etc/login.defs.j2
index 9ac298ab..f357167f 100644
--- a/roles/os_hardening/templates/etc/login.defs.j2
+++ b/roles/os_hardening/templates/etc/login.defs.j2
@@ -110,7 +110,7 @@ PASS_MAX_DAYS {{ os_auth_pw_max_age }}
 PASS_MIN_DAYS {{ os_auth_pw_min_age }}
 
 # Number of days warning given before a password expires.
-PASS_WARN_AGE 7
+PASS_WARN_AGE {{ os_auth_pw_warn_age }}
 
 # Min/max values for automatic uid selection in useradd
 UID_MIN {{ os_auth_uid_min }}

From c594a1fe6a648df0efcadb001e2701233d32fb72 Mon Sep 17 00:00:00 2001
From: Norman Ziegner
Date: Wed, 1 Feb 2023 16:19:18 +0100
Subject: [PATCH 2/2] os_hardening: Add test for setting password warning days via variable os_auth_pw_warn_age

Signed-off-by: Norman Ziegner
---
 molecule/os_hardening/converge.yml | 1 +
 molecule/os_hardening/verify_tasks/pw_ageing.yml | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/molecule/os_hardening/converge.yml b/molecule/os_hardening/converge.yml
index 81fe30f6..4073b4db 100644
--- a/molecule/os_hardening/converge.yml
+++ b/molecule/os_hardening/converge.yml
@@ -29,6 +29,7 @@
 os_filesystem_whitelist: []
 os_yum_repo_file_whitelist: ['foo.repo']
 os_users_without_password_ageing: ['pw_no_ageing']
+ os_auth_pw_warn_age: 7
 os_netrc_enabled: false
 os_ignore_users: ["shell_sys_acc"]
 os_ignore_home_folder_users: ["user_with_777_home"]
diff --git a/molecule/os_hardening/verify_tasks/pw_ageing.yml b/molecule/os_hardening/verify_tasks/pw_ageing.yml
index 477c78b4..f801466d 100644
--- a/molecule/os_hardening/verify_tasks/pw_ageing.yml
+++ b/molecule/os_hardening/verify_tasks/pw_ageing.yml
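Review bot: The templated `{{ os_auth_pw_warn_age }}` on the new `+PASS_WARN_AGE` line only takes effect for accounts that useradd creates after login.defs is rendered; the warn field of accounts that already exist stays whatever is in /etc/shadow, so on a host that is hardened after users were provisioned the variable changes nothing for them. If the role applies `os_auth_pw_max_age`/`os_auth_pw_min_age` to existing users in another task (outside this hunk, so I cannot confirm it), the new variable should be applied there as well, e.g. `chage -W {{ os_auth_pw_warn_age }}`, otherwise the README's "number of days of warning before password expires" promises more than the change delivers. The value is also emitted unvalidated: an empty or non-numeric setting renders a malformed `PASS_WARN_AGE` line that the shadow tools reject in favour of their built-in default, so a pre-template `ansible.builtin.assert` that `os_auth_pw_warn_age | int >= 0` would catch that at deploy time. The surrounding password-ageing stanza of login.defs starts and ends outside the hunk.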
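Review bot: The value on the added `os_auth_pw_warn_age: 7` line equals the role default introduced in patch 1, the `PASS_WARN_AGE 7` the template hard-coded before this series, and the compiled-in shadow default, so this scenario cannot tell a template that honours the variable from one that ignores it. Use a distinctive value here, e.g. `os_auth_pw_warn_age: 14`, and expect that value in the verify task so that dropping the variable from login.defs.j2 actually fails the run. The `vars` block this line belongs to starts outside the hunk.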
@@ -14,9 +14,19 @@
 changed_when: false
 register: expiry_date
 
-- name: Check that the expiry date of pw_ageing is 30 days
+- name: Check that the expiry date of pw_ageing is 60 days
 ansible.builtin.assert:
 # this uses the date from the expire_date variable and subtracts the current date.
 # it should be bigger that the password_expire_min of the user "pw_no_ageing"
 that:
 - "{{ ( expiry_date.stdout | trim | to_datetime('%b %d, %Y') - ansible_date_time.date | to_datetime('%Y-%m-%d')).days }} == 60"
+
+- name: Get Password Expiry warning days for pw_ageing
+ ansible.builtin.shell: chage -l pw_ageing | grep "warning before password expires" | cut -d ":" -f 2
+ changed_when: false
+ register: expiry_warndays
+
+- name: Check that number of days of warning before password expires is 7 days
+ ansible.builtin.assert:
+ that:
+ - "expiry_warndays.stdout | trim == '7'"
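Review bot: The new assertion `expiry_warndays.stdout | trim == '7'` pins the value every account receives anyway (shadow's built-in warn age is 7, and the template hard-coded 7 before this series), so it passes even when the rendered login.defs is never consulted — for example if `pw_ageing` is created before the role runs, which I cannot see from here. The check only demonstrates that the variable is honoured if the account is created after login.defs is rendered (or the role applies `chage -W` to existing users) and the expected number differs from 7; consider asserting against a non-default value set in converge.yml rather than a literal. Separately, `chage -l` prints localized labels, so the grep for `warning before password expires` is only stable under a C locale; `ansible.builtin.shell: LC_ALL=C chage -l pw_ageing | grep "warning before password expires" | cut -d ":" -f 2` removes that dependency, matching whatever the existing `expiry_date` task does. That preceding task begins outside the hunk.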