Verify password age limits [+Docs]

This patch checks for user accounts that have a maximum password age of more than 60 days. It also extends the `get_users` module to retrieve shadow database information. Implements: blueprint security-rhel7-stig Change-Id: Ida3fd56ee9133dab73f65d47a6934b5596e95b69
2016-12-02 14:43:59 -06:00 · 2016-12-02 14:43:59 -06:00 · 0e8feaf9eb
commit 0e8feaf9eb
parent d5ee4c331c
3 changed files with 41 additions and 4 deletions
--- a/doc/metadata/rhel7/RHEL-07-010230.rst
+++ b/doc/metadata/rhel7/RHEL-07-010230.rst
@ -1,7 +1,9 @@
 ---
 id: RHEL-07-010230
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+If any users have a maximum password age on their current password set to a
+length of over 60 days, a list of those users is provided in the Ansible
+output.
--- a/library/get_users
+++ b/library/get_users
@ -16,6 +16,7 @@

 import grp
 import pwd
+import spwd
 from ansible.module_utils.basic import AnsibleModule


@ -53,7 +54,8 @@ def make_user_dict(user_record):
        'gecos': user_record.pw_gecos,
        'dir': user_record.pw_dir,
        'shell': user_record.pw_shell,
-        'group': make_group_dict(user_record.pw_gid)
+        'group': make_group_dict(user_record.pw_gid),
+        'shadow': make_shadow_dict(user_record.pw_name)
    }
    return user_dict

@ -73,6 +75,24 @@ def make_group_dict(gid):
    return group_dict


+def make_shadow_dict(username):
+    """Create a dictionary of user shadow password database attributes."""
+    try:
+        shadow_record = spwd.getspnam(username)
+    except KeyError:
+        return False
+
+    shadow_dict = {
+        'last_changed': shadow_record.sp_lstchg,
+        'min_days': shadow_record.sp_min,
+        'max_days': shadow_record.sp_max,
+        'warn_days': shadow_record.sp_warn,
+        'inact_days': shadow_record.sp_inact,
+        'expire_days': shadow_record.sp_expire,
+    }
+    return shadow_dict
+
+
 def main():
    """Ansible calls this function."""
    module = AnsibleModule(
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -142,6 +142,21 @@
    - medium
    - RHEL-07-010240

+- name: RHEL-07-010230 - Existing passwords must be restricted to a 60-day maximum lifetime.
+  debug:
+    msg: |
+      The following user accounts have an existing password with a lifetime of
+      greater than 60 days:
+      {%- for user in user_list.users %}
+      {% if user['shadow']['max_days'] > 60 %}
+          {{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
+      {% endif %}
+      {% endfor %}
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010230
+
 - name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
  lineinfile:
    dest: "{{ pam_auth_file }}"