Actually set min/max password lifetime for account

This patch changes the tasks for V-71927 and V-71931 to actually set the minimum password age on user accounts rather than printing useless debug messages. Change-Id: I3e085160baef1ecc12a3c96f08ede3845c68449f
2017-05-25 10:02:27 -05:00 · 2017-05-25 10:02:27 -05:00 · 3699f90710
commit 3699f90710
parent 6c9c7fad66
5 changed files with 49 additions and 36 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -375,6 +375,11 @@ security_unattended_upgrades_notifications: false
 #
 ###############################################################################

+## Accounts (accounts)
+# Set minimum password lifetime to 1 day for interactive accounts.
+security_set_minimum_password_lifetime: no                   # V-71927
+security_set_maximum_password_lifetime: no                   # V-71931
+
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
 security_rhel7_initialize_aide: no                           # V-71973
--- a/doc/metadata/rhel7/V-71927.rst
+++ b/doc/metadata/rhel7/V-71927.rst
@ -1,10 +1,19 @@
 ---
 id: V-71927
-status: implemented
+status: opt-in
 tag: accounts
 ---

-The tasks in the security role search for accounts with a minimum lifetime
-under 24 hours and display the usernames associated with those accounts.
-Ubuntu, CentOS, and Red Hat Enterprise Linux set the minimum life time to
-unlimited by default.
+Setting a minimum password lifetime on interactive user accounts provides
+security benefits by limiting the frequency of password changes. However, this
+can cause login problems for users without proper communication and
+coordination.
+
+Deployers can opt-in for this change by setting the following Ansible variable:
+
+.. code-block::
+
+    security_set_minimum_password_lifetime: yes
+
+The tasks will examine each interactive user account and set the minimum
+password age if the existing setting is not equal to one day.
--- a/doc/metadata/rhel7/V-71931.rst
+++ b/doc/metadata/rhel7/V-71931.rst
@ -1,9 +1,21 @@
 ---
 id: V-71931
-status: implemented
+status: opt-in
 tag: accounts
 ---

-If any users have a maximum password age on their current password set to a
-length of over 60 days, a list of those users is provided in the Ansible
-output.
+Although the STIG requires that a maximum password lifetime is set for all
+interactive user accounts, the security benefits of this configuration are
+debatable. The `draft of NIST Publication 800-63B`_ argues that password
+rotation may reduce overall security in some situations.
+
+Deployers can opt-in for this change by setting the following Ansible variable:
+
+.. code-block::
+
+    security_set_maximum_password_lifetime: yes
+
+The tasks will examine each interactive user account and set the maximum
+password age if the existing setting is not equal to 60 days.
+
+.. _draft of NIST Publication 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html
--- a/tasks/rhel7stig/accounts.yml
+++ b/tasks/rhel7stig/accounts.yml
@ -79,39 +79,25 @@
    - medium
    - V-71923

- name: Get all user accounts with a password lifetime limit under 24 hours
-  shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
-  check_mode: no
-  changed_when: False
-  register: password_lifetime_check
-  tags:
-    - accounts
-    - medium
-    - V-71927
-    - skip_ansible_lint
-
- name: Print warning about accounts with password lifetimes under 24 hours
-  debug:
-    msg: |
-      Accounts were found with a minimum password lifetime limit under 24 hours:
-      {{ password_lifetime_check.stdout_lines | join(', ') }}
+- name: Set minimum password lifetime limit to 24 hours for interactive accounts
+  shell: "chage -m 1 {{ item.name }}"
  when:
-    - password_lifetime_check.stdout_lines is defined
+    - item.shadow.min_days != 1
+    - security_set_minimum_password_lifetime
+  with_items:
+    - "{{ interactive_user_list.users }}"
  tags:
    - accounts
    - medium
    - V-71927

- name: Print warning for accounts with a password lifetime over 60 days
-  debug:
-    msg: |
-      The following user accounts have an existing password with a lifetime of
-      greater than 60 days:
-      {%- for user in user_list.users %}
-      {% if user['shadow']['max_days'] > 60 %}
-          {{ user['name'] }} has an expiration of {{ user['shadow']['max_days'] }} days
-      {% endif %}
-      {% endfor %}
+- name: Set maximum password lifetime limit to 60 days for interactive accounts
+  shell: "chage -M 60 {{ item.name }}"
+  when:
+    - item.shadow.max_days > 60
+    - security_set_maximum_password_lifetime
+  with_items:
+    - "{{ interactive_user_list.users }}"
  tags:
    - accounts
    - medium
--- a/tests/test.yml
+++ b/tests/test.yml
@ -93,6 +93,7 @@
    security_rhel7_remove_shosts_files: yes
    security_search_for_invalid_owner: yes
    security_search_for_invalid_group_owner: yes
+    security_set_minimum_password_lifetime: yes
    security_unattended_upgrades_enabled: yes
    security_unattended_upgrades_notifications: yes
    # NOTE(mhayden): clamav is only available if EPEL is installed. There needs