Skip shadow checks for users w/o shadow data

Users that are attached to a Kerberos realm do not have shadow data
on the system. This breaks two accounts-related tasks.

This patch causes Ansible to skip over any users that do not have
shadow data on the system. Without this patch, the playbook fails
with an error.

Closes-Bug: 1659232
Change-Id: Ibbd275681e65ba7ccfc4477caa499247ed052649
Major Hayden 2017-07-06 15:11:58 -05:00
parent ff7d7668df
commit d031846d34
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1

@ -79,11 +79,15 @@
- medium
- V-71923
# NOTE(mhayden): The "is mapping" check is required below because some users
# may be attached to a Kerberos realm and they may not have shadow data on the
# system. See bug 1659232 for more details.
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
shell: "chage -m 1 {{ item.name }}"
when:
- item.shadow is mapping
- item.shadow.min_days != 1
- security_set_minimum_password_lifetime
- security_set_minimum_password_lifetime | bool
with_items:
- "{{ interactive_user_list.users }}"
tags:
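Review bot: The `shell: "chage -m 1 {{ item.name }}"` line passes the user name to a shell without quoting. Nothing in the command needs shell features, so the `command:` module (or `{{ item.name | quote }}`) would keep the shell from parsing the name. Separately, the `when` list appears to switch `security_set_minimum_password_lifetime` to `security_set_minimum_password_lifetime | bool`, which the commit message does not mention; a line in the message or a separate change would make that easier to track.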
@ -91,11 +95,15 @@
- medium
- V-71927
# NOTE(mhayden): The "is mapping" check is required below because some users
# may be attached to a Kerberos realm and they may not have shadow data on the
# system. See bug 1659232 for more details.
- name: Set maximum password lifetime limit to 60 days for interactive accounts
shell: "chage -M 60 {{ item.name }}"
when:
- item.shadow is mapping
- item.shadow.max_days > 60
- security_set_maximum_password_lifetime
- security_set_maximum_password_lifetime | bool
with_items:
- "{{ interactive_user_list.users }}"
tags:
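Review bot: With `item.shadow is mapping` in the `when` list, users without shadow data are skipped silently, so a run gives no indication of which accounts did not get the 60-day limit (V-71927). Consider a debug task that lists the users for which `item.shadow is not mapping`, so operators can confirm that password lifetime for those accounts is enforced elsewhere, for example by the Kerberos realm. Placing the `security_set_maximum_password_lifetime | bool` toggle first in the list would also make it clearer that the whole task is optional.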