
password ageing not enforced

Open · DonEstefan opened this issue 1 year ago · 1 comment

Describe the bug

"os_auth_pw_min_age" and "os_auth_pw_max_age" of the linux_hardening role affect only newly created users, not existing users.

Since "login.defs" is used to enforce the settings, https://manpages.ubuntu.com/manpages/bionic/en/man5/login.defs.5.html shows a relevant limitation:

PASS_MAX_DAYS, PASS_MIN_DAYS are only used at the time of account creation. Any changes to these settings won't affect existing accounts.

Expected behavior

The linux_hardening role should also apply the pw age settings to existing users.

Actual behavior

Settings are not applied to existing users.

Ansible Version

$ ansible --version
ansible [core 2.12.2]
  config file = /home/sela/ansible-proxy/ansible.cfg
  configured module search path = ['/home/sela/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/sela/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.12 (default, Apr 21 2022, 07:55:08) [GCC 8.5.0 20210514 (Red Hat 8.5.0-10)]
  jinja version = 2.10.3
  libyaml = True

Role Version

7.14.3

Additional context

I guess you'd have to iterate through all the users that are not system accounts (which are handled separately). It might be a good idea to introduce an additional variable users_without_password_ageing if someone does not like this. Password ageing for user(s) with UID=0 might need to be handled separately (password_ageing_for_root_users=false). I have not tested this, but I think this code (copied + adjusted from your handling of system accounts) could be a starting point:

- name: Get all regular user accounts
  # note: UID > uid_max also selects nobody (usually 65534); add it to
  # users_without_password_ageing if it should be left alone
  command: awk -F'':'' '{ if ( $3 > {{ uid_max|quote }} ) print $1}' /etc/passwd
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: non_sys_accs

# set age settings for regular non-system accounts
- name: Set password ageing for user {{ item }}
  user:
    name: "{{ item }}"
    # a Jinja expression at the start of a YAML value must be quoted
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
  with_flattened:
    # the registered result is a dict; the account names are in stdout_lines
    - '{{ non_sys_accs.stdout_lines | default([]) | difference(users_without_password_ageing | default([])) | list }}'

- name: Get all user accounts with UID 0
  command: awk -F'':'' '{ if ( $3 == 0 ) print $1}' /etc/passwd
  args:
    removes: /etc/passwd
  changed_when: false
  check_mode: false
  register: root_accs
  # "when" takes a Jinja expression, so test the variable itself rather than "var=true"
  when: password_ageing_for_root_users | default(false) | bool

- name: Set password ageing for user {{ item }} (UID 0)
  user:
    name: "{{ item }}"
    password_expire_min: "{{ os_auth_pw_min_age }}"
    password_expire_max: "{{ os_auth_pw_max_age }}"
  with_flattened:
    # same register name as the task above (was "uid0_accs"); default([]) keeps
    # the loop valid when that task was skipped
    - '{{ root_accs.stdout_lines | default([]) | list }}'
  when: password_ageing_for_root_users | default(false) | bool

DonEstefan, Aug 25 '22 14:08
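A host-side check for the gap this issue describes, added here as an example and not code from the issue or the dev-sec role: it compares the ageing fields in /etc/shadow against the intended min/max for every regular account, which is exactly what a login.defs-only approach leaves unverified. It assumes UID_MIN is 1000 and nobody is 65534 (both overridable), and the demo runs on constructed passwd/shadow lines with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from the issue or the dev-sec role): report regular accounts
# whose /etc/shadow ageing fields differ from policy; login.defs alone never touches them.
# Usage: audit_pw_ageing MIN_AGE MAX_AGE [PASSWD_FILE] [SHADOW_FILE] [UID_MIN]
audit_pw_ageing() {
    passwd_file=${3:-/etc/passwd}
    shadow_file=${4:-/etc/shadow}
    uid_min=${5:-1000}   # assumption: UID_MIN from login.defs, 1000 on most distros
    awk -F: -v min="$1" -v max="$2" -v uidmin="$uid_min" '
        # passwd (first file): regular accounts have UID >= UID_MIN; nobody (65534) is
        # left out and UID 0 is not covered, since the issue treats root separately.
        FNR == NR {
            if ($3 + 0 >= uidmin + 0 && $3 + 0 != 65534) regular[$1] = 1
            next
        }
        # shadow (second file): $2 hash, $4 min days, $5 max days. Empty fields
        # mean the defaults chage -l reports (0 and 99999). Entries with no hash
        # at all (*, !, !!) have nothing to age and are skipped.
        ($1 in regular) && $2 !~ /^[!*]+$/ {
            cur_min = ($4 == "") ? 0 : $4 + 0
            cur_max = ($5 == "") ? 99999 : $5 + 0
            if (cur_min != min + 0 || cur_max != max + 0)
                printf "%s min=%d max=%d (policy %s/%s)\n", $1, cur_min, cur_max, min, max
        }
    ' "$passwd_file" "$shadow_file"
}

# Self-contained demo on constructed passwd/shadow lines; hashes are placeholders.
demo_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$6$PLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19000:0:99999:7:::
bob:$6$PLACEHOLDER:19000:7:60:7:::
svc:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
EOF
    audit_pw_ageing 7 60 "$tmp/passwd" "$tmp/shadow" 1000   # alice is the only finding
    rm -rf "$tmp"
}
```

Run `audit_pw_ageing 7 60` as root on a real host to list accounts the role's login.defs settings did not reach.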

This sounds like a good idea!

Any help here is appreciated.

rndmh3ro, Aug 29 '22 14:08