
All passwords are expired during hardening #22

Closed
fgierlinger opened this issue Aug 22, 2022 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

@fgierlinger

Describe the Issue
Because of an error in the task conditional, all user accounts' passwords are expired. The task 5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future should only be run if the password expiration date is in the future.

```yaml
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
  debug:
    msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
  when:
    - rhel9cis_5_6_1_5_user_list.stdout | length > 0
    - not rhel9cis_futurepwchgdate_autofix

- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
  command: passwd --expire {{ item }}
  when:
    - rhel9cis_5_6_1_5_user_list | length > 0
    - rhel9cis_futurepwchgdate_autofix
  with_items:
    - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
```

Comparing the conditionals of Alert on accounts with pw change in the future and Fix accounts with pw change in the future reveals that on the latter no rhel9cis_5_6_1_5_user_list.stdout | length > 0 is used, instead only rhel9cis_5_6_1_5_user_list | length > 0 (missing .stdout). I am pretty confident that the misbehaviour is due to the conditional, because the step before (Alert on accounts with pw change in the future) is skipped in the playbook execution.

```text
TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future] ***
ok: [lithium]

TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist] ***
skipping: [lithium]

TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future] ***
skipping: [lithium]

TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future] ***
changed: [lithium] => (item=root)
changed: [lithium] => (item=bin)
changed: [lithium] => (item=daemon)
changed: [lithium] => (item=adm)
changed: [lithium] => (item=lp)
changed: [lithium] => (item=sync)
changed: [lithium] => (item=shutdown)
changed: [lithium] => (item=halt)
changed: [lithium] => (item=mail)
changed: [lithium] => (item=operator)
changed: [lithium] => (item=games)
changed: [lithium] => (item=ftp)
...
```

Expected Behavior
Only user accounts with a password expiration date in the future should be expired.

Actual Behavior
All user accounts' passwords are expired.

Control(s) Affected
5.6.1.5

Environment (please complete the following information):

  • branch being used: level
  • Ansible Version: 4.10.0 (core 2.11.12)
  • Host Python Version: 3.9.10
  • Ansible Server Python Version: 3.6.8
  • Additional Details: -

Additional Notes

Possible Solution
Replace line 109ff with the following code:

```yaml
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
  command: passwd --expire {{ item }}
  when:
    - rhel9cis_5_6_1_5_user_list.stdout | length > 0
    - rhel9cis_futurepwchgdate_autofix
  with_items:
    - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
```
@fgierlinger fgierlinger added the bug Something isn't working label Aug 22, 2022
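The following is an added illustration, not code from the issue or from the ansible-lockdown role. It models the registered result of the 5.6.1.5 audit command as a plain dict (the key set is an assumption; it only mirrors the shape Ansible gives a registered command result) and evaluates the two `when` expressions the way Jinja's `length` filter does, i.e. `len()` of the value. The point it makes is that `result | length` counts the keys of the result dict and is therefore never zero, while `result.stdout | length` is zero exactly when the audit found nothing. It also includes a small `/etc/shadow`-style parser over constructed sample lines so the audit side of the control (last-change day number greater than today's) is visible next to the gating logic.

```python
"""Added example: 5.6.1.5 audit + `when` gating, outside of Ansible.

Constructed data and helper names; not the role's own implementation.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed /etc/shadow-style sample: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is days since 1970-01-01. 19226 == 2022-08-22 (the issue's date).
SAMPLE_SHADOW = [
    "root:$6$placeholder:19200:0:99999:7:::",   # changed in the past
    "bin:*:19000:0:99999:7:::",                 # changed in the past
    "alice:$6$placeholder:19300:0:99999:7:::",  # changed in the future
    "bob:!!::0:99999:7:::",                     # no last-change date recorded
    "carol:$6$placeholder:19227:0:99999:7:::",  # changed "tomorrow"
]


def users_with_future_pw_change(shadow_lines, today):
    """Return account names whose last password change lies after `today`.

    Empty or malformed lastchg fields are skipped rather than treated as 0,
    so locked system accounts without a change date never show up as hits.
    """
    today_days = (today - EPOCH).days
    hits = []
    for line in shadow_lines:
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) > today_days:
            hits.append(fields[0])
    return hits


def register_result(stdout_lines):
    """Mimic the shape of a registered Ansible command result (assumed subset of keys)."""
    return {
        "rc": 0,
        "stdout": "\n".join(stdout_lines),
        "stdout_lines": list(stdout_lines),
        "stderr": "",
        "changed": True,
    }


def buggy_when(result, autofix):
    """`rhel9cis_5_6_1_5_user_list | length > 0` : len() of the whole dict."""
    return len(result) > 0 and bool(autofix)


def fixed_when(result, autofix):
    """`rhel9cis_5_6_1_5_user_list.stdout | length > 0` : len() of the command output."""
    return len(result["stdout"]) > 0 and bool(autofix)


def accounts_selected_for_expiry(result, autofix, when):
    """Items the PATCH task would loop over if its `when` holds, else nothing."""
    if not when(result, autofix):
        return []
    return list(result["stdout_lines"])


if __name__ == "__main__":
    today = date(2022, 8, 22)
    found = users_with_future_pw_change(SAMPLE_SHADOW, today)
    print("audit hits:", found)
    empty = register_result([])
    print("buggy when on empty audit:", buggy_when(empty, True))
    print("fixed when on empty audit:", fixed_when(empty, True))
    print("would expire (fixed):", accounts_selected_for_expiry(register_result(found), True, fixed_when))
```

Running it shows the buggy condition evaluating to true on an empty audit result while the corrected one evaluates to false; with a non-empty result both conditions agree, which is why the defect only surfaces on hosts where the audit finds nothing.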
uk-bolly added a commit that referenced this issue Aug 23, 2022
@uk-bolly uk-bolly self-assigned this Aug 23, 2022
@uk-bolly
Member

uk-bolly commented Aug 23, 2022

hi @fgierlinger

Thank you again for the feedback on this new repository; prior to the PR approval I have managed to add this correction in as well.

Many thanks once again
uk-bolly

@uk-bolly
Member

hi @fgierlinger

I hope this is now working as expected for you?
Please let us know if this has not resolved your issue.

many thanks again for your feedback

uk-bolly
