Describe the Issue
Because of an error in the task conditional, all user accounts' passwords are expired. The task `5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future` should only be run if the password expiration date is in the future.

RHEL9-CIS/tasks/section_5/cis_5.6.1.x.yml, lines 102 to 115 in f769197:

```yaml
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
  debug:
    msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
  when:
    - rhel9cis_5_6_1_5_user_list.stdout | length > 0
    - not rhel9cis_futurepwchgdate_autofix

- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
  command: passwd --expire {{ item }}
  when:
    - rhel9cis_5_6_1_5_user_list | length > 0
    - rhel9cis_futurepwchgdate_autofix
  with_items:
    - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
```
Comparing the conditionals of "Alert on accounts with pw change in the future" and "Fix accounts with pw change in the future" reveals that on the latter no `rhel9cis_5_6_1_5_user_list.stdout | length > 0` is used, instead only `rhel9cis_5_6_1_5_user_list | length > 0` (missing `.stdout`). I am pretty confident that the misbehaviour is due to the conditional, because the step before ("Alert on accounts with pw change in the future") is skipped in the playbook execution.

```text
TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future] ***
ok: [lithium]
TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist] ***
skipping: [lithium]
TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future] ***
skipping: [lithium]
TASK [ansible-lockdown.rhel9-cis : 5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future] ***
changed: [lithium] => (item=root)
changed: [lithium] => (item=bin)
changed: [lithium] => (item=daemon)
changed: [lithium] => (item=adm)
changed: [lithium] => (item=lp)
changed: [lithium] => (item=sync)
changed: [lithium] => (item=shutdown)
changed: [lithium] => (item=halt)
changed: [lithium] => (item=mail)
changed: [lithium] => (item=operator)
changed: [lithium] => (item=games)
changed: [lithium] => (item=ftp)
...
```
Expected Behavior
Only user accounts with a password expiration date in the future should be expired.
Actual Behavior
All user accounts passwords are expired.
Control(s) Affected
5.6.1.5
Environment (please complete the following information):
branch being used: level
Ansible Version: 4.10.0 (core 2.11.12)
Host Python Version: 3.9.10
Ansible Server Python Version: 3.6.8
Additional Details: -
Additional Notes
Possible Solution
Replace line 109ff with the following code:

```yaml
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
  command: passwd --expire {{ item }}
  when:
    - rhel9cis_5_6_1_5_user_list.stdout | length > 0
    - rhel9cis_futurepwchgdate_autofix
  with_items:
    - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
```
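As an added illustration (not code from the RHEL9-CIS role or from the reporter), the following Python models what control 5.6.1.5 audits, i.e. accounts whose `/etc/shadow` last-change day lies in the future, and why `result | length` and `result.stdout | length` evaluate differently on a registered Ansible command result. The shadow lines and the fake registered result are constructed test data.

```python
"""Model of CIS 5.6.1.5 (last password change date in the past) and of the
two `when:` forms discussed in the issue. Constructed example, not role code."""
from datetime import date, timedelta

# Constructed /etc/shadow-style lines: name:hash:lastchg:min:max:warn:inactive:expire:
# Field 3 (lastchg) is days since 1970-01-01; empty means the date was never set.
SAMPLE_SHADOW = """\
root:$6$x:19000:0:99999:7:::
bin:*:18353:0:99999:7:::
alice:$6$y:21915:0:99999:7:::
bob:$6$z::0:99999:7:::
"""
# 19000 -> 2022-01-08, 18353 -> 2020-03-31, 21915 -> 2030-01-01 (future on purpose)

# Constructed stand-in for a registered `command` result whose stdout is empty.
EMPTY_RESULT = {"rc": 0, "changed": False, "stdout": "", "stdout_lines": []}


def users_with_future_pw_change(shadow_text: str, today: date) -> list[str]:
    """Return account names whose last password change date is after `today`.
    This is the set the role's 'Get list of users with last changed pw date in
    the future' audit task collects into rhel9cis_5_6_1_5_user_list.stdout."""
    epoch = date(1970, 1, 1)
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2]:
            continue  # malformed line, or password never changed: nothing to compare
        last_change = epoch + timedelta(days=int(fields[2]))
        if last_change > today:
            flagged.append(fields[0])
    return flagged


def patch_task_runs(result: dict, autofix: bool, use_stdout: bool) -> bool:
    """Evaluate the PATCH task's `when:` clause against a registered result.
    use_stdout=False is `result | length > 0`: the registered result is a dict
    with keys such as rc/stdout/stdout_lines, so its length is never 0 and the
    check gates nothing. use_stdout=True is `result.stdout | length > 0`, which
    is only true when the audit command actually listed an account."""
    if use_stdout:
        return len(result["stdout"]) > 0 and autofix
    return len(result) > 0 and autofix
```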