Skip to content

Commit

Permalink
Merge pull request #628 from Normo/add-password-warn-age-option
Browse files Browse the repository at this point in the history
Set number of warning days before user password expires
  • Loading branch information
schurzi authored Feb 4, 2023
2 parents 1b1b0e1 + c594a1f commit 0705a9c
Show file tree
Hide file tree
Showing 5 changed files with 17 additions and 2 deletions.
1 change: 1 addition & 0 deletions molecule/os_hardening/converge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
os_filesystem_whitelist: []
os_yum_repo_file_whitelist: ['foo.repo']
os_users_without_password_ageing: ['pw_no_ageing']
os_auth_pw_warn_age: 7
os_netrc_enabled: false
os_ignore_users: ["shell_sys_acc"]
os_ignore_home_folder_users: ["user_with_777_home"]
Expand Down
12 changes: 11 additions & 1 deletion molecule/os_hardening/verify_tasks/pw_ageing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,19 @@
changed_when: false
register: expiry_date

- name: Check that the expiry date of pw_ageing is 30 days
- name: Check that the expiry date of pw_ageing is 60 days
ansible.builtin.assert:
# this uses the date from the expire_date variable and subtracts the current date.
# it should be bigger that the password_expire_min of the user "pw_no_ageing"
that:
- "{{ ( expiry_date.stdout | trim | to_datetime('%b %d, %Y') - ansible_date_time.date | to_datetime('%Y-%m-%d')).days }} == 60"

- name: Get Password Expiry warning days for pw_ageing
ansible.builtin.shell: chage -l pw_ageing | grep "warning before password expires" | cut -d ":" -f 2
changed_when: false
register: expiry_warndays

- name: Check that number of days of warning before password expires is 7 days
ansible.builtin.assert:
that:
- "expiry_warndays.stdout | trim == '7'"
3 changes: 3 additions & 0 deletions roles/os_hardening/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,9 @@ We know that this is the case on Raspberry Pi.
- `os_auth_pw_min_age`
- Default: `7`
- Description: minimum password age (before allowing any other password change).
- `os_auth_pw_warn_age`
- Default: `7`
- Description: number of days of warning before password expires.
- `os_auth_pw_remember`
- Default: `5`
- Description: how many used passwords are record.
Expand Down
1 change: 1 addition & 0 deletions roles/os_hardening/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ os_desktop_enable: false
os_env_extra_user_paths: []
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # Discourage password cycling
os_auth_pw_warn_age: 7
os_auth_pw_remember: 5 # Specify how many used passwords are record
os_auth_retries: 5
os_auth_lockout_time: 600 # Seconds (600 = 10min)
Expand Down
2 changes: 1 addition & 1 deletion roles/os_hardening/templates/etc/login.defs.j2
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ PASS_MAX_DAYS {{ os_auth_pw_max_age }}
PASS_MIN_DAYS {{ os_auth_pw_min_age }}

# Number of days warning given before a password expires.
PASS_WARN_AGE 7
PASS_WARN_AGE {{ os_auth_pw_warn_age }}

# Min/max values for automatic uid selection in useradd
UID_MIN {{ os_auth_uid_min }}
Expand Down

0 comments on commit 0705a9c

Please sign in to comment.