Set lifetime limits for passwords [+Docs]
This patch sets minimum/maximum limits for password lifetimes and covers the following controls: - RHEL-07-010210 - RHEL-07-010220 Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ic142af891d615bc3dc703bdb60ea2a81fe9ffb0a
This commit is contained in:
Major Hayden
parent
06090a2bda
commit
637d0f3feb
|
|
@ -466,6 +466,8 @@ security_pwquality_limit_repeated_character_classes: yes # RHEL-07-010160
|
|||
security_require_sha512_password_storage: yes # RHEL-07-010180
|
||||
# Ensure user/group admin utilities only store encrypted passwords.
|
||||
security_libuser_crypt_style_sha512: yes # RHEL-07-010190
|
||||
# Set a maximum lifetime limit for user passwords.
|
||||
#security_password_max_lifetime_days: 60 # RHEL-07-010220
|
||||
|
||||
## File permissions (file_perms)
|
||||
# Reset file permissions and ownership for files installed via RPM packages.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,10 @@
|
|||
---
|
||||
id: RHEL-07-010210
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
The tasks in the security role search for accounts with a minimum lifetime
|
||||
under 24 hours and display the usernames associated with those accounts.
|
||||
Ubuntu, CentOS, and Red Hat Enterprise Linux set the minimum life time to
|
||||
unlimited by default.
|
||||
|
|
|
|||
|
|
@ -1,7 +1,16 @@
|
|||
---
|
||||
id: RHEL-07-010220
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
Setting a limit on the lifetime for passwords might be disruptive for some
|
||||
users without proper communication explaining the change. Therefore, this
|
||||
change is **disabled by default**.
|
||||
|
||||
Deployers can opt in for this change and provide a maximum lifetime for user
|
||||
passwords (in days) by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_password_max_lifetime_days: 60
|
||||
|
|
|
|||
|
|
@ -71,6 +71,41 @@
|
|||
- medium
|
||||
- RHEL-07-010190
|
||||
|
||||
- name: Get all user accounts with a password lifetime limit under 24 hours
|
||||
shell: "awk -F: '$4 < 1 {print $1}' /etc/shadow"
|
||||
check_mode: no
|
||||
changed_when: False
|
||||
register: password_lifetime_check
|
||||
tags:
|
||||
- auth
|
||||
- medium
|
||||
- RHEL-07-010210
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: RHEL-07-010210 - Passwords must be restricted to a 24 hours/1 day minimum lifetime.
|
||||
debug:
|
||||
msg: |
|
||||
Accounts were found with a minimum password lifetime limit under 24 hours:
|
||||
{{ password_lifetime_check.stdout_lines | join(', ') }}
|
||||
when:
|
||||
- password_lifetime_check.stdout_lines is defined
|
||||
tags:
|
||||
- auth
|
||||
- medium
|
||||
- RHEL-07-010210
|
||||
|
||||
- name: RHEL-07-010220 - Passwords for new users must be restricted to a 60-day maximum lifetime.
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
regexp: "^(#)?PASS_MAX_DAYS"
|
||||
line: "PASS_MAX_DAYS {{ security_password_max_lifetime_days }}"
|
||||
when:
|
||||
- security_password_max_lifetime_days is defined
|
||||
tags:
|
||||
- auth
|
||||
- medium
|
||||
- RHEL-07-010220
|
||||
|
||||
- name: RHEL-07-010260 - The system must not have accounts configured with blank or null passwords
|
||||
lineinfile:
|
||||
dest: "{{ pam_auth_file }}"
|
||||
|
|
|
|||
Loading…
Reference in New Issue