ComplianceAsCode · jan-cerny · Feb 10, 2023 · Feb 6, 2023 · Feb 8, 2023 · Feb 9, 2023
diff --git a/...strictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml
@@ -11,13 +11,18 @@
   register: user_names
 
 - name: Change the maximum time period between password changes
-{{% if product not in ["rhel7", "ol7"] %}}
+{{% if product in ["rhel7", "ol7","sle12","sle15"] %}}
+{{% if product in ["rhel7", "ol7"] %}}
+  ansible.builtin.command:
+    cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }}
+{{% else %}}
+  ansible.builtin.command:
+    cmd:  passwd -q -x {{ var_accounts_maximum_age_login_defs }} {{ item }}
+{{% endif %}}        
+{{% else %}}
   ansible.builtin.user:
     user: '{{ item }}'
     password_expire_max: '{{ var_accounts_maximum_age_login_defs }}'
-{{% else %}}
-  ansible.builtin.command:
-    cmd: chage -M {{ var_accounts_maximum_age_login_defs }} {{ item }}
 {{% endif %}}
   with_items: '{{ user_names.stdout_lines }}'
   when: user_names.stdout_lines | length > 0
diff --git a/...s-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh b/...s-restrictions/password_expiration/accounts_password_set_max_life_existing/bash/shared.sh
@@ -6,6 +6,14 @@
 
 {{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
 
+{{% if product not in ["sle12", "sle15"] %}}
 {{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_maximum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == \"\")) {print $1}' /etc/shadow") -%}}
 chage -M $var_accounts_maximum_age_login_defs $i
 {{%- endcall %}}
+{{% else %}}
+usrs_max_pass_age=( $(awk -F: '$5 > $var_accounts_maximum_age_login_defs || $5 == "" {print $1}' /etc/shadow) )
+for i in ${usrs_max_pass_age[@]};
+do
+  passwd -q -x $((var_accounts_maximum_age_login_defs)) $i
+done
+{{% endif %}}
diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -55,8 +55,15 @@ ocil: |-
 
 fixtext: |-
     Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
-
-    passwd -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+    {{% if product not in ["sle12", "sle15"] %}}
+    passwd -q -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+    {{% else %}}
+    usrs_max_pass_age=( $(awk -F: '$5 > $var_accounts_maximum_age_login_defs || $5 == "" {print $1}' /etc/shadow) )
+    for i in ${usrs_max_pass_age[@]};
+    do
+        passwd -q -x $((var_accounts_maximum_age_login_defs)) $i
+    done    
+    {{% endif %}}
 
 srg_requirement: |-
     {{{ full_name }}} user account passwords must have a 60-day maximum password lifetime restriction.
diff --git a/...strictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml
@@ -4,13 +4,20 @@
 # complexity = low
 # disruption = low
 
+{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
+
 - name: Collect users with not correct minimum time period between password changes
   command: >
-    awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow
+    awk -F':' '(/^[^:]+:[^!*]/ && ($4 < {{ var_accounts_minimum_age_login_defs }} || $4 == "")) {print $1}' /etc/shadow
   register: user_names
 
 - name: Change the minimum time period between password changes
+{{% if product not in ["sle12", "sle15"] %}}
   command: >
     chage -m 1 {{ item }}
+{{% else %}}
+  command: >
+    passwd -q -n {{ var_accounts_minimum_age_login_defs }} {{ item }}
+{{% endif %}}    
   with_items: "{{ user_names.stdout_lines }}"
   when: user_names.stdout_lines | length > 0
diff --git a/...s-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh b/...s-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh
@@ -6,6 +6,14 @@
 
 {{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 
+{{% if product not in ["sle12", "sle15"] %}}
 {{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_minimum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == \"\")) {print $1}' /etc/shadow") -%}}
 chage -m $var_accounts_minimum_age_login_defs $i
 {{%- endcall %}}
+{{% else %}}
+usrs_min_pass_age=( $(awk -F: '$4 < $var_accounts_minimum_age_login_defs || $4 == "" {print $1}' /etc/shadow) )
+for i in ${usrs_min_pass_age[@]};
+do
+  passwd -q -n $((var_accounts_minimum_age_login_defs)) $i
+done
+{{% endif %}}
diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -54,8 +54,15 @@ ocil: |-
 
 fixtext: |-
     Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
-
+    {{% if product not in ["sle12", "sle15"] %}}
     $ sudo chage -m {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}} [user]
+    {{% else %}}
+    usrs_min_pass_age=( $(awk -F: '$4 < $var_accounts_minimum_age_login_defs || $4 == "" {print $1}' /etc/shadow) )
+    for i in ${usrs_min_pass_age[@]};
+    do
+      passwd -q -n $((var_accounts_minimum_age_login_defs)) $i
+    done
+    {{% endif %}}
 
 srg_requirement: |-
     {{{ full_name }}} passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.