Set min age and inactive lock for sysadmin passwd

CIS Benchmark requires a password min age of 1 day and a max age of no more than
365 days. Additionally, it requires that the inactive password lock be
less than or equal to 45 days.

This adds the missing minimum password age and sets up an inactive
password lock for the sysadmin user, which means that after the password
expires, the user has 45 days to change the password, or else it will be
locked.

Test Plan:
PASS: Run build-pkgs -c -p puppet-manifests.
PASS: Run build-image.
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of
      the controller-0.
PASS: Run fresh install of AIO-DX with complete bootstrap and unlock of
      controller-0 and controller-1.
PASS: Run backup and restore and verify that the changes persist.
PASS: Change system date and verify that the account is locked 45 days
      after the password expired.

Story: 2011283
Task: 51441

Change-Id: Ica830fffc59acaa631d5cb717f33fa8daca8f35c
Signed-off-by: Rodrigo Tavares <Rodrigo.DosSantosTavares@windriver.com>
Rodrigo Tavares 2024-12-04 10:46:08 -03:00 committed by Rodrigo dos Santos Tavares
parent 99f2bd6b30
commit 4018b5b4bf
2 changed files with 18 additions and 0 deletions

@ -10,6 +10,7 @@ platform::params::pxeboot_hostname: pxecontroller
platform::params::security_feature: nopti nospectre_v2 nospectre_v1
platform::amqp::auth_user: guest
platform::users::params::sysadmin_password_max_age: 45
platform::users::params::sysadmin_password_min_age: 1
# mtce
platform::mtce::params::sm_server_port: 2124
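Review bot: the new `platform::users::params::sysadmin_password_min_age: 1` key sits next to `sysadmin_password_max_age: 45`, but the 45-day inactive lock added in the manifests is a literal inside the exec rather than a hieradata value; consider adding a `platform::users::params::sysadmin_password_inactive_days: 45` key here so all three CIS-driven password ageing values are tunable from one place.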

@ -1,6 +1,7 @@
class platform::users::params (
$sysadmin_password = undef,
$sysadmin_password_max_age = undef,
$sysadmin_password_min_age = undef,
) {}
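Review bot: `$sysadmin_password_min_age = undef` is untyped like the neighbouring parameters; a type such as `Optional[Integer] $sysadmin_password_min_age = undef` would reject a non-numeric hieradata value at catalog compile time instead of when the `user` resource is applied. Minor, and consistent with the existing style if left as is.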
@ -22,9 +23,17 @@ class platform::users
home => '/home/sysadmin',
password => $sysadmin_password,
password_max_age => $sysadmin_password_max_age,
password_min_age => $sysadmin_password_min_age,
shell => '/bin/bash',
}
# Set inactive password lock for sysadmin user to 45, only if it is
# unlimited (-1) or exceeds 45 days
-> exec { 'set inactive password lock for sysadmin':
command => 'chage --inactive 45 sysadmin',
unless => 'sudo awk -F: \'/^sysadmin:/ {if ($7 < 0 || $7 > 45) exit 1}\' /etc/shadow'
}
# Create a 'denyssh' group for ldap users
# without ssh access
-> group { $::platform::params::deny_ssh_group_name:
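Review bot: the `unless` command exits 0 whenever awk never matches `/^sysadmin:/`, so if the user is missing from `/etc/shadow` the exec is silently skipped instead of failing, and the `sudo` prefix is unnecessary when the agent already runs as root while adding a sudo dependency to the check. Consider `awk -F: '/^sysadmin:/ { found=1; if ($7 < 0 || $7 > 45) exit 1 } END { if (!found) exit 1 }' /etc/shadow` so a missing entry surfaces through the chage failure. An empty inactive field (never set) compares as a string against 0 and still triggers the exec, which is the intended behaviour and worth stating in the comment.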
@ -49,9 +58,17 @@ class platform::users::bootstrap
groups => ['root', $::platform::params::protected_group_name],
home => '/home/sysadmin',
password_max_age => $sysadmin_password_max_age,
password_min_age => $sysadmin_password_min_age,
shell => '/bin/bash',
}
# Set inactive password lock for sysadmin user to 45, only if it is
# unlimited (-1) or exceeds 45 days
-> exec { 'set inactive password lock for sysadmin':
command => 'chage --inactive 45 sysadmin',
unless => 'sudo awk -F: \'/^sysadmin:/ {if ($7 < 0 || $7 > 45) exit 1}\' /etc/shadow'
}
# Create a 'denyssh' group for ldap users
# without ssh access
-> group { $::platform::params::deny_ssh_group_name:
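Review bot: this exec is a verbatim copy of the one in `platform::users`, including the title `'set inactive password lock for sysadmin'` and the literal 45 in both `command` and `unless`; factoring it into a shared define or a small helper class would keep the two copies from drifting and would also rule out a duplicate-resource error should both classes ever be included in the same catalog.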