accounts_password_set_max_life_existing does not exclude no passwords or locked accounts

[dodys]

Description:

• At least CIS for Ubuntu 22.04 this rule specifically has the following check in both audit and remediation: [^!*].
• Please confirm that this is also the case for other distros.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -4,4 +4,4 @@
 
 while IFS= read -r i; do
 chage -M $var_accounts_maximum_age_login_defs $i
-done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '$5 > var || $5 == "" {print $1}' /etc/shadow)
+done < <(awk -v var="$var_accounts_maximum_age_login_defs" -F: '(/^[^:]+:[^!*]/ && ($5 > var || $5 == "")) {print $1}' /etc/shadow)

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -6,8 +6,8 @@
 
 - name: Collect users with not correct maximum time period between password changes
 ansible.builtin.command:
- cmd: awk -F':' '$5 > {{ var_accounts_maximum_age_login_defs }} || $5 == "" {print
- $1}' /etc/shadow
+ cmd: awk -F':' '(/^[^:]+:[^!*]/ && ($5 > {{ var_accounts_maximum_age_login_defs
+ }} || $5 == "")) {print $1}' /etc/shadow
 register: user_names
 tags:
 - CCE-82473-0

[marcusburghardt]

The assessment and bash remediation are working fine. Could you also update the Ansible remediation, please?

[marcusburghardt]

The comments here are also valid for #9955 . After these small details I believe we they will be good to be merged.

[marcusburghardt]

The comments here are also valid for #9955 . After these small details I believe we they will be good to be merged.

[codeclimate]

Code Climate has analyzed commit 5eacd51 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 49.9% (0.1% change).

View more on Code Climate.

[marcusburghardt]

Thanks @dodys