ComplianceAsCode · marcusburghardt · Jan 6, 2023 · Dec 8, 2022 · Dec 8, 2022 · Dec 14, 2022
diff --git a/...strictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_min_life_existing/ansible/shared.yml
@@ -4,13 +4,13 @@
 # complexity = low
 # disruption = low
 
-- name: Collect users with not correct minimum time period between password changes  
+- name: Collect users with not correct minimum time period between password changes
   command: >
-    awk -F: '$4 < 1 || $4 == "" {print $1}' /etc/shadow
+    awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow
   register: user_names
-  
-- name: Change the minimum time period between password changes 
+
+- name: Change the minimum time period between password changes
   command: >
-    passwd -n 1 {{ item }}
+    chage -m 1 {{ item }}
   with_items: "{{ user_names.stdout_lines }}"
   when: user_names.stdout_lines | length > 0
diff --git a/...s-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh b/...s-restrictions/password_expiration/accounts_password_set_min_life_existing/bash/shared.sh
@@ -6,6 +6,6 @@
 
 {{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
 
-{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_minimum_age_login_defs\" -F: '$4 < var || $4 == \"\" {print $1}' /etc/shadow") -%}}
-passwd -n $var_accounts_minimum_age_login_defs $i
+{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_minimum_age_login_defs\" -F: '(/^[^:]+:[^!*]/ && ($4 < var || $4 == \"\")) {print $1}' /etc/shadow") -%}}
+chage -m $var_accounts_minimum_age_login_defs $i
 {{%- endcall %}}
diff --git a/...-restrictions/password_expiration/accounts_password_set_min_life_existing/oval/shared.xml b/...-restrictions/password_expiration/accounts_password_set_min_life_existing/oval/shared.xml
@@ -9,33 +9,40 @@
 
   <!-- Define a test for the shadow file for accounts with passwords to look for the minimum password change interval. -->
   <unix:shadow_test
-      id="test_password_min_life_existing" 
+      id="test_password_min_life_existing"
       check="all"
-      check_existence="at_least_one_exists"
-      version="1" 
+      check_existence="any_exist"
+      version="1"
       comment="Password minimum lifetime for existing accounts is at least what is defined by policy.">
     <unix:object object_ref="object_shadow_password_users_min_life_existing"/>
     <unix:state state_ref="min_password_change_interval"/>
   </unix:shadow_test>
 
   <!-- Define a second test to ensure the minimum password life is at less than the defined maximum. -->
-  <unix:shadow_test id="test_password_min_life_existing_maximum"  check="all" check_existence="at_least_one_exists" version="1" comment="Password minimum life entry is at mosta defined maximum">
+  <unix:shadow_test id="test_password_min_life_existing_maximum"  check="all" check_existence="any_exist" version="1" comment="Password minimum life entry is at mosta defined maximum">
     <unix:object object_ref="object_shadow_password_users_min_life_existing"/>
     <unix:state state_ref="max_min_password_change_interval"/>
   </unix:shadow_test>
 
   <unix:shadow_object id="object_shadow_password_users_min_life_existing" version="1">
     <unix:username operation="pattern match">.*</unix:username>
+    <filter action="include">filter_no_passwords_or_locked_accounts_min_life</filter>
   </unix:shadow_object>
 
+  <unix:shadow_state id="filter_no_passwords_or_locked_accounts_min_life" version="1">
+      <unix:password operation="pattern match">^[^\!\*]+$</unix:password>
+  </unix:shadow_state>
+
   <unix:shadow_state id="max_min_password_change_interval" version="1" comment="change passwords every maximum interval or less">
+    <unix:password operation="pattern match" mask="true">.*</unix:password>
     <unix:chg_allow
       operation="less than or equal"
       datatype="int"
       var_ref="var_accounts_maximum_age_login_defs"/>
   </unix:shadow_state>
 
   <unix:shadow_state id="min_password_change_interval" version="1" comment="change passwords at at the recommended interval or more">
+    <unix:password operation="pattern match" mask="true">.*</unix:password>
     <unix:chg_allow
       operation="greater than or equal"
       datatype="int"

diff --git a/...ctions/password_expiration/accounts_password_set_min_life_existing/policy/stig/shared.yml b/...ctions/password_expiration/accounts_password_set_min_life_existing/policy/stig/shared.yml
@@ -19,4 +19,4 @@ checktext: |-
 fixtext: |-
     Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
 
-    $ sudo passwd -n 1 [user]
+    $ sudo chage -m 1 [user]
diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -52,7 +52,7 @@ ocil: |-
 fixtext: |-
     Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
 
-    $ sudo passwd -n {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}} [user]
+    $ sudo chage -m {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}} [user]
 
 srg_requirement: |-
     {{{ full_name }}} passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
diff --git a/...word_expiration/accounts_password_set_min_life_existing/tests/correct_min_pas_age.pass.sh b/...word_expiration/accounts_password_set_min_life_existing/tests/correct_min_pas_age.pass.sh
@@ -1,11 +1,9 @@
 #!/bin/bash
+# variables = var_accounts_minimum_age_login_defs=1,var_accounts_maximum_age_login_defs=60
 
-# platform = multi_platform_sle
-
-SECURE_MIN_PASS_AGE=1
-
-usrs_min_pass_age=( $(awk -F: '$4 < SECURE_MIN_PASS_AGE || $4 == "" {print $1}' /etc/shadow) )
-for i in ${usrs_min_pass_age[@]};
-do
-  passwd -n $SECURE_MIN_PASS_AGE $i
+# make existing entries pass
+for acct in $(awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow ); do
+    chage -m 1 -d $(date +%Y-%m-%d) $acct
 done
+echo 'max-test-user:$1$q.YkdxU1$ADmXcU4xwPrM.Pc.dclK81:18648:1:60::::' >> /etc/shadow
+echo "max-test-user:x:50000:1000::/:/usr/bin/bash" >> /etc/passwd
diff --git a/...tests/correct_stig_noninteractive.pass.sh → ...orrect_min_pas_age_noninteractive.pass.sh b/...tests/correct_stig_noninteractive.pass.sh → ...orrect_min_pas_age_noninteractive.pass.sh
@@ -1,9 +1,8 @@
 #!/bin/bash
-
 # variables = var_accounts_minimum_age_login_defs=1,var_accounts_maximum_age_login_defs=60
 
 # make existing entries pass
-for acct in $(awk -F: '{print $1}' /etc/shadow ); do
+for acct in $(awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow ); do
     chage -m 1 -d $(date +%Y-%m-%d) $acct
 done
 # Noninteractive users are a pass

diff --git a/...ns/password_expiration/accounts_password_set_min_life_existing/tests/correct_stig.pass.sh b/...ns/password_expiration/accounts_password_set_min_life_existing/tests/correct_stig.pass.sh
diff --git a/...d_expiration/accounts_password_set_min_life_existing/tests/incorrect_min_pass_age.fail.sh b/...d_expiration/accounts_password_set_min_life_existing/tests/incorrect_min_pass_age.fail.sh
@@ -1,13 +1,11 @@
 #!/bin/bash
-
+# variables = var_accounts_minimum_age_login_defs=1
 # packages = passwd
 
-BAD_PAS_AGE=-1
-
-# Configure the OS to enforce a password age < 1 of each accout  
-
-system_users=( $(awk -F: '{print $1}' /etc/shadow) )
-for i in ${system_users[@]}; 
-do 
-  passwd -n $BAD_PAS_AGE $i
+# make existing entries pass
+for acct in $(awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow ); do
+    chage -m 1 -d $(date +%Y-%m-%d) $acct
 done
+# add a failing entry
+echo 'max-test-user:$1$q.YkdxU1$ADmXcU4xwPrM.Pc.dclK81:18648:0:60::::' >> /etc/shadow
+echo "max-test-user:x:50000:1000::/:/usr/bin/bash" >> /etc/passwd
diff --git a/...isting/tests/incorrect_stig_blank.fail.sh → ...ests/incorrect_min_pass_age_blank.fail.sh b/...isting/tests/incorrect_stig_blank.fail.sh → ...ests/incorrect_min_pass_age_blank.fail.sh
@@ -1,10 +1,9 @@
 #!/bin/bash
-
 # variables = var_accounts_minimum_age_login_defs=1
 # packages = passwd
 
 # make existing entities pass
-for acct in $(awk -F: '{print $1}' /etc/shadow ); do
+for acct in $(awk -F: '(/^[^:]+:[^!*]/ && ($4 < 1 || $4 == "")) {print $1}' /etc/shadow ); do
     chage -m 1 -d $(date +%Y-%m-%d) $acct
 done
 # Add a failing item.

diff --git a/.../password_expiration/accounts_password_set_min_life_existing/tests/incorrect_stig.fail.sh b/.../password_expiration/accounts_password_set_min_life_existing/tests/incorrect_stig.fail.sh