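---
# Password aging and inactivity defaults, gated on the password_expiry rule.
# NOTE(review): the /mnt prefix suggests these tasks edit a mounted target
# root rather than the running host - confirm against the calling play.

# login.defs sets policy for future accounts; existing service accounts are
# intentionally not chage-aged.
- name: Configure password aging defaults
  when: cis_effective_rules.password_expiry | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/login.defs
    # Match the key whether it is active or commented out, with optional
    # leading whitespace (same shape as the INACTIVE pattern below), so an
    # indented existing entry is rewritten instead of a duplicate being
    # appended at the end of the file.
    # lineinfile rewrites only the LAST matching line: if a commented-out copy
    # of a key sits below the active one, the older active line is left in
    # place, so review the rendered file for duplicate keys.
    regexp: '^\s*#?\s*{{ item.key }}\b'
    # Key and value are separated by a single tab.
    line: "{{ item.key }}\t{{ item.value }}"
  loop:
    - {key: PASS_MAX_DAYS, value: "{{ cis_cfg.pass_max_days }}"}
    - {key: PASS_MIN_DAYS, value: "{{ cis_cfg.pass_min_days }}"}
    - {key: PASS_WARN_AGE, value: "{{ cis_cfg.pass_warn_age }}"}
  loop_control:
    # Show only the key name in task output instead of the whole item.
    label: "{{ item.key }}"

# account_disable_post_pw_expiration: lock accounts INACTIVE days after expiry.
# Like login.defs above, this file holds useradd defaults, so the value applies
# to accounts created afterwards; existing accounts keep their current
# inactivity setting unless it is changed per account (chage --inactive).
- name: Set the default account inactivity lock period
  when: cis_effective_rules.password_expiry | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/useradd
    # Matches an active or commented-out INACTIVE= assignment.
    regexp: '^\s*#?\s*INACTIVE\s*='
    line: "INACTIVE={{ cis_cfg.pass_inactive }}"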