Merge "Disable accounts w/expired passwords [+Docs]"

2016-12-08 15:37:31 +00:00
parent eac30953e8 2a17cd18cd
commit 1a2dd1a12b
4 changed files with 27 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -483,7 +483,9 @@ security_shadow_utils_umask: 077                             # RHEL-07-020230
 # Create home directories for new users by default.
 security_shadow_utils_create_home: yes                       # RHEL-07-020630
 # How many old user password to remember to prevent password re-use.
-#security_password_remember_password: 5                       # RHEL-07-010240
+#security_password_remember_password: 5                      # RHEL-07-010240
+# Disable user accounts if the password expires.
+security_disable_account_if_password_expires: no             # RHEL-07-010280
 # Lock user accounts with excessive login failures. See documentation.
 security_pam_faillock_enable: no                             # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
 security_pam_faillock_interval: 900
--- a/doc/metadata/rhel7/RHEL-07-010280.rst
+++ b/doc/metadata/rhel7/RHEL-07-010280.rst
@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010280
-status: not implemented
-tag: misc
+status: opt-in
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+The STIG requires that user accounts are disabled when their password expires.
+This might be disruptive for some users or for automated processes. Therefore,
+the tasks in the security role do not apply this change by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_account_if_password_expires: yes
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -178,6 +178,18 @@
    - high
    - RHEL-07-010260

+- name: RHEL-07-010280 - The operating system must disable account identifiers if the password expires.
+  lineinfile:
+    dest: /etc/default/useradd
+    regexp: '^[#\s]*INACTIVE'
+    line: 'INACTIVE=0'
+  when:
+    - security_disable_account_if_password_expires | bool
+  tags:
+    - auth
+    - medium
+    - RHEL-07-010280
+
 - name: RHEL-07-010371 - If three unsuccessful logon attempts within 15 minutes occur the associated account must be locked.
  blockinfile:
    dest: pam_password_file
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -85,3 +85,4 @@
    security_search_for_invalid_group_owner: yes
    security_enable_firewalld: yes
    security_password_remember_password: 5
+    security_disable_account_if_password_expires: yes