---

{{ if .Vars.ubtu24cis_level_1 }}
  {{ if .Vars.ubtu24cis_rule_5_4_1_1 }}
file:
  login_defs_PASS_MAX_DAYS:
    title: 5.4.1.1 | Ensure password expiration is configured | logins.def
    path: /etc/login.defs
    exists: true
    contents:
    - '/^PASS_MAX_DAYS\s*{{ .Vars.ubtu24cis_pass.max_days }}/'
    - '!/^PASS_MAX_DAYS\s*(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9]{3,})/'
    - '!/^PASS_MAX_DAYS\s*-1/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.4.1.1
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
      - CM-1
      - CM-2
      - CM-6
      - CM-7
      - IA-5
command:
  users_max_pw_expire:
    title: 5.4.1.1 | Ensure password expiration is 365 days or less | user_check
    exec: "awk -F: '(/^[^:]+:[^!*]/)  {print $5}' /etc/shadow"
    exit-status:
      or:
      - 0
      - 1
    stdout:
    - '/^(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[0-9][0-9]|[1-9])$/'
    - '!/^(36[6-9]|3[7-9][0-9]|[4-9][0-9]{2,})$/'
    meta:
      server: 1
      workstation: 1
      CIS_ID:
      - 5.4.1.1
      CISv8: 5.2
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
      - CM-1
      - CM-2
      - CM-6
      - CM-7
      - IA-5
  {{ end }}
{{ end }}