colin
/
UBUNTU24-CIS-Audit
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS-Audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
UBUNTU24-CIS-Audit/section_5/cis_5.4.1/cis_5.4.1.1.yml

57 lines
1.2 KiB
YAML
Raw Permalink Blame History

---
{{ if .Vars.ubtu24cis_level_1 }}
{{ if .Vars.ubtu24cis_rule_5_4_1_1 }}
file:
login_defs_PASS_MAX_DAYS:
title: 5.4.1.1 | Ensure password expiration is configured | logins.def
path: /etc/login.defs
exists: true
contents:
- '/^PASS_MAX_DAYS\s*{{ .Vars.ubtu24cis_pass.max_days }}/'
- '!/^PASS_MAX_DAYS\s*(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9]{3,})/'
- '!/^PASS_MAX_DAYS\s*-1/'
meta:
server: 1
workstation: 1
CIS_ID:
- 5.4.1.1
CISv8: 5.2
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
command:
users_max_pw_expire:
title: 5.4.1.1 | Ensure password expiration is 365 days or less | user_check
exec: "awk -F: '(/^[^:]+:[^!*]/) {print $5}' /etc/shadow"
exit-status:
or:
- 0
- 1
stdout:
- '/^(36[0-5]|3[0-5][0-9]|[1-2][0-9][0-9]|[0-9][0-9]|[1-9])$/'
- '!/^(36[6-9]|3[7-9][0-9]|[4-9][0-9]{2,})$/'
meta:
server: 1
workstation: 1
CIS_ID:
- 5.4.1.1
CISv8: 5.2
CISv8_IG1: true
CISv8_IG2: true
CISv8_IG3: true
NIST800-53R5:
- CM-1
- CM-2
- CM-6
- CM-7
- IA-5
{{ end }}
{{ end }}
Reference in New Issue View Git Blame Copy Permalink