From d031846d3485a41689eb0493873306b424dbdae4 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 6 Jul 2017 15:11:58 -0500
Subject: [PATCH] Skip shadow checks for users w/o shadow data

Users that are attached to a Kerberos realm do not have shadow data on the system. This breaks two accounts-related tasks. This patch cause Ansible to skip over any users that do not have shadow data on the system. Without this patch, the playbook fails with an error.

Closes-Bug: 1659232
Change-Id: Ibbd275681e65ba7ccfc4477caa499247ed052649
---
 tasks/rhel7stig/accounts.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml
index d66758c5..0a4d045b 100644
--- a/tasks/rhel7stig/accounts.yml
+++ b/tasks/rhel7stig/accounts.yml
@@ -79,11 +79,15 @@
 - medium
 - V-71923
+# NOTE(mhayden): The "is mapping" check is required below because some users
+# may be attached to a Kerberos realm and they may not have shadow data on the
+# system. See bug 1659232 for more details.
 - name: Set minimum password lifetime limit to 24 hours for interactive accounts
 shell: "chage -m 1 {{ item.name }}"
 when:
+ - item.shadow is mapping
 - item.shadow.min_days != 1
- - security_set_minimum_password_lifetime
+ - security_set_minimum_password_lifetime | bool
 with_items:
 - "{{ interactive_user_list.users }}"
 tags:
@@ -91,11 +95,15 @@
 - medium
 - V-71927
+# NOTE(mhayden): The "is mapping" check is required below because some users
+# may be attached to a Kerberos realm and they may not have shadow data on the
+# system. See bug 1659232 for more details.
 - name: Set maximum password lifetime limit to 60 days for interactive accounts
 shell: "chage -M 60 {{ item.name }}"
 when:
+ - item.shadow is mapping
 - item.shadow.max_days > 60
- - security_set_maximum_password_lifetime
+ - security_set_maximum_password_lifetime | bool
 with_items:
 - "{{ interactive_user_list.users }}"
 tags:
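Review bot: The new `item.shadow is mapping` guard on the minimum-lifetime task fails open: any interactive user without a shadow mapping is now silently skipped, so the password-lifetime control is not enforced for that account and nothing in the play output says so. For Kerberos-backed accounts that is the intent, but the same guard also swallows a local user whose shadow entry is genuinely missing, and if the shadow data in `interactive_user_list` is gathered by reading /etc/shadow (not visible here) a run that cannot read it would skip every user while still reporting a clean result. Consider a preceding task that reports the skipped users, and extend the NOTE comment to say that the guard fails open: `# Users without shadow data are skipped, not failed; they are listed by the report task above.` The task's `tags:` list continues outside the hunk.

```yaml
- name: Report interactive users without shadow data
  debug:
    msg: "{{ item.name }} has no shadow data; password lifetime limits will not be enforced for it"
  when:
    - item.shadow is not mapping
  with_items:
    - "{{ interactive_user_list.users }}"

# … unchanged: NOTE comment and "Set minimum password lifetime limit" task …
```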
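Review bot: `chage -M 60 {{ item.name }}` still runs through `shell:` although it uses no shell features, so each user name is interpolated into a shell command line; the same applies to the `chage -m 1` task in the previous hunk. The names come from the system's account list rather than from play input, so the exposure is low, but `command: "chage -M 60 {{ item.name }}"` removes the shell interpretation entirely with no change in behaviour and also satisfies ansible-lint's command-instead-of-shell rule. Separately, `item.shadow.max_days > 60` is a numeric comparison, so it is worth confirming against the module that builds `interactive_user_list` that `max_days` is always an integer and never a string or empty value for the users that do have shadow data. The task's `tags:` list continues outside the hunk.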