Skip to content

Disables password expiration and inactivity policies #1106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 12, 2024
Merged

Disables password expiration and inactivity policies #1106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
be8fccb
Disables password expiration and inactivity policies
jovial Jun 21, 2024
e9ef236
Remove flag that configures password expiry warning
jovial Jul 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions etc/kayobe/ansible/cis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,17 @@
state: absent
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'

- name: Ensure service accounts have no expiry options set
# This is to workaround an issue where we set the expiry to 365 days on kayobe
# service accounts in a previous iteration of the CIS benchmark hardening
# defaults. This should restore the defaults and can eventually be removed.
command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
become: true
changed_when: false
with_items:
- "{{ kayobe_ansible_user }}"
- "{{ kolla_ansible_user }}"

- include_role:
name: ansible-lockdown.rhel8_cis
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
Expand Down
17 changes: 17 additions & 0 deletions etc/kayobe/inventory/group_vars/overcloud/cis
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,10 @@ rhel9cis_max_log_file_size: 1024
# `rhel9cis_bootloader_password_hash`
rhel9cis_set_boot_pass: false

# NOTICE: rule disabled otherwise rule will prevent access to accounts
# as it will expire passwords older than one year.
rhel9cis_rule_5_6_1_1: false

##############################################################################
# Ubuntu Jammy CIS Hardening Configuration

Expand Down Expand Up @@ -159,4 +163,17 @@ ubtu22cis_max_log_file_size: 1024
# ubtu22cis_bootloader_password_hash
ubtu22cis_rule_1_4_1: false
ubtu22cis_rule_1_4_3: false

# Disable: Ensure minimum days between password changes is configured
ubtu22cis_rule_5_5_1_1: false

# Disable: Ensure password expiration is 365 days or less
ubtu22cis_rule_5_5_1_2: false

# Disable: Ensure inactive password lock is 30 days or less
ubtu22cis_rule_5_5_1_4: false

# Disable: Ensure all users last password change date is in the past
ubtu22cis_rule_5_5_1_5: false

##############################################################################
7 changes: 7 additions & 0 deletions releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
critical:
- |
Disables password expiration and inactivity policies. This caused the kayobe
and kolla service accounts to be locked out of the system. You should re-apply
the CIS benchmark hardening playbook as soon as possible to avoid being locked
out of your system.
Loading