ComplianceAsCode · marcusburghardt · Mar 3, 2023 · Dec 21, 2022 · Feb 24, 2023 · Feb 27, 2023
@@ -1805,10 +1805,11 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: partially # missing rule for checking of /etc/shadow
+    status: automated
     rules:
       - accounts_password_warn_age_login_defs
       - var_accounts_password_warn_age_login_defs=7
+      - accounts_password_set_warn_age_existing
 
   - id: 5.4.1.5
     title: Ensure inactive password lock is 30 days or less (Automated)

@@ -1965,10 +1965,11 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    automated: partially # missing rule for checking of /etc/shadow
+    status: automated
     rules:
       - accounts_password_warn_age_login_defs
       - var_accounts_password_warn_age_login_defs=7
+      - accounts_password_set_warn_age_existing
 
   - id: 5.4.1.5
     title: Ensure inactive password lock is 30 days or less (Automated)

diff --git a/...strictions/password_expiration/accounts_password_set_warn_age_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_warn_age_existing/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
+
+- name: Collect users with not correct number of days of warning before password expires
+  ansible.builtin.command:
+    cmd: awk -F':' '$6 < {{ var_accounts_password_warn_age_login_defs }} || $6 == "" {print $1}' /etc/shadow
+  register: user_names
+
+- name: Change the number of days of warning before password expires
+  ansible.builtin.command:
+    cmd: chage --warndays {{ var_accounts_password_warn_age_login_defs }} {{ item }}
+  with_items: '{{ user_names.stdout_lines }}'
+  when: user_names.stdout_lines | length > 0
diff --git a/...s-restrictions/password_expiration/accounts_password_set_warn_age_existing/bash/shared.sh b/...s-restrictions/password_expiration/accounts_password_set_warn_age_existing/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
+
+{{% call iterate_over_command_output("i", "awk -v var=\"$var_accounts_password_warn_age_login_defs\" -F: '$6 < var || $6 == \"\" {print $1}' /etc/shadow") -%}}
+chage --warndays $var_accounts_password_warn_age_login_defs $i
+{{%- endcall %}}
diff --git a/...-restrictions/password_expiration/accounts_password_set_warn_age_existing/oval/shared.xml b/...-restrictions/password_expiration/accounts_password_set_warn_age_existing/oval/shared.xml
@@ -0,0 +1,32 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+      {{{ oval_metadata("Set Existing Passwords Warning Age") }}}
+    <criteria>
+        <criterion test_ref="test_password_warn_age_existing"
+          comment="Passwords must be configured to the appropriate warn age for existing accounts."/>
+    </criteria>
+  </definition>
+
+  <!-- Define a test for the shadow file for non-system accounts to look for the warn age . -->
+  <unix:shadow_test id="test_password_warn_age_existing" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Password warn age for existing accounts is no less than number of days of warning before password expires.">
+    <unix:object object_ref="object_shadow_password_users_warn_age_existing"/>
+    <unix:state state_ref="warn_age_for_passwords_change"/>
+  </unix:shadow_test>
+
+  <unix:shadow_object id="object_shadow_password_users_warn_age_existing" version="1">
+    <unix:username operation="pattern match">.*</unix:username>
+  </unix:shadow_object>
+
+  <unix:shadow_state id="warn_age_for_passwords_change" version="1"
+    comment="change warn age for passwords to the recommended value ">
+    <unix:exp_warn operation="greater than or equal" datatype="int"
+      var_ref="var_accounts_password_warn_age_login_defs"/>
+  </unix:shadow_state>
+
+  <!-- this external variable is defined at the group level,
+       reusing the account-level definitions. -->
+  <external_variable id="var_accounts_password_warn_age_login_defs" datatype="int" version="1"
+                     comment="Warning days before password expires"/>
+</def-group>
diff --git a/...ccounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml b/...ccounts-restrictions/password_expiration/accounts_password_set_warn_age_existing/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+prodtype: sle12,sle15
+
+title: "Set Existing Passwords Warning Age"
+
+description: |-
+    To configure how many days prior to password expiration that a warning will be issued to users,
+    run the command
+    <pre>$ sudo chage --warndays {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}} <i>USER</i></pre>
+    The DoD requirement is 7, and CIS recommendation is no less than 7 days.
+    The profile requirement is <tt>{{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}</tt>.
+
+rationale: |-
+    Providing an advance warning that a password will be expiring gives users 
+    time to think of a secure password. Users caught unaware may choose a simple 
+    password or write it down where it may be discovered.
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92321-9
+    cce@sle15: CCE-92479-5
+
+references:
+    cis@sle12: 5.4.1.4
+    cis@sle15: 5.4.1.4
+    disa: CCI-000198
+    nist: IA-5(f),IA-5(1)(d),CM-6(a)
+    nist@sle15: IA-5(1).1(v)
+
+ocil_clause: 'any results are returned that are not associated with a system account'
+
+ocil: |-
+    Verify that {{{ full_name }}} has configured the warning that a password will be expiring for each user account 
+    is number of days or greater, according to the days specified with the variable 
+    var_accounts_password_warn_age_login_defs,  with the following command:
+
+    $ sudo awk -F: '$6 < {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}} || $6 == "" {print $1}' /etc/shadow
+
+fixtext: |-
+    Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
+    usrs_pass_warn_age=( $(awk -F: '$6 < {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}} || $6 == "" {print $1}' /etc/shadow) )
+    for i in ${usrs_pass_warn_age[@]};
+    do
+       chage --warndays {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}} $i
+    done
diff --git a/...ord_expiration/accounts_password_set_warn_age_existing/tests/correct_pas_warn_age.pass.sh b/...ord_expiration/accounts_password_set_warn_age_existing/tests/correct_pas_warn_age.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_sle
+
+SECURE_PASS_WARN_AGE=7
+
+usrs_pass_warn_age=( $(awk -F: '$6 < $SECURE_PASS_WARN_AGE || $6 == "" {print $1}' /etc/shadow) )
+for i in ${usrs_pass_warn_age[@]};
+do
+  chage --warndays $SECURE_PASS_WARN_AGE $i
+done
diff --git a/...d_expiration/accounts_password_set_warn_age_existing/tests/incorrect_pas_warn_age.fail.sh b/...d_expiration/accounts_password_set_warn_age_existing/tests/incorrect_pas_warn_age.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+BAD_PAS_WARN_AGE=3
+
+# Configure the OS to enforce a PASS_WARN_AGE < 7 of each accout
+system_users=( $(awk -F: '{print $1}' /etc/shadow) )
+for i in ${system_users[@]};
+do
+  chage --warndays $BAD_PAS_WARN_AGE $i
+done
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
@@ -1,4 +1,3 @@
-CCE-92321-9
 CCE-92324-3
 CCE-92326-8
 CCE-92327-6

diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -1,4 +1,3 @@
-CCE-92479-5
 CCE-92481-1
 CCE-92483-7
 CCE-92484-5