xoxys.users/tasks/security.yml

---
- block:
    - name: Stat umask files
      stat:
        path: "{{ item }}"
      loop:
        - /etc/bashrc
        - /etc/csh.cshrc
        - /etc/profile
      register: __users_umask_files

    - name: Set global umask
      replace:
        path: "{{ item }}"
        regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
        replace: \g<umask>{{ users_global_umask }}
      loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"

    - name: Set umask in /etc/login.defs
      lineinfile:
        path: /etc/login.defs
        regexp: '^(?P<umask>UMASK\s+).+'
        line: \g<umask>{{ users_global_umask }}
        backrefs: yes
        state: present

    - name: Enforce minimum password lifetime
      lineinfile:
        path: /etc/login.defs
        regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
        line: \g<passmin>{{ users_pass_min_day }}
        backrefs: yes
        state: present

    - name: Set default account expiration after inactivity
      lineinfile:
        path: /etc/default/useradd
        regexp: "^(?P<inactive>INACTIVE=).+"
        line: \g<inactive>{{ users_default_inactive }}
        backrefs: yes
        state: present
  become: True
  become_user: root
feat: add option to set account expiration after inactivity 2022-09-20 07:10:15 +00:00			`---`
			`- block:`
			`- name: Stat umask files`
			`stat:`
			`path: "{{ item }}"`
			`loop:`
			`- /etc/bashrc`
			`- /etc/csh.cshrc`
			`- /etc/profile`
			`register: __users_umask_files`

			`- name: Set global umask`
			`replace:`
			`path: "{{ item }}"`
			`regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'`
			`replace: \g<umask>{{ users_global_umask }}`
			`loop: "{{ __users_umask_files \| json_query('results[?stat.exists].item') }}"`

			`- name: Set umask in /etc/login.defs`
			`lineinfile:`
			`path: /etc/login.defs`
			`regexp: '^(?P<umask>UMASK\s+).+'`
			`line: \g<umask>{{ users_global_umask }}`
			`backrefs: yes`
			`state: present`

			`- name: Enforce minimum password lifetime`
			`lineinfile:`
			`path: /etc/login.defs`
			`regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'`
			`line: \g<passmin>{{ users_pass_min_day }}`
			`backrefs: yes`
			`state: present`

			`- name: Set default account expiration after inactivity`
			`lineinfile:`
			`path: /etc/default/useradd`
			`regexp: "^(?P<inactive>INACTIVE=).+"`
			`line: \g<inactive>{{ users_default_inactive }}`
			`backrefs: yes`
			`state: present`
			`become: True`
			`become_user: root`