xoxys.users/tasks/security.yml

---
- block:
    - name: Stat umask files
      stat:
        path: "{{ item }}"
      loop:
        - /etc/bashrc
        - /etc/csh.cshrc
        - /etc/profile
      register: __users_umask_files

    - name: Stat pwquality files
      stat:
        path: "/etc/security/pwquality.conf"
      register: __users_pwquality_file

    - name: Set global umask
      replace:
        path: "{{ item }}"
        regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'
        replace: \g<umask>{{ users_global_umask }}
      loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"

    - name: Set umask in /etc/login.defs
      lineinfile:
        path: /etc/login.defs
        regexp: '^(?P<umask>UMASK\s+).+'
        line: \g<umask>{{ users_global_umask }}
        backrefs: yes
        state: present

    - name: Enforce minimum password lifetime
      lineinfile:
        path: /etc/login.defs
        regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'
        line: \g<passmin>{{ users_pass_min_day }}
        backrefs: yes
        state: present

    - name: Set default account expiration after inactivity
      lineinfile:
        path: /etc/default/useradd
        regexp: "^(?P<inactive>INACTIVE=).+"
        line: \g<inactive>{{ users_default_inactive }}
        backrefs: yes
        state: present

    - name: Set pwquality if available
      template:
        src: etc/security/pwquality.conf.j2
        dest: /etc/security/pwquality.conf
        owner: root
        group: root
        mode: 0644
      when: __users_pwquality_file.stat.exists | bool
  become: True
  become_user: root
feat: add option to set account expiration after inactivity 2022-09-20 07:10:15 +00:00			`---`
			`- block:`
			`- name: Stat umask files`
			`stat:`
			`path: "{{ item }}"`
			`loop:`
			`- /etc/bashrc`
			`- /etc/csh.cshrc`
			`- /etc/profile`
			`register: __users_umask_files`

feat: deploy pwpolicy if available 2022-09-20 08:01:40 +00:00			`- name: Stat pwquality files`
			`stat:`
			`path: "/etc/security/pwquality.conf"`
			`register: __users_pwquality_file`

feat: add option to set account expiration after inactivity 2022-09-20 07:10:15 +00:00			`- name: Set global umask`
			`replace:`
			`path: "{{ item }}"`
			`regexp: '^(?i)(?P<umask>\s+UMASK\s+).+'`
			`replace: \g<umask>{{ users_global_umask }}`
			`loop: "{{ __users_umask_files \| json_query('results[?stat.exists].item') }}"`

			`- name: Set umask in /etc/login.defs`
			`lineinfile:`
			`path: /etc/login.defs`
			`regexp: '^(?P<umask>UMASK\s+).+'`
			`line: \g<umask>{{ users_global_umask }}`
			`backrefs: yes`
			`state: present`

			`- name: Enforce minimum password lifetime`
			`lineinfile:`
			`path: /etc/login.defs`
			`regexp: '^(?P<passmin>PASS_MIN_DAYS\s+).+'`
			`line: \g<passmin>{{ users_pass_min_day }}`
			`backrefs: yes`
			`state: present`

			`- name: Set default account expiration after inactivity`
			`lineinfile:`
			`path: /etc/default/useradd`
			`regexp: "^(?P<inactive>INACTIVE=).+"`
			`line: \g<inactive>{{ users_default_inactive }}`
			`backrefs: yes`
			`state: present`
feat: deploy pwpolicy if available 2022-09-20 08:01:40 +00:00
			`- name: Set pwquality if available`
			`template:`
			`src: etc/security/pwquality.conf.j2`
			`dest: /etc/security/pwquality.conf`
			`owner: root`
			`group: root`
			`mode: 0644`
			`when: __users_pwquality_file.stat.exists \| bool`
feat: add option to set account expiration after inactivity 2022-09-20 07:10:15 +00:00			`become: True`
			`become_user: root`