Disables password expiration and inactivity policies (#1106)

jovial · web-flow · commit 6a5920c0db15 · 2024-07-12T18:56:20.000+01:00
* Disables password expiration and inactivity policies

This was causing the kayobe and kolla service accounts to be locked
out of the system.

* Remove flag that configures password expiry warning
diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
@@ -18,6 +18,17 @@
         state: absent
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
 
+    - name: Ensure service accounts have no expiry options set
+      # This is to workaround an issue where we set the expiry to 365 days on kayobe
+      # service accounts in a previous iteration of the CIS benchmark hardening
+      # defaults. This should restore the defaults and can eventually be removed.
+      command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      become: true
+      changed_when: false
+      with_items:
+        - "{{ kayobe_ansible_user }}"
+        - "{{ kolla_ansible_user }}"
+
     - include_role:
         name: ansible-lockdown.rhel8_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '8'
diff --git a/etc/kayobe/inventory/group_vars/overcloud/cis b/etc/kayobe/inventory/group_vars/overcloud/cis
@@ -75,6 +75,10 @@ rhel9cis_max_log_file_size: 1024
 # `rhel9cis_bootloader_password_hash`
 rhel9cis_set_boot_pass: false
 
+# NOTICE: rule disabled otherwise rule will prevent access to accounts
+# as it will expire passwords older than one year.
+rhel9cis_rule_5_6_1_1: false
+
 ##############################################################################
 # Ubuntu Jammy CIS Hardening Configuration
 
@@ -159,4 +163,17 @@ ubtu22cis_max_log_file_size: 1024
 # ubtu22cis_bootloader_password_hash
 ubtu22cis_rule_1_4_1: false
 ubtu22cis_rule_1_4_3: false
+
+# Disable: Ensure minimum days between password changes is configured
+ubtu22cis_rule_5_5_1_1: false
+
+# Disable: Ensure password expiration is 365 days or less
+ubtu22cis_rule_5_5_1_2: false
+
+# Disable: Ensure inactive password lock is 30 days or less
+ubtu22cis_rule_5_5_1_4: false
+
+# Disable: Ensure all users last password change date is in the past
+ubtu22cis_rule_5_5_1_5: false
+
 ##############################################################################
diff --git a/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml b/releasenotes/notes/disable-password-expiry-3c296c72d36cd9da.yaml
@@ -0,0 +1,7 @@
+---
+critical:
+  - |
+    Disables password expiration and inactivity policies. This caused the kayobe
+    and kolla service accounts to be locked out of the system. You should re-apply
+    the CIS benchmark hardening playbook as soon as possible to avoid being locked
+    out of your system.
