diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 88702455..ae334c38 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -771,6 +771,18 @@
 changed_when: cracklib_passwords.rc != 0
 when: ansible_os_family == "Debian"
 
+ - name: Verify username password list
+ environment:
+ PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ ansible.builtin.shell: |
+ set -o pipefail
+ grep "{{ ansible_user | default(lookup('ansible.builtin.env', 'USER')) }}" /usr/share/dict/passwords.local
+ args:
+ executable: /bin/bash
+ register: username_passwords
+ failed_when: username_passwords.rc != 0
+ changed_when: username_passwords.rc != 0
+
 - name: Index blacklisted kernel modules
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/tasks/password.yml b/tasks/password.yml
index 5ae93054..9dc1980d 100644
--- a/tasks/password.yml
+++ b/tasks/password.yml
@@ -254,12 +254,6 @@
 - cracklib
 - pam
 
-- name: Get local accounts
- ansible.builtin.command:
- cmd: awk -F':' '{print $1}' /etc/passwd
- changed_when: false
- register: local_accounts
-
 - name: Add local information to password list
 become: true
 ansible.builtin.lineinfile:
@@ -276,7 +270,33 @@
 loop:
 - "{{ ansible_hostname | lower }}"
 - "{{ ansible_os_family | lower }}"
- - "{{ local_accounts.stdout | unique | trim }}"
+ tags:
+ - cracklib
+ - pam
+
+ - name: Get all local user accounts
+ ansible.builtin.getent:
+ database: passwd
+ register: local_users
+ tags:
+ - cracklib
+ - pam
+
+ - name: Add local usernames to password list
+ become: true
+ ansible.builtin.lineinfile:
+ dest: /usr/share/dict/passwords.local
+ mode: "0644"
+ owner: root
+ group: root
+ state: present
+ line: "{{ item }}"
+ changed_when: false
+ notify:
+ - Update Debian cracklib
+ - Update RedHat cracklib
+ with_items:
+ - "{{ local_users.ansible_facts.getent_passwd | list}}"
 tags:
 - cracklib
 - pam
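Review bot: The grep in the new `Verify username password list` task is an unanchored substring match, so the check passes when any line of passwords.local merely contains the username (a `root` entry is satisfied by `rooter`), and the `USER` lookup is evaluated on the control node, so when `ansible_user` is unset the task searches for the controller's login rather than an account that exists on the managed host. A fixed-string, whole-line match with the interpolated value shell-quoted is more reliable: `grep -Fxq -- {{ ansible_user | default(lookup('ansible.builtin.env', 'USER')) | quote }} /usr/share/dict/passwords.local`. `changed_when: username_passwords.rc != 0` also reports a read-only verify step as changed whenever it fails, which duplicates `failed_when`; `changed_when: false` is the usual form for checks like this. The enclosing task list starts and ends outside the hunk.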
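Review bot: The new `Add local usernames to password list` task sets `changed_when: false` while also listing `notify` handlers, so the two cracklib handlers it names can never be triggered from this task (handlers fire only on a changed result), and usernames appended here will not be compiled into the dictionary unless a later task in the play rebuilds it. Either drop `changed_when: false` and let `lineinfile` report its own change, or keep it and confirm that the rebuild is notified elsewhere. Two smaller points in the same hunk: the sibling task uses `loop:`, so the single templated list here would read consistently as `loop: "{{ local_users.ansible_facts.getent_passwd | list }}"` instead of `with_items:`, and `| list}}` is missing the space before `}}`. The task list continues outside the hunk.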