split tasks for locking and setting shell

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
dev-sec · Jan 26, 2023 · 7f91dda · 7f91dda
1 parent 083fc7a
commit 7f91dda
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/roles/os_hardening/tasks/user_accounts.yml b/roles/os_hardening/tasks/user_accounts.yml
@@ -80,13 +80,21 @@
     - root_users|length > 1
     - item != "root"
 
-- name: Remove shell+password for linux system accounts
-  ansible.builtin.user:
+- name: remove shell for linux system accounts
+  user:
     name: '{{ item }}'
     shell: '{{ os_nologin_shell_path }}'
+    createhome: false
+  loop: "{{ system_users }}"
+
+- name: lock passwords from linux system accounts
+  user:
+    name: '{{ item }}'
     password: '*'
     createhome: false
   loop: "{{ system_users }}"
+  when:
+    - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked)
 
 - name: Get all home directories in /home, but skip ignored users
   ansible.builtin.find: