From 7f91ddaeae076cb869bad65f4d5b2f2259ae97af Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Thu, 26 Jan 2023 23:19:56 +0100
Subject: [PATCH] split tasks for locking and setting shell

Signed-off-by: Martin Schurz
---
 roles/os_hardening/tasks/user_accounts.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/roles/os_hardening/tasks/user_accounts.yml b/roles/os_hardening/tasks/user_accounts.yml
index e3828ba39..f8bfb9e72 100644
--- a/roles/os_hardening/tasks/user_accounts.yml
+++ b/roles/os_hardening/tasks/user_accounts.yml
@@ -80,13 +80,21 @@
     - root_users|length > 1
     - item != "root"
 
-- name: Remove shell+password for linux system accounts
-  ansible.builtin.user:
+- name: remove shell for linux system accounts
+  user:
     name: '{{ item }}'
     shell: '{{ os_nologin_shell_path }}'
+    createhome: false
+  loop: "{{ system_users }}"
+
+- name: lock passwords from linux system accounts
+  user:
+    name: '{{ item }}'
     password: '*'
     createhome: false
   loop: "{{ system_users }}"
+  when:
+    - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked)
 
 - name: Get all home directories in /home, but skip ignored users
   ansible.builtin.find:
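Review bot: Both new tasks drop the fully-qualified module name that the removed line used (`ansible.builtin.user:`) and that the neighbouring context task still uses (`ansible.builtin.find:`), so the file now mixes short and FQCN module names; keep `ansible.builtin.user:` in both tasks. The new `when` on the lock task indexes `getent_shadow[item][0]` directly, which will raise a templating error rather than skip if a name in `system_users` has no shadow entry on the host — presumably `getent_shadow` comes from an earlier getent task outside this hunk, so this depends on how `system_users` is populated; a guard `- item in getent_shadow` ahead of the match condition would make the skip explicit. The trailing inline comment is hard to read at that width; I would move it to its own line above the `when:` as `# shadow hashes that already start with "!" are locked; only rewrite the others to "*"`.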