password_rules_policies – Manages password rules and policies

Synopsis

Manages password rules and policies by modifying stanza attributes in the AIX configuration file /etc/security/user using the chsec command.

Requirements

The following requirements are needed on the host that executes this module.

  • AIX

  • Python >= 2.7

  • Privileged user with authorizations

Parameters

state (optional, str, present)

If set to present, all given attrs values will be set.

If set to absent, all attrs provided will be unset, regardless of the value provided.

Note that this does not remove the entire stanza; only the provided attrs are removed.

To remove a single attribute from the stanza, set state to present and set the key to an empty value (key=).

All rules of the AIX chsec command (allowed files and allowed file/stanza combinations) apply here.

stanza (True, str, None)

Name of the stanza whose attributes are modified.

account_locked (False, bool, None)

Indicates if the user account is locked.

admin (False, bool, None)

Defines the administrative status of the user.

admgroups (False, list, None)

Lists the groups the user administrates.

auditclasses (False, list, None)

Lists the user’s audit classes.

auth1 (False, list, None)

Lists additional mandatory methods for authenticating the user.

The auth1 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead.

The authentication process will fail if any of the methods specified by the auth1 attribute fail.

auth2 (False, list, None)

Lists additional optional methods for authenticating the user.

The auth2 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead.

The authentication process will not fail if any of the methods specified by the auth2 attribute fail.

core_compress (False, str, None)

Enables or disables core file compression.

If this attribute has a value of On, compression is enabled; otherwise, compression is disabled.

core_path (False, str, None)

Enables or disables core file path specification.

If this attribute has a value of On, core files are placed in the directory specified by core_pathname (the feature is enabled).

If set to Off, core files are placed in the user’s current working directory.

core_pathname (False, str, None)

Specifies a location to be used to place core files, if the core_path attribute is set to On.

If this is not set and core_path=On, core files will be placed in the user’s current working directory.

This attribute is limited to 256 characters.

core_naming (False, str, None)

Selects a choice of core file naming strategies.

A value of On enables core file naming in the form core.pid.time.

daemon (False, bool, None)

Indicates whether the user specified by the Name parameter can execute programs using the cron daemon or the src (system resource controller) daemon.

dce_export (False, bool, None)

Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation.

dictionlist (False, list, None)

Defines the password dictionaries used by the composition restrictions when checking new passwords.

minloweralpha (False, str, None)

Defines the minimum number of lower case alphabetic characters that must be in a new password.

minupperalpha (False, str, None)

Defines the minimum number of upper case alphabetic characters that must be in a new password.

mindigit (False, str, None)

Defines the minimum number of digits that must be in a new password.

minspecialchar (False, str, None)

Defines the minimum number of special characters that must be in a new password.

efs_adminks_access (False, str, None)

Defines the efs_admin keystore location.

This attribute is valid only if the system is EFS-enabled.

efs_allowksmodechangebyuser (False, str, None)

Defines whether the user can change the mode or not.

This attribute is valid only if the system is EFS-enabled.

efs_file_algo (False, str, None)

Defines the algorithm that is used to generate the file protection key.

This attribute is valid only if the system is EFS-enabled.

efs_initialks_mode (False, str, None)

Defines the initial mode of the user keystore.

This attribute is valid only if the system is EFS-enabled.

efs_keystore_access (False, str, None)

Defines the user keystore location.

This attribute is valid only if the system is EFS-enabled.

efs_keystore_algo (False, str, None)

Defines the user keystore location.

This attribute is valid only if the system is EFS-enabled.

expires (False, str, None)

Identifies the expiration date of the account.

The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038.

histexpire (False, str, None)

Designates the period of time (in weeks) that a user cannot reuse a password.

histsize (False, str, None)

Designates the number of previous passwords a user cannot reuse.

login (False, bool, None)

Indicates whether the user can log in to the system with the login command.

logintimes (False, str, None)

Specifies the times, days, or both, the user is allowed to access the system.

The day variable must be one digit between 0 and 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.

The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading zeroes are required. For example, you must enter 0800, not 800.

The date variable is a four-digit string in the form mmdd, where mm represents the calendar month and dd represents the day number.

Entries in this list specify times that a user is allowed or denied access to the system.

loginretries (False, str, None)

Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account.

maxage (False, str, None)

Defines the maximum age (in weeks) of a password.

maxexpired (False, str, None)

Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password.

maxrepeats (False, str, None)

Defines the maximum number of times a character can be repeated in a new password.

minage (False, str, None)

Defines the minimum age (in weeks) a password must be before it can be changed.

minalpha (False, str, None)

Defines the minimum number of alphabetic characters that must be in a new password.

mindiff (False, str, None)

Defines the minimum number of characters required in a new password that were not in the old password.

minlen (False, str, None)

Defines the minimum length of a password.

minother (False, str, None)

Defines the minimum number of non-alphabetic characters that must be in a new password.

projects (False, list, None)

Defines the list of projects that the user’s processes can be assigned to.

pwdchecks (False, list, None)

Defines the password restriction methods enforced on new passwords.

pwdwarntime (False, str, None)

Defines the number of days before the system issues a warning that a password change is required.

registry (False, str, None)

Defines the authentication registry where the user is administered.

rlogin (False, bool, None)

Permits access to the account from a remote location with the telnet or rlogin commands.

su (False, bool, None)

Indicates whether another user can switch to the specified user account with the su command.

sugroups (False, str, None)

Lists the groups that can use the su command to switch to the specified user account.

SYSTEM (False, str, None)

Defines the system authentication mechanism for the user.

tpath (False, str, None)

Indicates the user’s trusted path status.

ttys (False, str, None)

Lists the terminals that can access the account specified by the Name parameter.

umask (False, str, None)

Determines file permissions. This value, along with the permissions of the creating process, determines a file’s permissions when the file is created.
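The composition attributes above (minlen, minalpha, minother, minloweralpha, minupperalpha, mindigit, minspecialchar, maxrepeats, mindiff) are easiest to reason about when evaluated against a concrete candidate. The following is an added illustration written to the definitions on this page; it is not the AIX passwd implementation and does not reproduce AIX's own edge-case handling. The policy values, the function name check_password and the sample passwords are all constructed for the example.

```python
"""Illustrative evaluator for the password composition attributes documented
for /etc/security/user.  Added example, written to the attribute definitions
on this page; it is not the AIX passwd code.
"""

# Constructed example policy, the kind of values an administrator would set
# on the "default" stanza.  Any attribute left out of a policy is not checked.
POLICY = {
    "minlen": 12,          # minimum total length
    "minalpha": 2,         # alphabetic characters
    "minother": 2,         # non-alphabetic characters (digits count here)
    "minloweralpha": 1,
    "minupperalpha": 1,
    "mindigit": 1,
    "minspecialchar": 1,   # neither letter nor digit
    "maxrepeats": 2,       # most times any single character may occur
    "mindiff": 4,          # characters in the new password absent from the old
}


def check_password(new, old="", policy=None):
    """Return the sorted list of attribute names the candidate violates.

    An empty list means the candidate satisfies every attribute present in
    ``policy``.  ``old`` is only needed for the mindiff rule.
    """
    policy = POLICY if policy is None else policy

    alpha = sum(c.isalpha() for c in new)
    counts = {
        "minlen": len(new),
        "minalpha": alpha,
        "minother": len(new) - alpha,
        "minloweralpha": sum(c.islower() for c in new),
        "minupperalpha": sum(c.isupper() for c in new),
        "mindigit": sum(c.isdigit() for c in new),
        "minspecialchar": sum(not c.isalnum() for c in new),
        # mindiff counts characters of the new password not found in the old one
        "mindiff": sum(1 for c in new if c not in old),
    }
    # maxrepeats is an upper bound: the highest occurrence count of any character
    most_repeated = max((new.count(c) for c in set(new)), default=0)

    violations = []
    for name, minimum in policy.items():
        if name == "maxrepeats":
            if most_repeated > minimum:
                violations.append(name)
        elif name in counts and counts[name] < minimum:
            violations.append(name)
    return sorted(violations)


if __name__ == "__main__":
    # Constructed candidates: one that passes, one that fails several rules.
    print(check_password("Winter2024!Snow", old="Winter2023!"))
    print(check_password("password"))
```

Running the block prints an empty list for the first candidate and the failing attribute names for the second; the policy dict mirrors what the module would push into the stanza, so the same table can drive both the Ansible task and a pre-flight check of a proposed password standard.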

Notes


Examples


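The page's Examples section is empty, so the following added example shows how the state=present and state=absent semantics described under the state parameter translate into chsec invocations (one command per attribute, matching the per-attr cmd return value), including an idempotency check against the stanza file format. It is not the module's own code; the stanza excerpt is constructed, and the function names parse_stanzas and plan_chsec are this example's own.

```python
"""Added example: plan the chsec commands the module would run for a given
stanza/attrs/state, skipping attributes that already match.  Not the module's
own implementation; the sample file content below is constructed.
"""
import shlex

SECURITY_USER = "/etc/security/user"

# Constructed excerpt in /etc/security/user stanza format:
# a "name:" line followed by indented "attr = value" lines, '*' comments.
SAMPLE = """\
* constructed sample, not a real system file
default:
        admin = false
        login = true
        minlen = 0
        maxage = 0
        histsize = 0

root:
        login = true
        loginretries = 0
"""


def parse_stanzas(text):
    """Return {stanza_name: {attr: value}} for stanza-format text."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                      # blank line or comment
        if line.endswith(":") and not raw[:1].isspace():
            current = line[:-1]           # new stanza header, e.g. "default:"
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue                      # attribute line outside any stanza
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def plan_chsec(stanzas, stanza, attrs, state="present", path=SECURITY_USER):
    """Return the chsec command lines needed to reach the desired state.

    state=present sets each attr to its value (an empty value means "remove
    this one attr", i.e. key=); state=absent unsets every attr given,
    regardless of the value supplied.  Attributes already in the desired state
    produce no command, which is what makes a repeated run report changed=False.
    """
    current = stanzas.get(stanza, {})
    cmds = []
    for key, value in attrs.items():
        remove = state == "absent" or (value is None or str(value) == "")
        if remove:
            if key not in current:
                continue                  # already absent
            assignment = "%s=" % key
        else:
            if current.get(key) == str(value):
                continue                  # already at the desired value
            assignment = "%s=%s" % (key, value)
        cmds.append("chsec -f %s -s %s -a %s" % (
            shlex.quote(path), shlex.quote(stanza), shlex.quote(assignment)))
    return cmds


if __name__ == "__main__":
    current = parse_stanzas(SAMPLE)
    # Enforce a minimum length, a 13-week maximum age and a password history
    # on the default stanza; histsize=0 already matches and is skipped.
    for cmd in plan_chsec(current, "default", {"minlen": 12, "histsize": 0, "maxage": 13}):
        print(cmd)
    # state=absent unsets the attribute with key= if it is present.
    for cmd in plan_chsec(current, "default", {"histsize": "5"}, state="absent"):
        print(cmd)
```

The planner only prints the commands; on a real host each line would be executed as the privileged user and its stdout, stderr and rc recorded per attribute, which is the shape of the attrs return value documented below.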
Return Values

changed (always, bool, False)

Whether a change was made.

msg (always, str, Invalid parameter: install_list cannot be empty)

The execution message.

file (always, str, )

The file being modified.

stanza (always, str, )

The stanza in the file being modified.

attrs (always, dict, )

For each attribute provided in the ‘attrs’ section, an entry with the fields below is returned.

cmd (only if the attr requires a change, str, )

Command that is run to update the attr.

stdout (only when cmd is run, str, )

The standard output of the command.

stderr (only when cmd is run, str, )

The standard error of the command.

rc (only when cmd is run, int, )

The command return code.

Status

Authors

  • Shreyansh Chamola (@schamola)