password_rules_policies – Manages password rules and policies
Synopsis
Manages password rules and policies by modifying stanza attributes in the AIX config file /etc/security/user using the chsec command.
Requirements
The below requirements are needed on the host that executes this module.
AIX
Python >= 2.7
Privileged user with authorizations
Parameters
- state (optional, str, present)
If set to present, all given attrs values will be set. If set to absent, all attrs provided will be unset, regardless of the value provided. NB, this does not remove the entire stanza; only the provided attrs will be removed.
To remove a single attribute from the stanza, set state to present and set the key to an empty value (key=). All rules, allowed file/stanza combinations and allowed files for the AIX chsec command apply here.
- stanza (True, str, None)
Name of the stanza to modify attributes of.
- account_locked (False, bool, None)
Indicates if the user account is locked.
- admin (False, bool, None)
Defines the administrative status of the user.
- admgroups (False, list, None)
Lists the groups the user administrates.
- auditclasses (False, list, None)
Lists the user’s audit classes.
- auth1 (False, list, None)
Lists additional mandatory methods for authenticating the user.
The auth1 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead.
The authentication process will fail if any of the methods specified by the auth1 attribute fail.
- auth2 (False, list, None)
Lists additional optional methods for authenticating the user.
The auth2 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead.
The authentication process will not fail if any of the methods specified by the auth2 attribute fail.
- core_compress (False, str, None)
Enables or disables core file compression.
If this attribute has a value of On, compression is enabled; otherwise, compression is disabled.
- core_path (False, str, None)
Enables or disables core file path specification.
If this attribute has a value of On, core files will be placed in the directory specified by core_pathname (the feature is enabled). If set to Off, core files are placed in the user's current working directory.
- core_pathname (False, str, None)
Specifies a location to be used to place core files, if the core_path attribute is set to On. If this is not set and core_path=On, core files will be placed in the user's current working directory.
This attribute is limited to 256 characters.
- core_naming (False, str, None)
Selects a choice of core file naming strategies.
A value of On enables core file naming in the form core.pid.time.
Indicates whether the user specified by the Name parameter can execute programs using the cron daemon or the src (system resource controller) daemon.
- dce_export (False, bool, None)
Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation.
- dictionlist (False, list, None)
Defines the password dictionaries used by the composition restrictions when checking new passwords.
- minloweralpha (False, str, None)
Defines the minimum number of lower case alphabetic characters that must be in a new password.
- minupperalpha (False, str, None)
Defines the minimum number of upper case alphabetic characters that must be in a new password.
- mindigit (False, str, None)
Defines the minimum number of digits that must be in a new password.
- minspecialchar (False, str, None)
Defines the minimum number of special characters that must be in a new password.
- efs_adminks_access (False, str, None)
Defines the efs_admin keystore location.
This attribute is valid only if the system is EFS-enabled.
- efs_allowksmodechangebyuser (False, str, None)
Defines whether the user can change the mode or not.
This attribute is valid only if the system is EFS-enabled.
- efs_file_algo (False, str, None)
Defines the algorithm that is used to generate the file protection key.
This attribute is valid only if the system is EFS-enabled.
- efs_initialks_mode (False, str, None)
Defines the initial mode of the user keystore.
This attribute is valid only if the system is EFS-enabled.
- efs_keystore_access (False, str, None)
Defines the user keystore location.
This attribute is valid only if the system is EFS-enabled.
- efs_keystore_algo (False, str, None)
Defines the algorithm that is used to generate the user keystore.
This attribute is valid only if the system is EFS-enabled.
- expires (False, str, None)
Identifies the expiration date of the account.
The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038.
- histexpire (False, str, None)
Designates the period of time (in weeks) that a user cannot reuse a password.
- histsize (False, str, None)
Designates the number of previous passwords a user cannot reuse.
- login (False, bool, None)
Indicates whether the user can log in to the system with the login command.
- logintimes (False, str, None)
Specifies the times, days, or both, the user is allowed to access the system.
The day variable must be one digit between 0 and 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.
The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading zeroes are required. For example, you must enter 0800, not 800.
The date variable is a four digit string in the form mmdd. mm represents the calendar month and dd represents the day number.
Entries in this list specify times that a user is allowed or denied access to the system.
- loginretries (False, str, None)
Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account.
- maxage (False, str, None)
Defines the maximum age (in weeks) of a password.
- maxexpired (False, str, None)
Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password.
- maxrepeats (False, str, None)
Defines the maximum number of times a character can be repeated in a new password.
- minage (False, str, None)
Defines the minimum age (in weeks) a password must be before it can be changed.
- minalpha (False, str, None)
Defines the minimum number of alphabetic characters that must be in a new password.
- mindiff (False, str, None)
Defines the minimum number of characters required in a new password that were not in the old password.
- minlen (False, str, None)
Defines the minimum length of a password.
- minother (False, str, None)
Defines the minimum number of non-alphabetic characters that must be in a new password.
- projects (False, list, None)
Defines the list of projects that the user’s processes can be assigned to.
- pwdchecks (False, list, None)
Defines the password restriction methods enforced on new passwords.
- pwdwarntime (False, str, None)
Defines the number of days before the system issues a warning that a password change is required.
- registry (False, str, None)
Defines the authentication registry where the user is administered.
- rlogin (False, bool, None)
Permits access to the account from a remote location with the telnet or rlogin commands.
- su (False, bool, None)
Indicates whether another user can switch to the specified user account with the su command.
- sugroups (False, str, None)
Lists the groups that can use the su command to switch to the specified user account.
- SYSTEM (False, str, None)
Defines the system authentication mechanism for the user.
- tpath (False, str, None)
Indicates the user’s trusted path status.
- ttys (False, str, None)
Lists the terminals that can access the account specified by the Name parameter.
- umask (False, str, None)
Determines file permissions. This value, along with the permissions of the creating process, determines a file's permissions when the file is created.
Notes
Note
If the registry is set to NIS or DCE, it cannot be removed.
To remove an attribute, you need to provide a valid value along with state set to absent.
Refer to the chsec manual page from the IBM Knowledge Center https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/c_commands/chsec
Refer to the lssec manual page from the IBM Knowledge Center https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/l_commands/lssec.html
Examples
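The original Examples section is empty, so the following is an added example and not code from the ibm.power_aix collection. It models the /etc/security/user stanza file that the module edits, applies attributes with the same state=present / state=absent semantics described under the state parameter (an empty value, like chsec's key=, removes the attribute; absent never deletes the stanza), records the chsec command line the module would run for each attribute that needs a change, and then checks a user's effective policy, taking the default stanza fallback into account. The sample file contents, the user names and the thresholds in check_policy are constructed for this example; the chsec invocation format (chsec -f File -s Stanza -a Attribute=Value) is the one documented in the chsec manual page linked above.

```python
"""Added example: a model of /etc/security/user and of the module's set/unset
semantics. Not part of the ibm.power_aix collection. Sample data and policy
thresholds are constructed/assumed for illustration."""
import re

USER_FILE = "/etc/security/user"

# Constructed sample of the AIX stanza format: "name:" headers followed by
# tab-indented "attr = value" lines; '*' starts a comment.
SAMPLE_USER_FILE = """\
* constructed sample, not a real system file
default:
\tadmin = false
\tlogin = true
\tminlen = 0
\tmaxage = 0
\tloginretries = 0
\thistsize = 0

root:
\tadmin = true

alice:
\tminlen = 6
\tmaxage = 13
"""

STANZA_RE = re.compile(r"^(\S+):\s*$")
ATTR_RE = re.compile(r"^\s+(\S+)\s*=\s*(.*?)\s*$")


def parse_stanzas(text):
    """Return {stanza: {attr: value}} from stanza-file text (what lssec reads)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas


def chsec_cmd(stanza, key, value):
    """The chsec invocation that sets (or, with an empty value, unsets) one attr."""
    return f"chsec -f {USER_FILE} -s {stanza} -a {key}={value}"


def apply(stanzas, stanza, attrs, state="present"):
    """Mirror the module: present sets each attr (empty value removes it),
    absent removes each named attr regardless of value and keeps the stanza.
    Returns (new_stanzas, commands); commands is empty when nothing changes."""
    new = {n: dict(a) for n, a in stanzas.items()}
    target = new.setdefault(stanza, {})
    cmds = []
    for key, value in attrs.items():
        value = "" if value is None else str(value)
        if state == "absent" or value == "":
            if key in target:  # only emit a command when a change is required
                del target[key]
                cmds.append(chsec_cmd(stanza, key, ""))
        elif target.get(key) != value:
            target[key] = value
            cmds.append(chsec_cmd(stanza, key, value))
    return new, cmds


def effective(stanzas, user):
    """AIX uses the default stanza for any attribute the user stanza leaves unset."""
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(user, {}))
    return merged


def check_policy(stanzas, user, minlen=8, maxage=13, loginretries=5, histsize=5):
    """Flag weak password settings for a user. In /etc/security/user a value of 0
    for maxage, loginretries or histsize means 'no limit', so 0 is the weakest
    setting, not the strictest. Thresholds are an assumed baseline."""
    eff = effective(stanzas, user)
    num = lambda k: int(eff.get(k, "0") or 0)
    findings = []
    if num("minlen") < minlen:
        findings.append(f"minlen={num('minlen')} below {minlen}")
    if num("maxage") == 0 or num("maxage") > maxage:
        findings.append(f"maxage={num('maxage')} (0 = never expires) exceeds {maxage} weeks")
    if num("loginretries") == 0 or num("loginretries") > loginretries:
        findings.append(f"loginretries={num('loginretries')} (0 = unlimited) exceeds {loginretries}")
    if num("histsize") < histsize:
        findings.append(f"histsize={num('histsize')} below {histsize}")
    return findings


if __name__ == "__main__":
    s = parse_stanzas(SAMPLE_USER_FILE)
    print("before:", check_policy(s, "alice"))
    s, cmds = apply(s, "default", {"minlen": 8, "maxage": 13, "loginretries": 5, "histsize": 5})
    print("\n".join(cmds))
    print("after default hardening:", check_policy(s, "alice"))
    # state=absent on alice's own minlen makes her fall back to the default stanza
    s, cmds = apply(s, "alice", {"minlen": 6}, state="absent")
    print("\n".join(cmds))
    print("after unsetting alice.minlen:", check_policy(s, "alice"))
```

The second apply call shows why the Notes say a value must still be supplied with state=absent: the value is ignored, the attribute is unset with key=, and the user then inherits the hardened default stanza; running the same absent call again produces no command, which is the idempotent "changed: false" case.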
Return Values
- changed (always, bool, False)
Was this value changed
- msg (always, str, Invalid parameter: install_list cannot be empty)
The execution message.
- file (always, str, )
The file being modified
- stanza (always, str, )
The stanza in file being modified
- attrs (always, dict, )
For each attribute provided in the ‘attrs’ section, an entry (below) is returned
- cmd (Only if attr requires change, str, )
Command that is run to update attr
- stdout (only when cmd is run, str, )
The standard output of the command.
- stderr (only when cmd is run, str, )
The standard error of the command.
- rc (only when cmd is run, int, )
The command return code.