stackhpc · bbezak · Dec 1, 2025 · Nov 28, 2025 · Dec 1, 2025
@@ -20,16 +20,26 @@
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
 
+    - name: Gather passwd entries
+      ansible.builtin.getent:
+        database: passwd
+      become: true
+
     - name: Ensure service accounts have no expiry options set
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.user:
+        name: "{{ item }}"
+        password_expire_min: 0
+        password_expire_max: 99999
+        password_expire_warn: 7
+        expires: -1
       become: true
-      changed_when: false
-      with_items:
+      loop:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
+      when: item in ansible_facts.getent_passwd
 
 - name: Security hardening
   hosts: cis-hardening

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CIS hardening playbook skips service accounts that do not exist on the host
+    (e.g. kolla on non-Kolla/Ceph-only nodes) to avoid errors.