RHEL9-CIS/tasks/section_7/cis_7.2.x.yml

---

- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
  when:
    - rhel9cis_rule_7_2_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.1
    - user_accounts
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.1'
  block:
    - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords"
      ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd
      changed_when: false
      failed_when: false
      register: discovered_nonshadowed_users

    - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings"
      when: discovered_nonshadowed_users.stdout | length > 0
      ansible.builtin.debug:
        msg:
          - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"
          - "{{ discovered_nonshadowed_users.stdout_lines }}"

    - name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count"
      when: discovered_nonshadowed_users.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
  when:
    - rhel9cis_rule_7_2_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_7.2.2
    - user
    - permissions
    - NIST800-53R5_IA-5
  block:
    - name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password"
      ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow
      changed_when: false
      check_mode: false
      register: discovered_empty_password_acct

    - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password"
      when: discovered_empty_password_acct.stdout | length > 0
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
      loop:
        - "{{ discovered_empty_password_acct.stdout_lines }}"

- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
  when:
    - rhel9cis_rule_7_2_3
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.3
    - groups
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.3'
  block:
    - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
      ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_passwd_gid_check

    - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
      when: discovered_passwd_gid_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"

    - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
      when: discovered_passwd_gid_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist"
  when:
    - rhel9cis_rule_7_2_4
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.4
    - user
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.4'
  block:
    - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_user_uid_check

    - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
      when: discovered_user_uid_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"

    - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Set warning count"
      when: discovered_user_uid_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist"
  when:
    - rhel9cis_rule_7_2_5
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.5
    - groups
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.5'
  block:
    - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_user_gid_check

    - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
      when: discovered_user_gid_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"

    - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Set warning count"
      when: discovered_user_gid_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist"
  vars:
    warn_control_id: '7.2.6'
  when:
    - rhel9cis_rule_7_2_6
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.6
    - user
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
    - name: "7.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_username_check

    - name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
      when: discovered_username_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"

    - name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Set warning count"
      when: discovered_username_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist"
  when:
    - rhel9cis_rule_7_2_7
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.7
    - groups
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.7'
  block:
    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
      ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_group_check

    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
      when: discovered_group_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}"

    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
      when: discovered_group_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured"
  when:
    - rhel9cis_rule_7_2_8
  tags:
    - level1-server
    - level1-workstation
    - patch
    - users
    - rule_7.2.8
  block:
    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"  # noqa risky-file-permissions
      ansible.builtin.file:
        path: "{{ item.dir }}"
        state: directory
        owner: "{{ item.id }}"
        group: "{{ item.gid }}"
      loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
      loop_control:
        label: "{{ item.id }}"

    # set default ACLs so the homedir has an effective umask of 0027
    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set group ACL"
      when: not system_is_container
      ansible.posix.acl:
        path: "{{ item }}"
        default: true
        etype: group
        permissions: rx
        state: present
      loop: "{{ prelim_interactive_users_home.stdout_lines }}"

    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL"
      when: not system_is_container
      ansible.posix.acl:
        path: "{{ item }}"
        default: true
        etype: other
        permissions: 0
        state: present
      loop: "{{ prelim_interactive_users_home.stdout_lines }}"

- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured"
  when:
    - rhel9cis_rule_7_2_9
    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_7.2.9
    - user
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.9'
  block:
    - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
      ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
      changed_when: false
      failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
      check_mode: false
      register: discovered_homedir_dot_files

    - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
      when:
        - discovered_homedir_dot_files.stdout | length > 0
        - rhel9cis_dotperm_ansiblemanaged
      ansible.builtin.debug:
        msg:
          - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."

    - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
      when:
        - discovered_homedir_dot_files.stdout | length > 0
        - rhel9cis_dotperm_ansiblemanaged
      ansible.builtin.import_tasks:
        file: warning_facts.yml

    - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
      when:
        - discovered_homedir_dot_files.stdout | length > 0
        - rhel9cis_dotperm_ansiblemanaged
      ansible.builtin.file:
        path: '{{ item }}'
        mode: 'go-w'
      with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
section 7 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:10 +01:00			`---`

			`- name: "7.2.1 \| AUDIT \| Ensure accounts in /etc/passwd use shadowed passwords"`
			`when:`
			`- rhel9cis_rule_7_2_1`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_7.2.1`
			`- user_accounts`
			`- NIST800-53R5_IA-5`
			`vars:`
			`warn_control_id: '7.2.1'`
			`block:`
			`- name: "7.2.1 \| AUDIT \| Ensure accounts in /etc/passwd use shadowed passwords \| Get users not using shadowed passwords"`
			`ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd`
			`changed_when: false`
			`failed_when: false`
			`register: discovered_nonshadowed_users`

			`- name: "7.2.1 \| AUDIT \| Ensure accounts in /etc/passwd use shadowed passwords \| Warn on findings"`
			`when: discovered_nonshadowed_users.stdout \| length > 0`
			`ansible.builtin.debug:`
			`msg:`
			`- "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"`
			`- "{{ discovered_nonshadowed_users.stdout_lines }}"`

			`- name: "7.2.1 \| WARNING \| Ensure accounts in /etc/passwd use shadowed passwords \| warn_count"`
			`when: discovered_nonshadowed_users.stdout \| length > 0`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.2 \| PATCH \| Ensure /etc/shadow password fields are not empty"`
			`when:`
			`- rhel9cis_rule_7_2_2`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_7.2.2`
			`- user`
			`- permissions`
			`- NIST800-53R5_IA-5`
			`block:`
			`- name: "7.2.2 \| AUDIT \| Ensure /etc/shadow password fields are not empty \| Find users with no password"`
			`ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow`
			`changed_when: false`
			`check_mode: false`
			`register: discovered_empty_password_acct`

			`- name: "7.2.2 \| PATCH \| Ensure /etc/shadow password fields are not empty \| Lock users with empty password"`
			`when: discovered_empty_password_acct.stdout \| length > 0`
			`ansible.builtin.user:`
			`name: "{{ item }}"`
			`password_lock: true`
			`loop:`
			`- "{{ discovered_empty_password_acct.stdout_lines }}"`

			`- name: "7.2.3 \| AUDIT \| Ensure all groups in /etc/passwd exist in /etc/group"`
			`when:`
			`- rhel9cis_rule_7_2_3`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_7.2.3`
			`- groups`
			`- NIST800-53R5_CM-1`
			`- NIST800-53R5_CM-2`
			`- NIST800-53R5_CM-6`
			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_IA-5`
			`vars:`
			`warn_control_id: '7.2.3'`
			`block:`
			`- name: "7.2.3 \| AUDIT \| Ensure all groups in /etc/passwd exist in /etc/group \| Check /etc/passwd entries"`
			`ansible.builtin.shell: pwck -r \| grep 'no group' \| awk '{ gsub("[:\47]",""); print $2}'`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: discovered_passwd_gid_check`

			`- name: "7.2.3 \| AUDIT \| Ensure all groups in /etc/passwd exist in /etc/group \| Print warning about users with invalid GIDs missing GID entries in /etc/group"`
			`when: discovered_passwd_gid_check.stdout \| length > 0`
			`ansible.builtin.debug:`
improvements Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-08-07 10:31:31 +01:00			`msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines \| join(', ') }}"`
section 7 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:10 +01:00
			`- name: "7.2.3 \| WARNING \| Ensure all groups in /etc/passwd exist in /etc/group \| warn_count"`
			`when: discovered_passwd_gid_check.stdout \| length > 0`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.4 \| AUDIT \| Ensure no duplicate UIDs exist"`
			`when:`
			`- rhel9cis_rule_7_2_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_7.2.4`
			`- user`
			`- NIST800-53R5_CM-1`
			`- NIST800-53R5_CM-2`
			`- NIST800-53R5_CM-6`
			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_IA-5`
			`vars:`
			`warn_control_id: '7.2.4'`
			`block:`
			`- name: "7.2.4 \| AUDIT \| Ensure no duplicate UIDs exist \| Check for duplicate UIDs"`
			`ansible.builtin.shell: "pwck -r \| awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: discovered_user_uid_check`

			`- name: "7.2.4 \| AUDIT \| Ensure no duplicate UIDs exist \| Print warning about users with duplicate UIDs"`
			`when: discovered_user_uid_check.stdout \| length > 0`
			`ansible.builtin.debug:`
			`msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"`

			`- name: "7.2.4 \| AUDIT \| Ensure no duplicate UIDs exist \| Set warning count"`
			`when: discovered_user_uid_check.stdout \| length > 0`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.5 \| AUDIT \| Ensure no duplicate GIDs exist"`
			`when:`
			`- rhel9cis_rule_7_2_5`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_7.2.5`
			`- groups`
			`- NIST800-53R5_CM-1`
			`- NIST800-53R5_CM-2`
			`- NIST800-53R5_CM-6`
			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_IA-5`
			`vars:`
			`warn_control_id: '7.2.5'`
			`block:`
			`- name: "7.2.5 \| AUDIT \| Ensure no duplicate GIDs exist \| Check for duplicate GIDs"`
			`ansible.builtin.shell: "pwck -r \| awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: discovered_user_gid_check`

			`- name: "7.2.5 \| AUDIT \| Ensure no duplicate GIDs exist \| Print warning about users with duplicate GIDs"`
			`when: discovered_user_gid_check.stdout \| length > 0`
			`ansible.builtin.debug:`
			`msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"`

			`- name: "7.2.5 \| AUDIT \| Ensure no duplicate GIDs exist \| Set warning count"`
			`when: discovered_user_gid_check.stdout \| length > 0`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.6 \| AUDIT \| Ensure no duplicate user names exist"`
			`vars:`
			`warn_control_id: '7.2.6'`
			`when:`
			`- rhel9cis_rule_7_2_6`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_7.2.6`
			`- user`
			`- NIST800-53R5_CM-1`
			`- NIST800-53R5_CM-2`
			`- NIST800-53R5_CM-6`
			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_IA-5`
			`block:`
			`- name: "7.2.6 \| AUDIT \| Ensure no duplicate user names exist \| Check for duplicate User Names"`
			`ansible.builtin.shell: "pwck -r \| awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: discovered_username_check`

			`- name: "7.2.6 \| WARNING \| Ensure no duplicate user names exist \| Print warning about users with duplicate User Names"`
			`when: discovered_username_check.stdout \| length > 0`
			`ansible.builtin.debug:`
			`msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"`

			`- name: "7.2.6 \| WARNING \| Ensure no duplicate user names exist \| Set warning count"`
			`when: discovered_username_check.stdout \| length > 0`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.7 \| AUDIT \| Ensure no duplicate group names exist"`
			`when:`
			`- rhel9cis_rule_7_2_7`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- rule_7.2.7`
			`- groups`
			`- NIST800-53R5_CM-1`
			`- NIST800-53R5_CM-2`
			`- NIST800-53R5_CM-6`
			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_IA-5`
			`vars:`
			`warn_control_id: '7.2.7'`
			`block:`
			`- name: "7.2.7 \| AUDIT \| Ensure no duplicate group names exist \| Check for duplicate group names"`
			`ansible.builtin.shell: 'getent passwd \| cut -d: -f1 \| sort -n \| uniq -d'`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
			`register: discovered_group_check`

			`- name: "7.2.7 \| AUDIT \| Ensure no duplicate group names exist \| Print warning about users with duplicate group names"`
			`when: discovered_group_check.stdout \| length > 0`
			`ansible.builtin.debug:`
			`msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}"`

			`- name: "7.2.7 \| AUDIT \| Ensure no duplicate group names exist \| Set warning count"`
			`when: discovered_group_check.stdout \| length > 0`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.8 \| PATCH \| Ensure local interactive user home directories are configured"`
			`when:`
			`- rhel9cis_rule_7_2_8`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- users`
			`- rule_7.2.8`
			`block:`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`- name: "7.2.8 \| PATCH \| Ensure local interactive user home directories are configured \| Create dir if absent" # noqa risky-file-permissions`
section 7 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:10 +01:00			`ansible.builtin.file:`
			`path: "{{ item.dir }}"`
			`state: directory`
			`owner: "{{ item.id }}"`
			`group: "{{ item.gid }}"`
improvements Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-08-07 10:31:31 +01:00			`loop: "{{ rhel9cis_passwd \| selectattr('uid', '>=', prelim_min_int_uid \| int) \| selectattr('uid', '<=', max_int_uid \| int) \| list }}"`
section 7 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:01:10 +01:00			`loop_control:`
			`label: "{{ item.id }}"`

			`# set default ACLs so the homedir has an effective umask of 0027`
			`- name: "7.2.8 \| PATCH \| Ensure local interactive user home directories are configured \| Set group ACL"`
			`when: not system_is_container`
			`ansible.posix.acl:`
			`path: "{{ item }}"`
			`default: true`
			`etype: group`
			`permissions: rx`
			`state: present`
			`loop: "{{ prelim_interactive_users_home.stdout_lines }}"`

			`- name: "7.2.8 \| PATCH \| Ensure local interactive user home directories are configured \| Set other ACL"`
			`when: not system_is_container`
			`ansible.posix.acl:`
			`path: "{{ item }}"`
			`default: true`
			`etype: other`
			`permissions: 0`
			`state: present`
			`loop: "{{ prelim_interactive_users_home.stdout_lines }}"`

			`- name: "7.2.9 \| PATCH \| Ensure local interactive user dot files access is configured"`
			`when:`
			`- rhel9cis_rule_7_2_9`
			`- rhel9cis_disruption_high`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_7.2.9`
			`- user`
			`- NIST800-53R5_CM-1`
			`- NIST800-53R5_CM-2`
			`- NIST800-53R5_CM-6`
			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_IA-5`
			`vars:`
			`warn_control_id: '7.2.9'`
			`block:`
			`- name: "7.2.9 \| AUDIT \| Ensure local interactive user dot files access is configured \| Check for files"`
			`ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w`
			`changed_when: false`
			`failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]`
			`check_mode: false`
			`register: discovered_homedir_dot_files`

			`- name: "7.2.9 \| AUDIT \| Ensure local interactive user dot files access is configured \| Warning on files found"`
			`when:`
			`- discovered_homedir_dot_files.stdout \| length > 0`
			`- rhel9cis_dotperm_ansiblemanaged`
			`ansible.builtin.debug:`
			`msg:`
			`- "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."`

			`- name: "7.2.9 \| PATCH \| Ensure local interactive user dot files access is configured \| Set warning count"`
			`when:`
			`- discovered_homedir_dot_files.stdout \| length > 0`
			`- rhel9cis_dotperm_ansiblemanaged`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`- name: "7.2.9 \| PATCH \| Ensure local interactive user dot files access is configured \| Changes files if configured"`
			`when:`
			`- discovered_homedir_dot_files.stdout \| length > 0`
			`- rhel9cis_dotperm_ansiblemanaged`
			`ansible.builtin.file:`
			`path: '{{ item }}'`
			`mode: 'go-w'`
			`with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"`