RHEL9-CIS/tasks/section_7/cis_7.2.x.yml

---

- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
  when:
    - rhel9cis_rule_7_2_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.1
    - user_accounts
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.1'
  block:
    - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords"
      ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd
      changed_when: false
      failed_when: false
      register: discovered_nonshadowed_users

    - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings"
      when: discovered_nonshadowed_users.stdout | length > 0
      ansible.builtin.debug:
        msg:
          - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"
          - "{{ discovered_nonshadowed_users.stdout_lines }}"

    - name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count"
      when: discovered_nonshadowed_users.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
  when:
    - rhel9cis_rule_7_2_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_7.2.2
    - user
    - permissions
    - NIST800-53R5_IA-5
  block:
    - name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password"
      ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow
      changed_when: false
      check_mode: false
      register: discovered_empty_password_acct

    - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password"
      when: discovered_empty_password_acct.stdout | length > 0
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
      loop:
        - "{{ discovered_empty_password_acct.stdout_lines }}"

- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
  when:
    - rhel9cis_rule_7_2_3
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.3
    - groups
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.3'
  block:
    - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
      ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_passwd_gid_check

    - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
      when: discovered_passwd_gid_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"

    - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
      when: discovered_passwd_gid_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist"
  when:
    - rhel9cis_rule_7_2_4
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.4
    - user
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.4'
  block:
    - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_user_uid_check

    - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
      when: discovered_user_uid_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"

    - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Set warning count"
      when: discovered_user_uid_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist"
  when:
    - rhel9cis_rule_7_2_5
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.5
    - groups
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.5'
  block:
    - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_user_gid_check

    - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
      when: discovered_user_gid_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"

    - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Set warning count"
      when: discovered_user_gid_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist"
  vars:
    warn_control_id: '7.2.6'
  when:
    - rhel9cis_rule_7_2_6
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.6
    - user
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  block:
    - name: "7.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
      ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_username_check

    - name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
      when: discovered_username_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"

    - name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Set warning count"
      when: discovered_username_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist"
  when:
    - rhel9cis_rule_7_2_7
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.2.7
    - groups
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.7'
  block:
    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
      ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_group_check

    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
      when: discovered_group_check.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! The following group names are duplicates: {{ discovered_group_check.stdout_lines }}"

    - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
      when: discovered_group_check.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured"
  when:
    - rhel9cis_rule_7_2_8
  tags:
    - level1-server
    - level1-workstation
    - patch
    - users
    - rule_7.2.8
  block:
    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"  # noqa risky-file-permissions
      ansible.builtin.file:
        path: "{{ item.dir }}"
        state: directory
        owner: "{{ item.id }}"
        group: "{{ item.gid }}"
      loop: "{{ prelim_captured_passwd_data | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}"
      loop_control:
        label: "{{ item.id }}"

    # set default ACLs so the homedir has an effective umask of 0027
    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set group ACL"
      when: not system_is_container
      ansible.posix.acl:
        path: "{{ item }}"
        default: true
        etype: group
        permissions: rx
        state: present
      loop: "{{ prelim_interactive_users | map(attribute='home') | list }}"

    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL"
      when: not system_is_container
      ansible.posix.acl:
        path: "{{ item }}"
        default: true
        etype: other
        permissions: 0
        state: present
      loop: "{{ prelim_interactive_users | map(attribute='home') | list }}"

- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured"
  when:
    - rhel9cis_rule_7_2_9
    - rhel9cis_disruption_high
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_7.2.9
    - user
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
  vars:
    warn_control_id: '7.2.9'
  block:
    - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
      ansible.builtin.shell: find {{ prelim_interactive_users_home.stdout_lines | list | join(' ') }} -name "\.*" -type f
      changed_when: false
      failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ]
      check_mode: false
      register: discovered_homedir_hidden_files

    - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
      when:
        - discovered_homedir_hidden_files.stdout | length > 0
        - not rhel9cis_dotperm_ansiblemanaged
      ansible.builtin.debug:
        msg:
          - "Warning!! Please investigate that hidden files found in users home directories match control requirements."

    - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Set warning count"
      when:
        - discovered_homedir_hidden_files.stdout | length > 0
        - not rhel9cis_dotperm_ansiblemanaged
      ansible.builtin.import_tasks:
        file: warning_facts.yml

    - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
      when:
        - discovered_homedir_hidden_files.stdout | length > 0
        - rhel9cis_dotperm_ansiblemanaged
      block:
        - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history & .netrc"
          when:
            - discovered_homedir_hidden_files.stdout | length > 0
            - item | basename in ['.bash_history','.netrc']
          ansible.builtin.file:
            path: "{{ item }}"
            mode: 'u-x,go-rwx'
          failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
          register: discovered_dot_bash_history_to_change
          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"

        - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
          ansible.builtin.file:
            path: '{{ item }}'
            mode: 'u-x,go-wx'
          failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
          register: discovered_dot_bash_history_to_change
          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"

        - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files ownerships"
          ansible.builtin.file:
            path: "{{ item }}"
            owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
            group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
          failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
          register: discovered_dot_bash_history_to_change
          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"

        - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
          ansible.builtin.file:
            path: '{{ item }}'
            mode: 'go-w'
            owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
            group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
          with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"

        - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | rename .forward or .rhosts files"
          when:
            - item | basename in ['.forward','.rhosts']
            - item is not search ("CIS")
          ansible.builtin.command: "mv {{ item }} {{ item }}_CIS_TOBEREVIEWED"
          changed_when: true
          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"