From 67c574d8a9a1a35fe53a72b8dad3084f23ee9e2e Mon Sep 17 00:00:00 2001
From: Frederick Witty <frederickw@mindpointgroup.com>
Date: Wed, 10 Sep 2025 12:57:50 -0400
Subject: [PATCH] Updates from Public

Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
---
 Changelog.md                    |  7 +++++++
 defaults/main.yml               |  4 +++-
 tasks/main.yml                  |  4 ++--
 tasks/prelim.yml                |  2 +-
 tasks/section_1/cis_1.4.x.yml   |  1 +
 tasks/section_1/cis_1.6.x.yml   | 13 ++++++++++---
 tasks/section_4/cis_4.3.x.yml   |  2 +-
 tasks/section_5/cis_5.1.x.yml   |  3 +++
 tasks/section_5/cis_5.4.1.x.yml |  3 ++-
 tasks/section_5/cis_5.4.2.x.yml |  4 ++--
 10 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index b25de77..c5870e9 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,13 @@
 
 ## 2.0.3 - Based on CIS v2.0.0
 
+- Thank you @fragglexarmy
+  - addressed Public issue 387
+- Addressed Public issue 382 to improve regex logic on 5.4.2.4
+- Improvement on crypto policy managed controls with var logic
+- Thanks to @polski-g
+  - addressed issue 384
+- update command to shell module on tasks
 - Thanks to @numericillustration
   - Public PR 380
   - systemd_service rolled back to systemd for < ansible 2.14
diff --git a/defaults/main.yml b/defaults/main.yml
index bf40e8f..866a3f1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -569,7 +569,9 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pr
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
 
-## Control 1.6
+## Controls 1.6.x and Controls 5.1.x
+# This variable governs if current Ansible role should manage system-wide crypto policy.
+rhel9cis_crypto_policy_ansiblemanaged: true
 # This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING
 # 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore
 # possible values for this variable are, as explained by RedHat docs:
diff --git a/tasks/main.yml b/tasks/main.yml
index ed2af41..da19416 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -52,7 +52,7 @@
 
 - name: "Check crypto-policy module input"
   when:
-    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansiblemanaged
     - rhel9cis_crypto_policy_module | length > 0
   tags:
     - rule_1.6.1
@@ -132,7 +132,7 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
       changed_when: false
       failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
       register: prelim_root_passwd_set
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 3e2d4cd..c39448b 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -136,7 +136,7 @@
   register: prelim_systemd_coredump
 
 - name: "PRELIM | PATCH | Setup crypto-policy"
-  when: rhel9cis_rule_1_6_1
+  when: rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index c6c3aac..5969dff 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -52,6 +52,7 @@
         - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
           ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
           changed_when: false
+          check_mode: false
           register: discovered_efi_fstab
 
         - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index c418324..6662303 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@@ -1,7 +1,9 @@
 ---
 
 - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
-  when: rhel9cis_rule_1_6_1
+  when:
+    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -21,12 +23,14 @@
   tags:
     - level1-server
     - level1-workstation
+    - sshd
     - automated
     - patch
     - rule_1.6.2
     - NIST800-53R5_SC-8
     - NIST800-53R5_IA-5
-    - NIST800-53R5_AC-17- NIST800-53R5_SC-6
+    - NIST800-53R5_AC-17
+    - NIST800-53R5_SC-6
   ansible.builtin.lineinfile:
     path: /etc/sysconfig/sshd
     regexp: ^CRYPTO_POLICY\s*=
@@ -37,6 +41,7 @@
   when:
     - rhel9cis_rule_1_6_3
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -67,6 +72,7 @@
   when:
     - rhel9cis_rule_1_6_4
     - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -76,7 +82,6 @@
     - rule_1.6.4
     - NIST800-53R5_SC-6
   block:
-
     - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
       ansible.builtin.template:
         src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@@ -98,6 +103,7 @@
   when:
     - rhel9cis_rule_1_6_5
     - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -128,6 +134,7 @@
   when:
     - rhel9cis_rule_1_6_6
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
index 4e23998..4398df2 100644
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@@ -81,7 +81,7 @@
       register: discovered_nftables_inconnectionrule
 
     - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
-      ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
+      ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
       changed_when: false
       failed_when: false
       register: discovered_nftables_outconnectionrule
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index 3fd366c..42ca036 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -80,6 +80,7 @@
   when:
     - rhel9cis_rule_5_1_4
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -108,6 +109,7 @@
   when:
     - rhel9cis_rule_5_1_5
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -136,6 +138,7 @@
   when:
     - rhel9cis_rule_5_1_6
     - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml
index 7fcfb0b..ea6eb11 100644
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@@ -24,6 +24,7 @@
       ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
       changed_when: false
       failed_when: false
+      check_mode: false
       register: discovered_max_days
 
     - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
@@ -64,7 +65,7 @@
         - rhel9cis_force_user_mindays
       ansible.builtin.user:
         name: "{{ item }}"
-        password_expire_max: "{{ rhel9cis_pass_min_days }}"
+        password_expire_min: "{{ rhel9cis_pass_min_days }}"
       loop: "{{ discovered_min_days.stdout_lines }}"
 
 - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
index b3dd7d9..b291cc2 100644
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@@ -139,7 +139,7 @@
       ansible.builtin.stat:
         path: "{{ item }}"
       loop: "{{ discovered_root_paths_split.stdout_lines }}"
-      register: paths_stat
+      register: discovered_root_paths_stat
 
     - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
       ansible.builtin.file:
@@ -148,7 +148,7 @@
         owner: root
         group: root
         mode: 'go-w'
-      loop: "{{ paths_stat.results }}"
+      loop: "{{ discovered_root_paths_stat.results }}"
       when: not item.stat.exists
 
     - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"