From 8cdf5b517af2e1bb62376355872f0d0ab9832c54 Mon Sep 17 00:00:00 2001
From: Bernd Grobauer
Date: Tue, 22 Jul 2025 11:25:48 +0200
Subject: [PATCH] Fixing pre-check for 5.2.4: allow sudo user without password if the user is configured in the exceptions for 5.2.4

Signed-off-by: Bernd Grobauer
---
 tasks/main.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 460acc8..82d20ee 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -93,11 +93,14 @@
   block:
     - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
       ansible.builtin.assert:
-        that:
-          - prelim_ansible_user_password_set.stdout | length != 0
-          - prelim_ansible_user_password_set.stdout != "!!"
+        that: |
+          (
+            ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
+            or
+            (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
+          )
         fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
-        success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
+        success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
 
     - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
       ansible.builtin.assert:
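Review bot: The unchanged `fail_msg` still reports only that the user has no password set, although the new `that: |` block also passes when the user appears in `rhel9cis_sudoers_exclude_nopasswd_list`, so an operator who trips this assert is not told that the exception list is the intended remedy; change it to `fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set and is not in rhel9cis_sudoers_exclude_nopasswd_list - It can break access"`. Jinja's `in` is a membership test only when the right-hand side is a list; if a consumer overrides the variable with a plain string it becomes a substring match and `bob` would be accepted for `bobby`, so the role defaults should define it as a list (presumably they do, but that file is not in this patch) or the expression should add `rhel9cis_sudoers_exclude_nopasswd_list is not string`. A one-line comment above `that: |`, e.g. `# A sudo user without a password is tolerated only when rule 5.2.4 will keep that user NOPASSWD via the exclusion list`, would record why the pre-check is relaxed. The stray space in `"!!" ))` and the doubled parentheses around the first operand are noise; `(prelim_ansible_user_password_set.stdout | length != 0 and prelim_ansible_user_password_set.stdout != "!!")` reads the same. The enclosing block starts before this hunk.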