Fixing pre-check for 5.2.4: allow sudo user without password if the user is configured in the exceptions for 5.2.4

Signed-off-by: Bernd Grobauer <bernd.grobauer@siemens.com>
Bernd Grobauer 2025-07-22 11:25:48 +02:00
parent feb183553c
commit 8cdf5b517a


@ -93,11 +93,14 @@
block: block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert: ansible.builtin.assert:
that: that: |
- prelim_ansible_user_password_set.stdout | length != 0 (
- prelim_ansible_user_password_set.stdout != "!!" ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
or
(ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
)
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert: ansible.builtin.assert: