Merge pull request #35 from ansible-lockdown/fix_5.2.4

Improved logic for 5.2.4

Changelog.md

@@ -1,11 +1,13 @@
 # Changes to rhel9CIS
 
+## 2.0.2 - Based on CIS v2.0.0
 
-## Based on CIS v2.0.0
+- Update to audit_only to allow fetching results
-
+- resolved false warning for fetch audit
-Update to audit_only to allow fetching results
+- fix root user check
-resolved false warning for fetch audit
+- Improved documentation and variable compilation for crypto policies
-Improved documentation and variable compilation for crypto policies
+- Addresses #318 - Thank you @kodebach & @bgro
+  - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check tasks/main.yml
 
 ## 2.0.1 - Based on CIS v2.0.0
 

site.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Apply ansible-lockdown hardening
-  hosts: all
+  hosts: "{{ hosts | default('all') }}"
   become: true
   roles:
     - role: "{{ playbook_dir }}"

tasks/main.yml

@@ -99,9 +99,9 @@
 
         - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
           ansible.builtin.assert:
-            that: not prelim_ansible_user_password_set.stdout.startswith("!")
+            that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
-            success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
+            success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
 
 - name: "Check authselect profile is selected"
   when: rhel9cis_allow_authselect_updates