updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_6/cis_6.1.x.yml

@@ -1,30 +1,30 @@
 ---
 
-- name: "6.1.1 | L2 | AUDIT | Audit system file permissions"
+- name: "6.1.1 | AUDIT | Audit system file permissions"
   block:
-      - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages"
+      - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages"
         shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
         args:
-            warn: false
+            warn: no
         changed_when: false
         failed_when: false
         register: rhel9cis_6_1_1_packages_rpm
 
-      - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Create list and warning"
+      - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning"
         block:
-            - name: "6.1.1 | L2 | Audit system file permissions | Add file discrepancy list to system"
+            - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system"
               copy:
                   dest: "{{ rhel9cis_rpm_audit_file }}"
                   content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}"
 
-            - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
+            - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
               debug:
                   msg: |
                      "Warning! You have some package descrepancies issues.
                       The file list can be found in {{ rhel9cis_rpm_audit_file }}"
         when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0
 
-      - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out no package descrepancies"
+      - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies"
         debug:
             msg: "Good News! There are no package descrepancies"
         when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0
@@ -33,26 +33,32 @@
   tags:
       - level2-server
       - level2-workstation
+      - manual
       - audit
+      - permissions
       - rule_6.1.1
 
-- name: "6.1.2 | L1 | PATCH | Ensure permissions on /etc/passwd are configured"
-  file:
-      dest: /etc/passwd
-      owner: root
-      group: root
-      mode: 0644
+- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories"
+  shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
+  args:
+      warn: no
+  changed_when: false
+  failed_when: false
   when:
       - rhel9cis_rule_6_1_2
   tags:
+      - skip_ansible_lint
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_6.1.2
+      - stickybits
+      - permissons
+      - rule_1.1.21
 
-- name: "6.1.3 | L1 | PATCH | Ensure permissions on /etc/passwd- are configured"
+- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured"
   file:
-      dest: /etc/passwd-
+      dest: /etc/passwd
       owner: root
       group: root
       mode: 0644
@@ -61,10 +67,12 @@
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - permissions
       - rule_6.1.3
 
-- name: "6.1.4 | L1 | PATCH | Ensure permissions on /etc/shadow are configured"
+- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured"
   file:
       dest: /etc/shadow
       owner: root
@@ -75,24 +83,28 @@
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - permissions
       - rule_6.1.4
 
-- name: "6.1.5 | L1 | PATCH | Ensure permissions on /etc/shadow- are configured"
+- name: "6.1.5 | PATCH |  Ensure permissions on /etc/group are configured"
   file:
-      dest: /etc/shadow-
+      dest: /etc/group-
       owner: root
       group: root
-      mode: 0000
+      mode: 0644
   when:
       - rhel9cis_rule_6_1_5
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - permissions
       - rule_6.1.5
 
-- name: "6.1.6 | L1 | PATCH | Ensure permissions on /etc/gshadow are configured"
+- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured"
   file:
       dest: /etc/gshadow
       owner: root
@@ -103,38 +115,44 @@
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - permissions
       - rule_6.1.6
 
-- name: "6.1.7 | L1 | PATCH | Ensure permissions on /etc/gshadow- are configured"
+- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured"
   file:
-      dest: /etc/gshadow-
+      dest: /etc/passwd-
       owner: root
       group: root
-      mode: 0000
+      mode: 0644
   when:
       - rhel9cis_rule_6_1_7
   tags:
       - level1-server
       - level1-workstation
+      - autoamted
       - patch
+      - permissions
       - rule_6.1.7
 
-- name: "6.1.8 | L1 | PATCH |  Ensure permissions on /etc/group are configured"
+- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
   file:
-      dest: /etc/group-
+      dest: /etc/shadow-
       owner: root
       group: root
-      mode: 0644
+      mode: 0000
   when:
-      - rhel9cis_rule_6_1_8
+      - rhel9cis_rule_6_1_6
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_6.1.8
+      - permissions
+      - rule_6.1.6
 
-- name: "6.1.9 | L1 | PATCH | Ensure permissions on /etc/group- are configured"
+- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured"
   file:
       dest: /etc/group-
       owner: root
@@ -145,87 +163,78 @@
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - permissionss
       - rule_6.1.9
 
-- name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist"
-  block:
-      - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
-        shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
-        args:
-            warn: false
-        failed_when: false
-        changed_when: false
-        register: rhel_09_6_1_10_perms_results
-
-      - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist"
-        debug:
-            msg: "Good news! We have not found any world-writable files on your system"
-        when:
-            - rhel_09_6_1_10_perms_results.stdout is not defined
-
-      - name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
-        file:
-            path: '{{ item }}'
-            mode: o-w
-            state: touch
-        with_items: "{{ rhel_09_6_1_10_perms_results.stdout_lines }}"
-        when:
-            - rhel_09_6_1_10_perms_results.stdout_lines is defined
-            - rhel9cis_no_world_write_adjust
+- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured"
+  file:
+      dest: /etc/gshadow-
+      owner: root
+      group: root
+      mode: 0000
   when:
       - rhel9cis_rule_6_1_10
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - permissions
       - rule_6.1.10
 
-- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist"
+- name: "6.1.11 | PATCH | Ensure no world writable files exist"
   block:
-      - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
-        shell: find "{{ item.mount }}" -xdev -nouser
-        args:
-            warn: false
-        check_mode: false
+      - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
+        shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
         failed_when: false
         changed_when: false
-        with_items: "{{ ansible_mounts }}"
-        register: rhel_09_6_1_11_audit
-        when: item['device'].startswith('/dev') and not 'bind' in item['options']
+        register: rhel_08_6_1_11_perms_results
 
-      - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
+      - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist"
         debug:
-            msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
-        with_items: "{{ rhel_09_6_1_11_audit.results }}"
+            msg: "Good news! We have not found any world-writable files on your system"
         when:
-            - item.stdout_lines is defined
-            - item.stdout_lines | length > 0
+            - rhel_08_6_1_11_perms_results.stdout is not defined
+
+      - name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
+        file:
+            path: '{{ item }}'
+            mode: o-w
+            state: touch
+        with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}"
+        when:
+            - rhel_08_6_1_11_perms_results.stdout_lines is defined
+            - rhel9cis_no_world_write_adjust
   when:
       - rhel9cis_rule_6_1_11
   tags:
       - level1-server
       - level1-workstation
-      - audit
+      - automated
+      - patch
+      - files
+      - permissions
       - rule_6.1.11
 
-- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist"
+- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist"
   block:
-      - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
-        shell: find "{{ item.mount }}" -xdev -nogroup
-        args:
-            warn: false
-        check_mode: false
-        failed_when: false
+      - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
+        command: find "{{ item.mount }}" -xdev -nouser
         changed_when: false
-        register: rhel_09_6_1_12_audit
+        failed_when: false
+        check_mode: false
+        register: rhel_08_6_1_12_audit
         with_items: "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
         when: item['device'].startswith('/dev') and not 'bind' in item['options']
 
-      - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
+      - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
         debug:
-            msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
-        with_items: "{{ rhel_09_6_1_12_audit.results }}"
+            msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
+        with_items: "{{ rhel_08_6_1_12_audit.results }}"
         when:
             - item.stdout_lines is defined
             - item.stdout_lines | length > 0
@@ -234,71 +243,109 @@
   tags:
       - level1-server
       - level1-workstation
-      - patch
+      - automated
+      - audit
+      - files
+      - permissions
       - rule_6.1.12
 
-- name: "6.1.13 | L1 | AUDIT | Audit SUID executables"
+- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist"
   block:
-      - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables"
-        shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
-        args:
-            warn: false
+      - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
+        command: find "{{ item.mount }}" -xdev -nogroup
+        check_mode: false
         failed_when: false
         changed_when: false
-        register: rhel_09_6_1_13_perms_results
+        register: rhel_08_6_1_13_audit
         with_items: "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
+        when: item['device'].startswith('/dev') and not 'bind' in item['options']
 
-      - name: "6.1.13 | L1 | AUDIT | Audit SUID executables |  Alert no SUID executables exist"
+      - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
         debug:
-            msg: "Good news! We have not found any SUID executable files on your system"
-        failed_when: false
-        changed_when: false
+            msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
+        with_items: "{{ rhel_08_6_1_13_audit.results }}"
         when:
-            - rhel_09_6_1_13_perms_results.stdout is not defined
-
-      - name: "6.1.13 | L1 | AUDIT | Audit SUID executables |  Alert SUID executables exist"
-        debug:
-            msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
-        with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}"
-        when:
-            - rhel_09_6_1_13_perms_results.stdout is defined
+            - item.stdout_lines is defined
+            - item.stdout_lines | length > 0
   when:
       - rhel9cis_rule_6_1_13
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - audit
+      - files
+      - permissions
       - rule_6.1.13
 
-- name: "6.1.14 | L1 | AUDIT | Audit SGID executables"
+- name: "6.1.14 | AUDIT | Audit SUID executables"
   block:
-      - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables"
-        shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
-        args:
-            warn: false
+      - name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables"
+        shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
         failed_when: false
         changed_when: false
-        register: rhel_09_6_1_14_perms_results
+        register: rhel_08_6_1_14_perms_results
         with_items: "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
 
-      - name: "6.1.14 | L1 | AUDIT | Audit SGID executables |  Alert no SGID executables exist"
+      - name: "6.1.14 | AUDIT | Audit SUID executables |  Alert no SUID executables exist"
         debug:
-            msg: "Good news! We have not found any SGID executable files on your system"
+            msg: "Good news! We have not found any SUID executable files on your system"
         failed_when: false
         changed_when: false
         when:
-            - rhel_09_6_1_14_perms_results.stdout is not defined
+            - rhel_08_6_1_14_perms_results.stdout is not defined
 
-      - name: "6.1.14 | L1 | AUDIT | Audit SGID executables |  Alert SGID executables exist"
+      - name: "6.1.14 | AUDIT | Audit SUID executables |  Alert SUID executables exist"
         debug:
-            msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
-        with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}"
+            msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
+        with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}"
         when:
-            - rhel_09_6_1_14_perms_results.stdout is defined
+            - rhel_08_6_1_14_perms_results.stdout is defined
   when:
       - rhel9cis_rule_6_1_14
   tags:
       - level1-server
       - level1-workstation
-      - patch
+      - manual
+      - audit
+      - files
       - rule_6.1.14
+
+- name: "6.1.15 | AUDIT | Audit SGID executables"
+  block:
+      - name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables"
+        shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
+        failed_when: false
+        changed_when: false
+        register: rhel_08_6_1_15_perms_results
+        with_items: "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
+
+      - name: "6.1.15 | AUDIT | Audit SGID executables |  Alert no SGID executables exist"
+        debug:
+            msg: "Good news! We have not found any SGID executable files on your system"
+        failed_when: false
+        changed_when: false
+        when:
+            - rhel_08_6_1_15_perms_results.stdout is not defined
+
+      - name: "6.1.15 | AUDIT | Audit SGID executables |  Alert SGID executables exist"
+        debug:
+            msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}"
+        with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}"
+        when:
+            - rhel_08_6_1_15_perms_results.stdout is defined
+  when:
+      - rhel9cis_rule_6_1_15
+  tags:
+      - level1-server
+      - level1-workstation
+      - manual
+      - audit
+      - files
+      - rule_6.1.15

tasks/section_6/cis_6.2.x.yml

@@ -1,9 +1,7 @@
 ---
 
-- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty"
-  shell: passwd -l {{ item }}
-  args:
-      warn: false
+- name: "6.2.1 | PATCH | Ensure password fields are not empty"
+  command: passwd -l {{ item }}
   changed_when: false
   failed_when: false
   with_items: "{{ empty_password_accounts.stdout_lines }}"
@@ -13,177 +11,268 @@
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - accounts
       - rule_6.2.1
 
-- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
-  shell: sed -i '/^+/ d' /etc/passwd
-  args:
-      warn: false
-  changed_when: false
-  failed_when: false
+
+- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
+  block:
+      - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
+        shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
+        changed_when: false
+        failed_when: false
+        check_mode: false
+        register: rhel9cis_6_2_2_passwd_gid_check
+
+      - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
+        debug:
+            msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
+        when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined
+
+      - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
+        debug:
+            msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
+        when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined
   when:
       - rhel9cis_rule_6_2_2
   tags:
       - level1-server
       - level1-workstation
-      - patch
+      - automated
+      - audit
+      - accounts
+      - groups
       - rule_6.2.2
-      - skip_ansible_lint
 
-- name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity"
+- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist"
   block:
-      - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value"
+      - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
+        shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
+        changed_when: false
+        failed_when: false
+        register: rhel9cis_6_2_3_user_uid_check
+
+      - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
+        debug:
+            msg: "Good News! There are no duplicate UID's in the system"
+        when: rhel9cis_6_2_3_user_uid_check.stdout is not defined
+
+      - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
+        debug:
+            msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
+        when: rhel9cis_6_2_3_user_uid_check.stdout is defined
+  when:
+      - rhel9cis_rule_6_2_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - audit
+      - accounts
+      - users
+      - rule_6.2.3
+
+- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist"
+  block:
+      - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
+        shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
+        changed_when: false
+        failed_when: false
+        register: rhel9cis_6_2_4_user_user_check
+
+      - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
+        debug:
+            msg: "Good News! There are no duplicate GIDs in the system"
+        when: rhel9cis_6_2_4_user_user_check.stdout is not defined
+
+      - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
+        debug:
+            msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
+        when: rhel9cis_6_2_4_user_user_check.stdout is defined
+  when:
+      - rhel9cis_rule_6_2_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - audit
+      - accounts
+      - groups
+      - rule_6.2.4
+
+- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist"
+  block:
+      - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
+        shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
+        changed_when: false
+        failed_when: false
+        register: rhel9cis_6_2_5_user_username_check
+
+      - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
+        debug:
+            msg: "Good News! There are no duplicate user names in the system"
+        when: rhel9cis_6_2_5_user_username_check.stdout is not defined
+
+      - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
+        debug:
+            msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
+        when: rhel9cis_6_2_5_user_username_check.stdout is defined
+  when:
+      - rhel9cis_rule_6_2_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - audit
+      - accounts
+      - users
+      - rule_6.2.5
+
+- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist"
+  block:
+      - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
+        shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_6_2_6_group_group_check
+
+      - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
+        debug:
+            msg: "Good News! There are no duplicate group names in the system"
+        when: rhel9cis_6_2_6_group_group_check.stdout is defined
+
+      - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
+        debug:
+            msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
+        when: rhel9cis_6_2_6_group_group_check.stdout is not defined
+  when:
+      - rhel9cis_rule_6_2_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - audit
+      - accounts
+      - groups
+      - rule_6.2.6
+
+- name: "6.2.7 | PATCH | Ensure root PATH Integrity"
+  block:
+      - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value"
         shell: 'echo $PATH | grep ::'
-        args:
-            warn: false
-        check_mode: false
-        register: path_colon
         changed_when: False
-        failed_when: path_colon.rc == 0
+        failed_when: rhel9cis_6_2_7_path_colon.rc == 0
+        check_mode: no
+        register: rhel9cis_6_2_7_path_colon
 
-      - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end"
+      - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end"
         shell: 'echo $PATH | grep :$'
-        args:
-            warn: false
-        check_mode: false
-        register: path_colon_end
         changed_when: False
-        failed_when: path_colon_end.rc == 0
+        failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0
+        check_mode: no
+        register: rhel9cis_6_2_7_path_colon_end
 
-      - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
+      - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
         shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
-        args:
-            warn: false
-        check_mode: false
-        register: dot_in_path
         changed_when: False
-        failed_when: '"." in dot_in_path.stdout_lines'
+        failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines'
+        check_mode: no
+        register: rhel9cis_6_2_7_dot_in_path
 
-      - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
+      - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
         debug:
             msg:
-                - "The following paths have an empty value: {{ path_colon.stdout_lines }}"
-                - "The following paths have colon end: {{ path_colon_end.stdout_lines }}"
-                - "The following paths have a dot in the path: {{ dot_in_path.stdout_lines }}"
+                - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}"
+                - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}"
+                - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
 
-      - name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner"
+      - name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner"
         file: >
           path='{{ item }}'
           follow=yes
           state=directory
           owner=root
           mode='o-w,g-w'
-        with_items: "{{ dot_in_path.stdout_lines }}"
+        with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
   when:
-      - rhel9cis_rule_6_2_3
+      - rhel9cis_rule_6_2_7
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_6.2.3
+      - paths
+      - rule_6.2.7
 
-- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
-  shell: sed -i '/^+/ d' /etc/shadow
-  args:
-      warn: false
+- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account"
+  command: passwd -l {{ item }}
   changed_when: false
   failed_when: false
+  with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}"
   when:
-      - rhel9cis_rule_6_2_4
+      - rhel9cis_uid_zero_accounts_except_root.rc
+      - rhel9cis_rule_6_2_8
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_6.2.4
-      - skip_ansible_lint
+      - accounts
+      - users
+      - rule_6.2.8
 
-- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
-  shell: sed -i '/^+/ d' /etc/group
-  args:
-      warn: false
-  changed_when: false
-  failed_when: false
-  when:
-      - rhel9cis_rule_6_2_5
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.5
-      - skip_ansible_lint
-
-- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account"
-  shell: passwd -l {{ item }}
-  args:
-      warn: false
-  changed_when: false
-  failed_when: false
-  with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
-  when:
-      - uid_zero_accounts_except_root.rc
-      - rhel9cis_rule_6_2_6
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.6
-
-- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
+- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
   block:
-      - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
+      - name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
         stat:
             path: "{{ item }}"
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
-        register: rhel_09_6_2_7_audit
+        register: rhel_08_6_2_9_audit
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
 
-      - debug:
-          var: rhel_09_6_2_7_audit
-
-      - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
-        shell: find -H {{ item.0 | quote }} -not -type l -perm /027
-        args:
-            warn: false
+      - name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
+        command: find -H {{ item.0 | quote }} -not -type l -perm /027
         check_mode: false
-        changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0
-        register: rhel_09_6_2_7_patch_audit
+        changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0
+        register: rhel_08_6_2_9_patch_audit
         when:
             - ansible_check_mode
             - item.1.exists
         with_together:
-            - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}"
-            - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}"
+            - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
+            - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
         loop_control:
             label: "{{ item.0 }}"
 
-      - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
+      - name: "6.2.9 | PATCH | Ensure all users' home directories exist"
         file:
             path: "{{ item.0 }}"
-            recurse: true
+            recurse: yes
             mode: a-st,g-w,o-rwx
-        register: rhel_09_6_2_7_patch
+        register: rhel_08_6_2_9_patch
         when:
             - not ansible_check_mode
             - item.1.exists
         with_together:
-            - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}"
-            - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}"
+            - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
+            - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
         loop_control:
             label: "{{ item.0 }}"
 
       # set default ACLs so the homedir has an effective umask of 0027
-      - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
+      - name: "6.2.9 | PATCH | Ensure all users' home directories exist"
         acl:
             path: "{{ item.0 }}"
-            default: true
+            default: yes
             state: present
-            recursive: true
+            recursive: yes
             etype: "{{ item.1.etype }}"
             permissions: "{{ item.1.mode }}"
-        when: 
-            - not system_is_container
+        when: not rhel9cis_system_is_container
         with_nested:
-            - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results |
+            - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
               rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
             -
                 - etype: group
@@ -191,14 +280,17 @@
                 - etype: other
                   mode: '0'
   when:
-      - rhel9cis_rule_6_2_7
+      - rhel9cis_rule_6_2_9
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_6.2.7
+      - users
+      - rule_6.2.9
 
-- name: "6.2.8 | L1 | PATCH | Ensure users own their home directories"
+
+- name: "6.2.10 | PATCH | Ensure users own their home directories"
   file:
       path: "{{ item.dir }}"
       owner: "{{ item.id }}"
@@ -207,348 +299,66 @@
   loop_control:
       label: "{{ rhel9cis_passwd_label }}"
   when:
-      - min_int_uid | int >= item.uid
-      - rhel9cis_rule_6_2_8
+      - item.uid >= rhel9cis_int_gid
+      - rhel9cis_rule_6_2_10
   tags:
       - skip_ansible_lint  # settings found on 6_2_7
       - level1-server
       - level1-workstation
+      - autoamted
       - patch
-      - rule_6.2.8
-
-- name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable"
-  block:
-      - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
-        shell: find /home/ -name "\.*" -perm /g+w,o+w
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        register: rhel9cis_6_2_9_audit
-
-      - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found"
-        debug:
-            msg: "Good news! We have not found any group or world-writable dot files on your sytem"
-        when:
-            - rhel9cis_6_2_9_audit.stdout is not defined
-
-      - name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured"
-        file:
-            path: '{{ item }}'
-            mode: go-w
-        with_items: "{{ rhel9cis_6_2_9_audit.stdout_lines }}"
-        when:
-            - rhel9cis_6_2_9_audit.stdout is defined
-            - rhel9cis_dotperm_ansiblemanaged
-  when:
-      - rhel9cis_rule_6_2_9
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.9
-
-- name: "6.2.10 | L1 | PATCH | Ensure no users have .forward files"
-  file:
-      state: absent
-      dest: "~{{ item }}/.forward"
-  with_items: "{{ users.stdout_lines }}"
-  when:
-      - rhel9cis_rule_6_2_10
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
+      - users
       - rule_6.2.10
 
-- name: "6.2.11 | L1 | PATCH | Ensure no users have .netrc files"
-  file:
-      state: absent
-      dest: "~{{ item }}/.netrc"
-  with_items: "{{ users.stdout_lines }}"
-  when:
-      - rhel9cis_rule_6_2_11
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.11
-
-- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible"
-  shell: /bin/true
-  args:
-      warn: false
-  changed_when: false
-  failed_when: false
-  when:
-      - rhel9cis_rule_6_2_12
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.12
-
-- name: "6.2.13 | L1 | PATCH | Ensure no users have .rhosts files"
-  file:
-      state: absent
-      dest: "~{{ item }}/.rhosts"
-  with_items: "{{ users.stdout_lines }}"
-  when:
-      - rhel9cis_rule_6_2_13
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.13
-
-- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
+- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
   block:
-      - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
-        shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: passwd_gid_check
-
-      - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
-        debug:
-            msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
-        when: passwd_gid_check.stdout is not defined
-
-      - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
-        debug:
-            msg: "WARNING: The following users have non-existent GIDs (Groups): {{ passwd_gid_check.stdout_lines | join (', ') }}"
-        when: passwd_gid_check.stdout is defined
-  when:
-      - rhel9cis_rule_6_2_14
-  tags:
-      - level1-server
-      - level1-workstation
-      - audit
-      - rule_6.2.14
-
-- name: "6.2.15 | L1 | AUDIT Ensure no duplicate UIDs exist"
-  block:
-      - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
-        shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        register: user_uid_check
-
-      - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
-        debug:
-            msg: "Good News! There are no duplicate UID's in the system"
-        when: user_uid_check.stdout is not defined
-
-      - name: "6.2.15 | L1 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
-        debug:
-            msg: "Warning: The following users have UIDs that are duplicates: {{ user_uid_check.stdout_lines }}"
-        when: user_uid_check.stdout is defined
-  when:
-      - rhel9cis_rule_6_2_15
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_6.2.15
-
-- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist"
-  block:
-      - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
-        shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        register: user_user_check
-
-      - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
-        debug:
-            msg: "Good News! There are no duplicate GIDs in the system"
-        when: user_user_check.stdout is not defined
-
-      - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
-        debug:
-            msg: "Warning: The following groups have duplicate GIDs: {{ user_user_check.stdout_lines }}"
-        when: user_user_check.stdout is defined
-  when:
-      - rhel9cis_rule_6_2_16
-  tags:
-      - level1-server
-      - level1-workstation
-      - audit
-      - rule_6.2.16
-
-- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist"
-  block:
-      - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
-        shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        register: user_username_check
-
-      - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
-        debug:
-            msg: "Good News! There are no duplicate user names in the system"
-        when: user_username_check.stdout is not defined
-
-      - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
-        debug:
-            msg: "Warning: The following user names are duplicates: {{ user_username_check.stdout_lines }}"
-        when: user_username_check.stdout is defined
-  when:
-      - rhel9cis_rule_6_2_17
-  tags:
-      - level1-server
-      - level1-workstation
-      - audit
-      - rule_6.2.17
-
-- name: "6.2.18 | L1 | AUDIT |Ensure no duplicate group names exist"
-  block:
-      - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
-        shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: group_group_check
-
-      - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
-        debug:
-            msg: "Good News! There are no duplicate group names in the system"
-        when: group_group_check.stdout is defined
-
-      - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
-        debug:
-            msg: "Warning: The following group names are duplicates: {{ group_group_check.stdout_lines }}"
-        when: group_group_check.stdout is not defined
-  when:
-      - rhel9cis_rule_6_2_18
-  tags:
-      - level1-server
-      - level1-workstation
-      - audit
-      - rule_6.2.18
-
-- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty"
-  block:
-      - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id"
-        shell: "getent group shadow | cut -d: -f3"
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: rhel9cis_shadow_gid
-
-      - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group"
-        shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: rhel9cis_empty_shadow
-
-      - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow"
-        shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'"
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: rhel9cis_shadow_passwd
-
-      - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned"
-        debug:
-            msg:
-                - " Good News! The shadow group is empty and there are no users assigned to shadow"
-        when:
-            - rhel9cis_empty_shadow.stdout | length == 0
-            - rhel9cis_shadow_passwd.stdout | length == 0
-
-      - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is not empty"
-        debug:
-            msg:
-                - "Alert! The shadow group is not empty"
-        when:
-            - rhel9cis_empty_shadow.stdout | length > 0
-
-      - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert users are using shadow group"
-        debug:
-            msg:
-                - "Alert! The following users are assigned to the shadow group, please assing them to the appropriate group"
-                - "{{ rhel9cis_shadow_passwd.stdout_lines }}"
-        when:
-            - rhel9cis_shadow_passwd.stdout | length > 0
-  when:
-      - rhel9cis_rule_6_2_19
-  tags:
-      - level1-server
-      - level1-workstation
-      - audit
-      - rule_6.2.19
-
-- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
-  block:
-      - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
+      - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
         stat:
             path: "{{ item }}"
-        register: rhel_09_6_2_20_audit
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        register: rhel_08_6_2_11_audit
 
-      - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
-        shell: find -H {{ item.0 | quote }} -not -type l -perm /027
-        args:
-            warn: false
+      - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
+        command: find -H {{ item.0 | quote }} -not -type l -perm /027
         check_mode: false
-        changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0
-        register: rhel_09_6_2_20_patch_audit
+        changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0
+        register: rhel_08_6_2_11_patch_audit
         when:
             - ansible_check_mode
             - item.1.exists
         with_together:
-            - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}"
-            - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}"
+            - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
+            - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
         loop_control:
             label: "{{ item.0 }}"
 
-      - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
+      - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
         file:
             path: "{{ item.0 }}"
-            recurse: true
+            recurse: yes
             mode: a-st,g-w,o-rwx
-        register: rhel_09_6_2_20_patch
+        register: rhel_08_6_2_11_patch
         when:
             - not ansible_check_mode
             - item.1.exists
         with_together:
-            - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}"
-            - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}"
+            - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
+            - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
         loop_control:
             label: "{{ item.0 }}"
 
       # set default ACLs so the homedir has an effective umask of 0027
-      - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist"
+      - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
         acl:
             path: "{{ item.0 }}"
-            default: true
+            default: yes
             state: present
-            recursive: true
+            recursive: yes
             etype: "{{ item.1.etype }}"
             permissions: "{{ item.1.mode }}"
-        when: 
-            - not system_is_container
+        when: not rhel9cis_system_is_container
         with_nested:
-            - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results |
+            - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
               rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
             -
                 - etype: group
@@ -556,9 +366,111 @@
                 - etype: other
                   mode: '0'
   when:
-      - rhel9cis_rule_6_2_20
+      - rhel9cis_rule_6_2_11
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_6.2.20
+      - users
+      - permissions
+      - rule_6.2.11
+
+- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable"
+  block:
+      - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
+        shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w
+        changed_when: false
+        failed_when: false
+        register: rhel9cis_6_2_12_audit
+
+      - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found"
+        debug:
+            msg: "Good news! We have not found any group or world-writable dot files on your sytem"
+        when:
+            - rhel9cis_6_2_12_audit.stdout is not defined
+
+      - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured"
+        file:
+            path: '{{ item }}'
+            mode: go-w
+        with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}"
+        when:
+            - rhel9cis_6_2_12_audit.stdout is defined
+            - rhel9cis_dotperm_ansiblemanaged
+  when:
+      - rhel9cis_rule_6_2_12
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - users
+      - permissions
+      - rule_6.2.12
+
+- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible"
+  command: /bin/true
+  changed_when: false
+  failed_when: false
+  when:
+      - rhel9cis_rule_6_2_13
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - users
+      - permissions
+      - notimplemented
+      - rule_6.2.13
+
+- name: "6.2.14 | PATCH | Ensure no users have .forward files"
+  file:
+      state: absent
+      dest: "~{{ item }}/.forward"
+  with_items:
+      - "{{ users.stdout_lines }}"
+  when:
+      - rhel9cis_rule_6_2_14
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - users
+      - files
+      - rule_6.2.14
+
+- name: "6.2.15 | PATCH | Ensure no users have .netrc files"
+  file:
+      state: absent
+      dest: "~{{ item }}/.netrc"
+  with_items:
+      - "{{ users.stdout_lines }}"
+  when:
+      - rhel9cis_rule_6_2_15
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - users
+      - files
+      - rule_6.2.15
+
+- name: "6.2.16 | PATCH | Ensure no users have .rhosts files"
+  file:
+      state: absent
+      dest: "~{{ item }}/.rhosts"
+  with_items: "{{ users.stdout_lines }}"
+  when:
+      - rhel9cis_rule_6_2_16
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - users
+      - files
+      - rule_6.2.16

tasks/section_6/main.yml

@@ -4,4 +4,4 @@
   import_tasks: cis_6.1.x.yml
 
 - name: "SECTION | 6.2 | User and Group Settings"
-  import_tasks: cis_6.2.x.yml
+  import_tasks: cis_6.2.x.yml