From c9071b361dbfb78e350d54493bc3ab3b98f51ea3 Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Wed, 10 Apr 2024 07:51:31 +0100
Subject: [PATCH] moved audit added discoveries

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/prelim.yml | 67 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 48 insertions(+), 19 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index f58ad01..0d7fccc 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -2,6 +2,54 @@
 
 # Preliminary tasks that should always be run
 # List users in order to look files inside each home directory
+
+- name: Include audit specific variables
+  when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - setup_audit
+      - run_audit
+  ansible.builtin.include_vars: audit.yml
+
+- name: Include pre-remediation audit tasks
+  when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - run_audit
+  ansible.builtin.import_tasks: pre_remediation_audit.yml
+
+- name: "PRELIM | AUDIT | Interactive Users"
+  tags:
+      - always
+  ansible.builtin.shell: >
+      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }'
+  changed_when: false
+  register: discovered_interactive_usernames
+
+- name: "PRELIM | AUDIT | Interactive User accounts home directories"
+  tags:
+      - always
+  ansible.builtin.shell: >
+      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
+  changed_when: false
+  register: discovered_interactive_users_home
+
+- name: "PRELIM | AUDIT | Interactive UIDs"
+  tags:
+      - always
+  ansible.builtin.shell: >
+      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
+  changed_when: false
+  register: discovered_interactive_uids
+
+- name: "PRELIM | capture /etc/password variables"
+  ansible.builtin.include_tasks:
+      file: parse_etc_password.yml
+  tags:
+      - always
+
 - name: "PRELIM | List users accounts"
   ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
   changed_when: false
@@ -12,25 +60,6 @@
       - level1-workstation
       - users
 
-- name: "PRELIM | capture /etc/password variables"
-  ansible.builtin.include_tasks: parse_etc_password.yml
-  tags:
-      - rule_5.5.2
-      - rule_5.6.2
-      - rule_6.2.9
-      - rule_6.2.10
-      - rule_6.2.11
-      - rhel9cis_section5
-      - rhel9cis_section6
-      - level1-server
-
-- name: "PRELIM | Interactive User accounts"
-  ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6'
-  changed_when: false
-  register: interactive_users_home
-  tags:
-      - always
-
 - name: "PRELIM | Gather accounts with empty password fields"
   ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
   changed_when: false