--- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled" when: rhel9cis_rule_2_4_1_1 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.1.1 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.service: name: crond enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" when: rhel9cis_rule_2_4_1_2 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.1.2 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/crontab owner: root group: root mode: 'og-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" when: rhel9cis_rule_2_4_1_3 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.hourly state: directory owner: root group: root mode: 'og-rwx' - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" when: rhel9cis_rule_2_4_1_4 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.1.4 ansible.builtin.file: path: /etc/cron.daily state: directory owner: root group: root mode: 'og-rwx' - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" when: rhel9cis_rule_2_4_1_5 tags: - level1-server - level1-workstation - patch - rule_2.4.1.5 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.weekly state: directory owner: root group: root mode: 'og-rwx' - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" when: rhel9cis_rule_2_4_1_6 tags: - level1-server - level1-workstation - patch - rule_2.4.1.6 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.monthly state: directory owner: root group: root mode: 'og-rwx' - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" when: rhel9cis_rule_2_4_1_7 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.1.7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.d state: directory owner: root group: root mode: 'og-rwx' - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users" when: rhel9cis_rule_2_4_1_8 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.1.8 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 block: - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny" ansible.builtin.file: path: /etc/cron.deny state: absent - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists" ansible.builtin.stat: path: "/etc/cron.allow" register: discovered_cron_allow_state - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 'u-x,g-wx,o-rwx' - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" when: rhel9cis_rule_2_4_2_1 tags: - level1-server - level1-workstation - patch - cron - rule_2.4.2.1 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 block: - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: path: /etc/at.deny state: absent - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" ansible.builtin.stat: path: "/etc/at.allow" register: discovered_at_allow_state - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: path: /etc/at.allow state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 'u-x,g-wx,o-rwx'