---

- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled"
  service:
      name: crond
      enabled: yes
  when:
      - rhel9cis_rule_5_1_1
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.1

- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured"
  file:
      dest: /etc/crontab
      owner: root
      group: root
      mode: 0600
  when:
      - rhel9cis_rule_5_1_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.2

- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
  file:
      dest: /etc/cron.hourly
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - rhel9cis_rule_5_1_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.3

- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured"
  file:
      dest: /etc/cron.daily
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - rhel9cis_rule_5_1_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.4

- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
  file:
      dest: /etc/cron.weekly
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - rhel9cis_rule_5_1_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.5

- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
  file:
      dest: /etc/cron.monthly
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - rhel9cis_rule_5_1_6
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.6

- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured"
  file:
      dest: /etc/cron.d
      state: directory
      owner: root
      group: root
      mode: 0700
  when:
      - rhel9cis_rule_5_1_7
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.7

- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users"
  block:
      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny"
        file:
            dest: /etc/at.deny
            state: absent

      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists"
        stat:
            path: "/etc/at.allow"
        register: p

      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users"
        file:
            dest: /etc/at.allow
            state: '{{ "file" if  p.stat.exists else "touch" }}'
            owner: root
            group: root
            mode: 0600

      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny"
        file:
            dest: /etc/cron.deny
            state: absent

      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists"
        stat:
            path: "/etc/cron.allow"
        register: p

      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
        file:
            dest: /etc/cron.allow
            state: '{{ "file" if  p.stat.exists else "touch" }}'
            owner: root
            group: root
            mode: 0600
  when:
      - rhel9cis_rule_5_1_8
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.1.8