---

- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured"
  block:
      - name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin"
        user:
            name: "{{ item.id }}"
            shell: /usr/sbin/nologin
        with_items:
            - "{{ rhel9cis_passwd }}"
        when:
            - item.id != "root"
            - item.id != "sync"
            - item.id != "shutdown"
            - item.id != "halt"
            - item.gid < rhel9cis_int_gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"

      - name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts"
        user:
            name: "{{ item.id }}"
            password_lock: true
        with_items:
            - "{{ rhel9cis_passwd }}"
        when:
            - item.id != "halt"
            - item.id != "shutdown"
            - item.id != "sync"
            - item.id != "root"
            - item.gid < rhel9cis_int_gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
  when:
      - rhel9cis_rule_5_5_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.2

- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  blockinfile:
      create: yes
      mode: 0644
      dest: "{{ item.dest }}"
      state: "{{ item.state }}"
      marker: "# {mark} ANSIBLE MANAGED"
      block: |
        # Set session timeout - CIS ID RHEL-09-5.4.5
        TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
        export TMOUT
        readonly TMOUT
  with_items:
      - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
      - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
  when:
      - rhel9cis_rule_5_5_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.3

- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
  command: usermod -g 0 root
  changed_when: false
  failed_when: false
  when:
      - rhel9cis_rule_5_5_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.4

- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
      - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
        replace:
            path: /etc/bashrc
            regexp: '(^\s+umask) 0[012][0-6]'
            replace: '\1 027'

      - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
        replace:
            path: /etc/profile
            regexp: '(^\s+umask) 0[012][0-6]'
            replace: '\1 027'
  when:
      - rhel9cis_rule_5_5_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.5.5