RHEL9-CIS/tasks/section_5/cis_5.6.x.yml

---

- name: "5.6.2 | PATCH | Ensure system accounts are secured"
  block:
      - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
        ansible.builtin.user:
            name: "{{ item.id }}"
            shell: /usr/sbin/nologin
        loop: "{{ rhel9cis_passwd }}"
        when:
            - item.id != "root"
            - item.id != "sync"
            - item.id != "shutdown"
            - item.id != "halt"
            - item.id != "nfsnobody"
            - item.uid < min_int_uid | int
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
        loop_control:
            label: "{{ item.id }}"

      - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
        ansible.builtin.user:
            name: "{{ item.id }}"
            password_lock: true
        loop: "{{ rhel9cis_passwd }}"
        when:
            - item.id != "halt"
            - item.id != "shutdown"
            - item.id != "sync"
            - item.id != "root"
            - item.id != "nfsnobody"
            - item.uid < min_int_uid | int
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
        loop_control:
            label: "{{ item.id }}"
  when:
      - rhel9cis_rule_5_6_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - accounts
      - rule_5.6.2

- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  ansible.builtin.blockinfile:
      path: "{{ item.path }}"
      state: "{{ item.state }}"
      marker: "# {mark} - CIS benchmark - Ansible-lockdown"
      create: true
      mode: '0644'
      block: |
        TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
        export TMOUT
        readonly TMOUT
  loop:
      - { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
      - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
  when:
      - rhel9cis_rule_5_6_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - accounts
      - rule_5.6.3

- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
  ansible.builtin.user:
      name: root
      group: 0
  when:
      - rhel9cis_rule_5_6_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - accounts
      - rule_5.6.4

- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
        ansible.builtin.lineinfile:
            path: "{{ item.path }}"
            regexp: '(?i)(umask\s*)'
            line: '{{ item.line }} 027'
        with_items:
            - { path: '/etc/bashrc', line: 'umask' }
            - { path: '/etc/profile', line: 'umask' }
            - { path: '/etc/login.defs', line: 'UMASK' }

      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
        ansible.builtin.lineinfile:
            path: /etc/login.defs
            regexp: '^USERGROUPS_ENAB'
            line: USERGROUPS_ENAB no

  when:
      - rhel9cis_rule_5_6_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - accounts
      - rule_5.6.5

- name: "5.6.6 | PATCH | Ensure root password is set"
  ansible.builtin.debug:
      msg: "The root password has been set as per the assert in early stages"
  when:
      - rhel9cis_rule_5_6_6
  tags:
      - level1-server
      - level1-workstation
      - patch
      - accounts
      - root
      - rule_5.6.6