RHEL9-CIS/tasks/section_5/cis_5.3.x.yml

---

- name: "5.3.1 | PATCH | Ensure sudo is installed"
  ansible.builtin.package:
      name: sudo
      state: present
  when:
      - rhel9cis_rule_5_3_1
  tags:
      - level1-server
      - level1-workstation
      - patch
      - sudo
      - rule_5.3.1

- name: "5.3.2 | PATCH | Ensure sudo commands use pty"
  ansible.builtin.lineinfile:
      path: /etc/sudoers
      line: "Defaults    use_pty"
      validate: '/usr/sbin/visudo -cf %s'
  when:
      - rhel9cis_rule_5_3_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - sudo
      - rule_5.3.2

- name: "5.3.3 | PATCH | Ensure sudo log file exists"
  ansible.builtin.lineinfile:
      path: /etc/sudoers
      regexp: '^Defaults    logfile='
      line: 'Defaults    logfile="{{ rhel9cis_sudolog_location }}"'
      validate: '/usr/sbin/visudo -cf %s'
  when:
      - rhel9cis_rule_5_3_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - sudo
      - rule_5.3.3

- name: "5.3.4 | PATCH | Ensure users must provide password for escalation"
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
      replace: '\1PASSWD\2'
      validate: '/usr/sbin/visudo -cf %s'
  loop: "{{ rhel9cis_sudoers_files.stdout_lines }}"
  when:
      - rhel9cis_rule_5_3_4
  tags:
      - level2-server
      - level2-workstation
      - patch
      - sudo
      - rule_5.3.4

- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#].*)!authenticate(.*)'
      replace: '\1authenticate\2'
      validate: '/usr/sbin/visudo -cf %s'
  loop: "{{ rhel9cis_sudoers_files.stdout_lines }}"
  when:
      - rhel9cis_rule_5_3_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - sudo
      - rule_5.3.5

- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
  block:
      - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
        ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
        changed_when: false
        failed_when: false
        register: rhel9cis_5_3_6_timeout_files

      - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
        ansible.builtin.lineinfile:
            path: /etc/sudoers
            regexp: 'Defaults timestamp_timeout='
            line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
            validate: '/usr/sbin/visudo -cf %s'
        when: rhel9cis_5_3_6_timeout_files.stdout | length == 0

      - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
        ansible.builtin.replace:
            path: "{{ item }}"
            regexp: 'timestamp_timeout=(\d+)'
            replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
            validate: '/usr/sbin/visudo -cf %s'
        loop: "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}"
        when: rhel9cis_5_3_6_timeout_files.stdout | length > 0
  when:
      - rhel9cis_rule_5_3_6
  tags:
      - level1-server
      - level1-workstation
      - patch
      - sudo
      - rule_5.3.6

- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
  block:

      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
        ansible.builtin.group:
            name: "{{ rhel9cis_sugroup }}"
            state: present
        register: rhel9cis_5_3_7_sugroup

      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
        ansible.builtin.lineinfile:
            path: /etc/group
            regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
            line: '{{ rhel9cis_sugroup }}\g<1>'
            backrefs: true

      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
            line: 'auth           required        pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
  when:
      - rhel9cis_rule_5_3_7
  tags:
      - level1-server
      - level1-workstation
      - patch
      - sudo
      - rule_5.3.7