RHEL9-CIS/tasks/section_5/main.yml

---

# Access, Authentication, and Authorization

- name: "SECTION | 5.1 | Configure time-based job schedulers"
  ansible.builtin.import_tasks:
      file: cis_5.1.x.yml

- name: "SECTION | 5.2 | Configure SSH Server"
  ansible.builtin.import_tasks:
      file: cis_5.2.x.yml
  when:
      - "'openssh-server' in ansible_facts.packages"

- name: "SECTION | 5.3 | Configure privilege escalation"
  ansible.builtin.import_tasks:
      file: cis_5.3.x.yml

- name: "SECTION | 5.4 | Configure authselect"
  ansible.builtin.import_tasks:
      file: cis_5.4.x.yml

- name: "SECTION | 5.5 | Configure PAM | not authselect"
  ansible.builtin.import_tasks:
      file: cis_5.5.x.yml
  when: not rhel9cis_authselect_custom_profile_select

- name: "SECTION | 5.5 | Configure PAM | authselect"
  ansible.builtin.import_tasks:
      file: cis_5.5.x_authselect.yml
  when: rhel9cis_authselect_custom_profile_select

- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
  ansible.builtin.import_tasks:
      file: cis_5.6.1.x.yml

- name: "SECTION | 5.6.x | Misc. User Account Settings"
  ansible.builtin.import_tasks:
      file: cis_5.6.x.yml
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`

updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`# Access, Authentication, and Authorization`

Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`- name: "SECTION \| 5.1 \| Configure time-based job schedulers"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.1.x.yml`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
			`- name: "SECTION \| 5.2 \| Configure SSH Server"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.2.x.yml`
Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on handlers Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial container ignore Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and containder discovery Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic on auditd task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tags and crypto logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * distro update for rocky Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * system_is_container updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ssh pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logrotate pkg check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * logic in container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up crypto step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added missing tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * container vars file now a variable Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added uid discovery and usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Updated OS checks and conditionals Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed empty become Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * change audit to include task Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Added OS_specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated import/include Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * OS Specific vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changed_when Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed UID logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed reboot var Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * changed skip_reboot var name Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * masked only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed CentOS Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-02-02 11:25:03 +00:00			`when:`
			`- "'openssh-server' in ansible_facts.packages"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "SECTION \| 5.3 \| Configure privilege escalation"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.3.x.yml`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "SECTION \| 5.4 \| Configure authselect"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.4.x.yml`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
Address #191 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-06-05 09:46:14 +01:00			`- name: "SECTION \| 5.5 \| Configure PAM \| not authselect"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.5.x.yml`
Address #191 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-06-05 09:46:14 +01:00			`when: not rhel9cis_authselect_custom_profile_select`

			`- name: "SECTION \| 5.5 \| Configure PAM \| authselect"`
			`ansible.builtin.import_tasks:`
			`file: cis_5.5.x_authselect.yml`
			`when: rhel9cis_authselect_custom_profile_select`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "SECTION \| 5.6.1.x \| Shadow Password Suite Parameters"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.6.1.x.yml`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "SECTION \| 5.6.x \| Misc. User Account Settings"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:55 +01:00			`ansible.builtin.import_tasks:`
			`file: cis_5.6.x.yml`