sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Addresses #318 - Thank you @kodebach & @bgro

Browse source 
Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
This commit is contained in:
Frederick Witty 2025-06-27 11:12:07 -04:00
parent 16179a658b
commit 23338ccd31
No known key found for this signature in database
GPG key ID: D29987C25A47D813
2 changed files with 9 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

5
tasks/main.yml
View file

@ -101,10 +101,9 @@
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert:
that:
- not prelim_ansible_user_password_set.stdout.startswith("!")
that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
- name: "Check authselect profile is selected"
when: rhel9cis_allow_authselect_updates