From 3df7334cda626f842efa80a370257b349f04e961 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 11 Nov 2024 16:04:14 +0000
Subject: [PATCH 1/3] improved mount idempotence
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.2.1.x.yml | 2 +-
 tasks/section_1/cis_1.1.2.4.x.yml | 2 +-
 tasks/section_1/cis_1.1.2.5.x.yml | 2 +-
 tasks/section_1/cis_1.1.2.6.x.yml | 2 +-
 tasks/section_1/cis_1.1.2.7.x.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml
index d64c3a7..5683cde 100644
--- a/tasks/section_1/cis_1.1.2.1.x.yml
+++ b/tasks/section_1/cis_1.1.2.1.x.yml
@@ -33,7 +33,7 @@
 src: "{{ item.device }}"
 fstype: "{{ item.fstype }}"
 state: present
- opts: defaults,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %}
+ opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}"
 notify: Remount tmp
 loop: "{{ ansible_facts.mounts }}"
 loop_control:
diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml
index d2e4aa8..0aa4fa2 100644
--- a/tasks/section_1/cis_1.1.2.4.x.yml
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
@@ -45,7 +45,7 @@
 src: "{{ item.device }}"
 fstype: "{{ item.fstype }}"
 state: present
- opts: defaults,{% if rhel9cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4_3 %}nosuid{% endif %}
+ opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nosuid{% endif %}"
 loop: "{{ ansible_facts.mounts }}"
 loop_control:
 label: "{{ item.device }}"
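Review bot: The `'nodev' not in item.options` test on the added opts line (and the nosuid/noexec ones) is a substring match against the comma-separated option string that ansible_facts.mounts reports, not a membership test of one option, so any option whose name happens to contain those letters would suppress the hardening flag being appended. Splitting on commas makes the check exact: `{% if ('nodev' not in item.options.split(',') and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}`, and likewise for the nosuid and noexec branches. The same construction is used in the cis_1.1.2.4, cis_1.1.2.5, cis_1.1.2.6 and cis_1.1.2.7 hunks of this patch. A one-line comment above opts would also help the next reader, since the rendered value now starts from whatever the live mount reports instead of `defaults,`: `# carry the live mount options forward and append only the hardening flags that are missing`. The mount task this line belongs to starts before the hunk.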
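Review bot: On the added opts line in cis_1.1.2.4.x.yml the nosuid branch is gated on `rhel9cis_rule_1_1_2_4_2`, whereas the removed line gated it on `rhel9cis_rule_1_1_2_4_3` and the nodev branch on the same line already consumes `_4_2`; as written, toggling rule 1.1.2.4.3 has no effect and nosuid follows the nodev rule instead. Change the condition to `{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4_3) %},nosuid{% endif %}`. The other four mount hunks in this patch keep the per-rule variables paired correctly, so only this file is affected; the enclosing task starts before the hunk.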
diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml
index a09d46d..449bc8b 100644
--- a/tasks/section_1/cis_1.1.2.5.x.yml
+++ b/tasks/section_1/cis_1.1.2.5.x.yml
@@ -49,7 +49,7 @@
 src: "{{ item.device }}"
 fstype: "{{ item.fstype }}"
 state: present
- opts: defaults,{% if rhel9cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_5_4 %}noexec{% endif %}
+ opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_5_4) %},noexec{% endif %}"
 loop: "{{ ansible_facts.mounts }}"
 loop_control:
 label: "{{ item.device }}"
diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml
index d6e2c56..c45da55 100644
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@@ -47,7 +47,7 @@
 src: "{{ item.device }}"
 fstype: "{{ item.fstype }}"
 state: present
- opts: defaults,{% if rhel9cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_6_4 %}noexec{% endif %}
+ opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_6_4) %},noexec{% endif %}"
 loop: "{{ ansible_facts.mounts }}"
 loop_control:
 label: "{{ item.device }}"
diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml
index 4e21461..4a8f67c 100644
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@@ -47,7 +47,7 @@
 src: "{{ item.device }}"
 fstype: "{{ item.fstype }}"
 state: present
- opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %}
+ opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_7_4) %},noexec{% endif %}"
 loop: "{{ ansible_facts.mounts }}"
 loop_control:
 label: "{{ item.device }}"
From 44b712fdf90f4941d369fdb3ec8b4a72a495c616 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 11 Nov 2024 16:06:29 +0000
Subject: [PATCH 2/3] improved gpg regex
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.2.1.x.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml
index d5ea30f..dca12b0 100644
--- a/tasks/section_1/cis_1.2.1.x.yml
+++ b/tasks/section_1/cis_1.2.1.x.yml
@@ -53,7 +53,7 @@
 - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
 ansible.builtin.replace:
 name: "{{ item.path }}"
- regexp: "^gpgcheck=0"
+ regexp: ^gpgcheck\s*=\s*0
 replace: "gpgcheck=1"
 loop: "{{ discovered_yum_repos.files }}"
 loop_control:
@@ -87,7 +87,7 @@
 - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
 ansible.builtin.replace:
 path: "{{ item.path }}"
- regexp: '^repo_gpgcheck( |)=( |)0'
+ regexp: ^repo_gpgcheck\s*=s*0
 replace: repo_gpgcheck=1
 loop: "{{ discovered_repo_files.files }}"
 loop_control:
From f02a9d442fe74762cba84891de0f393090dfe9a2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 11 Nov 2024 17:35:12 +0000
Subject: [PATCH 3/3] added system account enhancement 5.4.2.7 thanks to @Thulium-Drake
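Review bot: The added `regexp: ^gpgcheck\s*=\s*0` is now a plain (unquoted) scalar while the line it replaces and the neighbouring `replace: "gpgcheck=1"` are quoted; it parses correctly today because `^` and `\` carry no YAML meaning, but a regex is exactly the kind of value where a later edit that begins with `*`, `[` or `{` or contains `: ` would be read as YAML syntax rather than as a pattern, and single quotes also make it explicit that the backslashes are literal. Suggest `regexp: '^gpgcheck\s*=\s*0'`, matching the quoting the second hunk in this file used before this patch. The task continues past the end of the hunk.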
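Review bot: The added pattern `^repo_gpgcheck\s*=s*0` in the second hunk is missing the backslash before the second `s`, so `s*` matches a run of literal letters rather than whitespace; a repo file written as `repo_gpgcheck = 0` (which the removed `( |)=( |)0` pattern did match) is no longer rewritten and the control silently fails to apply. The companion gpgcheck regex earlier in this file has the escape, so this is a typo rather than intent. Use `regexp: '^repo_gpgcheck\s*=\s*0'`. The task continues past the end of the hunk.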
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 5 +++++
 tasks/section_5/cis_5.4.2.x.yml | 1 +
 2 files changed, 6 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 4e07349..e210596 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -992,6 +992,11 @@ rhel9cis_futurepwchgdate_autofix: true
 # 5.4.2.x
 rhel9cis_root_umask: '0027' # 0027 or more restrictive
+## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
+# The system users on this list are allowed to have a shell (e.g. applications
+# that require a shell to function)
+rhel9cis_system_users_shell: []
+
 ## Control 5.4.3.2 - Configuring user shell timeout
 # This dictionary is related to ensuring the rule about user shell timeout
 # This variable represents the amount of seconds a command or process is allowed to
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
index 4d75928..2cf378c 100644
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@@ -199,6 +199,7 @@
 when:
 - rhel9cis_rule_5_4_2_7
 - "item.id not in prelim_interactive_usernames.stdout"
+ - item.id not in rhel9cis_system_users_shell
 - "'root' not in item.id"
 - rhel9cis_disruption_high
 tags:
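Review bot: The comment above the added `rhel9cis_system_users_shell: []` does not say how entries are matched; the consumer added in tasks/section_5/cis_5.4.2.x.yml tests `item.id not in rhel9cis_system_users_shell`, which is exact list membership, so globs or partial names will not match, and the value must stay a list because a bare string would turn that test into a substring check. Since every entry is an exemption from a hardening control, the defaults file is where an operator will look for the rules, so suggest extending the comment with `# Entries are exact account names (no globs) and must be given as a list; each listed account is exempted from the nologin shell enforced by 5.4.2.7.` Keeping the default empty is the right choice; the exemptions then appear only as an explicit, reviewable override.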