updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-03-30 16:18:11 +01:00 · 2022-03-30 16:18:11 +01:00 · c6caa90059
commit c6caa90059
parent 398bc5bd0c
36 changed files with 2584 additions and 2078 deletions
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -1,18 +1,20 @@
 ---

- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled"
+- name: "5.1.1 | PATCH | Ensure cron daemon is enabled"
  service:
      name: crond
-      enabled: true
+      enabled: yes
  when:
      - rhel9cis_rule_5_1_1
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.1

- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured"
+- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
  file:
      dest: /etc/crontab
      owner: root
@ -23,10 +25,12 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.2

- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
+- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
  file:
      dest: /etc/cron.hourly
      state: directory
@ -38,10 +42,12 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.3

- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured"
+- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
  file:
      dest: /etc/cron.daily
      state: directory
@ -53,10 +59,12 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.4

- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
+- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
  file:
      dest: /etc/cron.weekly
      state: directory
@ -71,7 +79,7 @@
      - patch
      - rule_5.1.5

- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
+- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
  file:
      dest: /etc/cron.monthly
      state: directory
@ -83,10 +91,11 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
      - rule_5.1.6

- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured"
+- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
  file:
      dest: /etc/cron.d
      state: directory
@ -98,43 +107,27 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.7

- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users"
+- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users"
  block:
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny"
-        file:
-            dest: /etc/at.deny
-            state: absent
-
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists"
-        stat:
-            path: "/etc/at.allow"
-        register: p
-
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users"
-        file:
-            dest: /etc/at.allow
-            state: '{{ "file" if  p.stat.exists else "touch" }}'
-            owner: root
-            group: root
-            mode: 0600
-
-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny"
+      - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
        file:
            dest: /etc/cron.deny
            state: absent

-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists"
+      - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists"
        stat:
            path: "/etc/cron.allow"
-        register: p
+        register: rhel9cis_5_1_8_cron_allow_state

-      - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
+      - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
        file:
            dest: /etc/cron.allow
-            state: '{{ "file" if  p.stat.exists else "touch" }}'
+            state: '{{ "file" if  rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
            owner: root
            group: root
            mode: 0600
@ -143,5 +136,36 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - cron
      - rule_5.1.8
+
+- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users"
+  block:
+      - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
+        file:
+            dest: /etc/at.deny
+            state: absent
+
+      - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users  | Check if at.allow exists"
+        stat:
+            path: "/etc/at.allow"
+        register: rhel9cis_5_1_9_at_allow_state
+
+      - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
+        file:
+            dest: /etc/at.allow
+            state: '{{ "file" if  rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
+            owner: root
+            group: root
+            mode: 0600
+  when:
+      - rhel9cis_rule_5_1_9
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - cron
+      - rule_5.1.9
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -1,6 +1,6 @@
 ---

- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
+- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
  file:
      dest: /etc/ssh/sshd_config
      state: file
@ -12,12 +12,76 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
+      - permissions
      - rule_5.2.1

- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited"
+- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured"
  block:
-      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
+      - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
+        find:
+            paths: /etc/ssh
+            patterns: 'ssh_host_*_key'
+            recurse: true
+            file_type: any
+        register: rhel9cis_5_2_2_ssh_private_host_key
+
+      - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
+        file:
+            path: "{{ item.path }}"
+            owner: root
+            group: root
+            mode: 0600
+        with_items:
+            - "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}"
+        loop_control:
+            label: "{{ item.path }}"
+  when:
+      - rhel9cis_rule_5_2_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - ssh
+      - permissions
+      - rule_5.2.2
+
+- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured"
+  block:
+      - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
+        find:
+            paths: /etc/ssh
+            patterns: 'ssh_host_*_key.pub'
+            recurse: true
+            file_type: any
+        register: rhel9cis_5_2_3_ssh_public_host_key
+
+      - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
+        file:
+            path: "{{ item.path }}"
+            owner: root
+            group: root
+            mode: 0644
+        with_items:
+            - "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}"
+        loop_control:
+            label: "{{ item.path }}"
+  when:
+      - rhel9cis_rule_5_2_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - ssh
+      - rule_5.2.3
+
+- name: "5.2.4 | PATCH | Ensure SSH access is limited"
+  block:
+      - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
@ -26,7 +90,7 @@
        notify: restart sshd
        when: "rhel9cis_sshd['allowusers']|default('') | length > 0"

-      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
+      - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
@ -35,7 +99,7 @@
        notify: restart sshd
        when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"

-      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
+      - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
@ -44,7 +108,7 @@
        notify: restart sshd
        when: "rhel9cis_sshd['denyusers']|default('') | length > 0"

-      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
+      - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
@ -52,67 +116,17 @@
            line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
        notify: restart sshd
        when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
-  when:
-      - rhel9cis_rule_5_2_2
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.2.2
-
- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured"
-  block:
-      - name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
-        find:
-            paths: /etc/ssh
-            patterns: 'ssh_host_*_key'
-            recurse: true
-            file_type: any
-        register: rhel9cis_5_2_3_ssh_private_host_key
-
-      - name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
-        file:
-            path: "{{ item.path }}"
-            owner: root
-            group: root
-            mode: 0600
-        with_items:
-            - "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}"
-  when:
-      - rhel9cis_rule_5_2_3
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.2.3
-
- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured"
-  block:
-      - name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
-        find:
-            paths: /etc/ssh
-            patterns: 'ssh_host_*_key.pub'
-            recurse: true
-            file_type: any
-        register: rhel9cis_5_2_4_ssh_public_host_key
-
-      - name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
-        file:
-            path: "{{ item.path }}"
-            owner: root
-            group: root
-            mode: 0644
-        with_items:
-            - "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}"
  when:
      - rhel9cis_rule_5_2_4
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
      - rule_5.2.4

- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate"
+- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
@ -123,145 +137,155 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - sshs
      - rule_5.2.5

- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled"
+- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
-      regexp: "^#X11Forwarding|^X11Forwarding"
-      line: 'X11Forwarding no'
+      regexp: "^#UsePAM|^UsePAM"
+      line: 'UsePAM yes'
  when:
      - rhel9cis_rule_5_2_6
  tags:
-      - level2-server
+      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
      - rule_5.2.6

- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
-  lineinfile:
-      state: present
-      dest: /etc/ssh/sshd_config
-      regexp: '^(#)?MaxAuthTries \d'
-      line: 'MaxAuthTries 4'
-  when:
-      - rhel9cis_rule_5_2_7
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.2.7
-
- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled"
-  lineinfile:
-      state: present
-      dest: /etc/ssh/sshd_config
-      regexp: "^#IgnoreRhosts|^IgnoreRhosts"
-      line: 'IgnoreRhosts yes'
-  when:
-      - rhel9cis_rule_5_2_8
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.2.8
-
- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
-  lineinfile:
-      state: present
-      dest: /etc/ssh/sshd_config
-      regexp: ^#HostbasedAuthentication|^HostbasedAuthentication"
-      line: 'HostbasedAuthentication no'
-  when:
-      - rhel9cis_rule_5_2_9
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.2.9
-
- name: "5.2.10 | L1 | PATCH | Ensure SSH root login is disabled"
+- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitRootLogin|^PermitRootLogin"
      line: 'PermitRootLogin no'
  when:
-      - rhel9cis_rule_5_2_10
+      - rhel9cis_rule_5_2_7
  tags:
      - level1-server
      - level1-workstation
+      - autoamted
      - patch
-      - rule_5.2.10
+      - ssh
+      - rule_5.2.7

- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
+- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: ^#HostbasedAuthentication|^HostbasedAuthentication"
+      line: 'HostbasedAuthentication no'
+  when:
+      - rhel9cis_rule_5_2_8
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - ssh
+      - rule_5.2.8
+
+- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
      line: 'PermitEmptyPasswords no'
  when:
-      - rhel9cis_rule_5_2_11
+      - rhel9cis_rule_5_2_9
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
-      - rule_5.2.11
+      - ssh
+      - rule_5.2.9

- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
+- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
      line: 'PermitUserEnvironment no'
  when:
-      - rhel9cis_rule_5_2_12
+      - rhel9cis_rule_5_2_10
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
-      - rule_5.2.12
+      - ssh
+      - rule_5.2.10

- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured"
-  block:
-      - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
-        lineinfile:
-            state: present
-            dest: /etc/ssh/sshd_config
-            regexp: '^ClientAliveInterval'
-            line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
-
-      - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
-        lineinfile:
-            state: present
-            dest: /etc/ssh/sshd_config
-            regexp: '^ClientAliveCountMax'
-            line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
-  when:
-      - rhel9cis_rule_5_2_13
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.2.13
-
- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
+- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
-      regexp: "^#LoginGraceTime|^LoginGraceTime"
-      line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
+      regexp: "^#IgnoreRhosts|^IgnoreRhosts"
+      line: 'IgnoreRhosts yes'
+  when:
+      - rhel9cis_rule_5_2_11
+  tags:
+      - level1-server
+      - level1-workstation
+      - autoamted
+      - patch
+      - ssh
+      - rule_5.2.11
+
+- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#X11Forwarding|^X11Forwarding"
+      line: 'X11Forwarding no'
+  when:
+      - rhel9cis_rule_5_2_12
+  tags:
+      - level2-server
+      - level1-workstation
+      - autoamted
+      - patch
+      - ssh
+      - rule_5.2.12
+
+- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
+      line: 'AllowTcpForwarding no'
+  when:
+      - rhel9cis_rule_5_2_13
+  tags:
+      - level2-server
+      - level2-workstation
+      - autoamted
+      - patch
+      - ssh
+      - rule_5.2.13
+
+- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
+  shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
+  args:
+      warn: no
+  notify: restart sshd
  when:
      - rhel9cis_rule_5_2_14
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
      - rule_5.2.14

- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured"
+- name: "5.2.15  | PATCH | Ensure SSH warning banner is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
@ -272,74 +296,96 @@
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
      - rule_5.2.15

- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled"
+- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
-      regexp: "^#UsePAM|^UsePAM"
-      line: 'UsePAM yes'
+      regexp: '^(#)?MaxAuthTries \d'
+      line: 'MaxAuthTries 4'
  when:
      - rhel9cis_rule_5_2_16
  tags:
      - level1-server
      - level1-workstation
+      - autoamted
      - patch
+      - ssh
      - rule_5.2.16

- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
-  lineinfile:
-      state: present
-      dest: /etc/ssh/sshd_config
-      regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
-      line: 'AllowTcpForwarding no'
-  when:
-      - rhel9cis_rule_5_2_17
-  tags:
-      - level2-server
-      - level2-workstation
-      - patch
-      - rule_5.2.17
-
- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured"
+- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#MaxStartups|^MaxStartups"
      line: 'MaxStartups 10:30:60'
  when:
-      - rhel9cis_rule_5_2_18
+      - rhel9cis_rule_5_2_17
  tags:
      - level1-server
      - level1-workstation
+      - autoamted
      - patch
-      - rule_5.2.18
+      - ssh
+      - rule_5.2.17

- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less"
+- name: "5.2.18  | PATCH | Ensure SSH MaxSessions is set to 10 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#MaxSessions|^MaxSessions"
      line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
+  when:
+      - rhel9cis_rule_5_2_18
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - ssh
+      - rule_5.2.18
+
+- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#LoginGraceTime|^LoginGraceTime"
+      line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
  when:
      - rhel9cis_rule_5_2_19
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
      - rule_5.2.19

- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden"
-  shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
-  args:
-      warn: false
-  notify: restart sshd
+- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured"
+  block:
+      - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: '^ClientAliveInterval'
+            line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
+
+      - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: '^ClientAliveCountMax'
+            line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
  when:
      - rhel9cis_rule_5_2_20
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
+      - ssh
      - rule_5.2.20
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@ -1,94 +1,138 @@
 ---

- name: "5.3.1 | L1 | PATCH | Create custom authselect profile"
-  block:
-      - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles"
-        shell: 'authselect current | grep "Profile ID: custom/"'
-        args:
-            warn: false
-        failed_when: false
-        changed_when: false
-        check_mode: false
-        register: rhel9cis_5_3_1_profiles
-
-      - name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles"
-        debug:
-            msg:
-                - "Below are the current custom profiles"
-                - "{{ rhel9cis_5_3_1_profiles.stdout_lines }}"
-
-      - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles"
-        shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
-        args:
-            warn: false
-        when: rhel9cis_authselect_custom_profile_create
+- name: "5.3.1 | PATCH | Ensure sudo is installed"
+  package:
+      name: sudo
+      state: present
  when:
      - rhel9cis_rule_5_3_1
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
-      - authselect
+      - sudo
      - rule_5.3.1

- name: "5.3.2 | L1 | PATCH | Select authselect profile"
-  block:
-      - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features"
-        shell: "authselect current"
-        args:
-            warn: false
-        failed_when: false
-        changed_when: false
-        check_mode: false
-        register: rhel9cis_5_3_2_profiles
-
-      - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles"
-        debug:
-            msg:
-                - "Below are the current custom profiles"
-                - "{{ rhel9cis_5_3_2_profiles.stdout_lines }}"
-
-      - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles"
-        shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}"
-        args:
-            warn: false
-        when: rhel9cis_authselect_custom_profile_select
+- name: "5.3.2 | PATCH | Ensure sudo commands use pty"
+  lineinfile:
+      dest: /etc/sudoers
+      line: "Defaults    use_pty"
+      state: present
  when:
      - rhel9cis_rule_5_3_2
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
-      - authselect
+      - sudo
      - rule_5.3.2

- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock"
-  block:
-      - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
-        shell: "authselect current | grep with-faillock"
-        args:
-            warn: false
-        failed_when: false
-        changed_when: false
-        check_mode: false
-        register: rhel9cis_5_3_3_profiles_faillock
-
-      - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
-        debug:
-            msg:
-                - "Below are the current custom profiles"
-                - "{{ rhel9cis_5_3_3_profiles_faillock.stdout_lines }}"
-
-      - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
-        shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
-        args:
-            warn: false
-        when: rhel9cis_authselect_custom_profile_select
+- name: "5.3.3 | PATCH | Ensure sudo log file exists"
+  lineinfile:
+      dest: /etc/sudoers
+      regexp: '^Defaults    logfile='
+      line: 'Defaults    logfile="{{ rhel9cis_varlog_location }}"'
+      state: present
  when:
      - rhel9cis_rule_5_3_3
  tags:
      - level1-server
      - level1-workstation
+      - automated
      - patch
-      - authselect
+      - sudo
      - rule_5.3.3
+
+- name: "5.3.4 | PATCH | Ensure users must provide password for escalation"
+  replace:
+      path: "{{ item }}"
+      regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
+      replace: '\1PASSWD\2'
+  with_items:
+      - "{{ rhel9cis_sudoers_files.stdout_lines }}"
+  when:
+      - rhel9cis_rule_5_3_4
+  tags:
+      - level2-server
+      - level2-workstation
+      - automated
+      - patch
+      - sudo
+      - rule_5.3.4
+
+- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
+  replace:
+      path: "{{ item }}"
+      regexp: '^([^#].*)!authenticate(.*)'
+      replace: '\1authenticate\2'
+  with_items:
+      - "{{ rhel9cis_sudoers_files.stdout_lines }}"
+  when:
+      - rhel9cis_rule_5_3_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - sudo
+      - rule_5.3.5
+
+- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
+  block:
+      - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
+        shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
+        changed_when: false
+        failed_when: false
+        register: rhel9cis_5_3_6_timeout_files
+
+      - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
+        lineinfile:
+            path: /etc/sudoers
+            regexp: 'Defaults timestamp_timeout='
+            line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
+            validate: '/usr/sbin/visudo -cf %s'
+        when: rhel9cis_5_3_6_timeout_files.stdout | length == 0
+
+      - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
+        replace:
+            path: "{{ item }}"
+            regexp: 'timestamp_timeout=(\d+)'
+            replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
+            validate: '/usr/sbin/visudo -cf %s'
+        with_items:
+            - "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}"
+        when: rhel9cis_5_3_6_timeout_files.stdout | length > 0
+  when:
+      - rhel9cis_rule_5_3_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - sudo
+      - rule_5.3.6
+
+- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
+  block:
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
+        lineinfile:
+            state: present
+            dest: /etc/pam.d/su
+            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
+            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
+        user:
+            name: "{{ rhel9cis_sugroup_users }}"
+            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
+  when:
+      - rhel9cis_rule_5_3_7
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - sudo
+      - rule_5.3.7
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@ -1,131 +1,61 @@
 ---

- name: |
-    "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
-     5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
-     5.4.3 | L1 | PATCH | Ensure password reuse is limited
-     5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
+- name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
  block:
-      - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
-        lineinfile:
-            state: present
-            dest: /etc/security/pwquality.conf
-            regexp: ^{{ item.name }}
-            line: "{{ item.name }} = {{ item.value }}"
-        with_items:
-            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
-            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
-        when: rhel9cis_rule_5_4_1
+      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
+        shell: 'authselect current | grep "Profile ID: custom/"'
+        failed_when: false
+        changed_when: false
+        check_mode: no
+        register: rhel9cis_5_4_1_profiles

-      - name: |
-          "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings
-           5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings"
-        lineinfile:
-            dest: /etc/pam.d/system-auth
-            state: present
-            regexp: '^password    requisite                                    pam_pwquality.so'
-            line: "password    requisite                                    pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
-            insertbefore: '^#?password ?'
-        when:
-            - rhel9cis_rule_5_4_1 or
-              rhel9cis_rule_5_4_3
+      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
+        debug:
+            msg:
+                - "Below are the current custom profiles"
+                - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"

-      - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
-        lineinfile:
-            dest: /etc/pam.d/password-auth
-            state: present
-            regexp: '^password    requisite                                    pam_pwquality.so'
-            line: "password    requisite                                    pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
-            insertbefore: '^#?password ?'
-        when: rhel9cis_rule_5_4_1
-
-      - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth"
-        lineinfile:
-            dest: /etc/pam.d/{{ item }}
-            state: present
-            regexp: '^auth        required                                     pam_faillock.so preauth'
-            line: "auth        required                                     pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
-            insertafter: '^#?auth ?'
-        with_items:
-            - "system-auth"
-            - "password-auth"
-        when: rhel9cis_rule_5_4_2
-
-      - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail"
-        lineinfile:
-            dest: /etc/pam.d/{{ item }}
-            state: present
-            regexp: '^auth        required                                     pam_faillock.so authfail'
-            line: "auth        required                                     pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
-            insertafter: '^#?auth ?'
-        with_items:
-            - "system-auth"
-            - "password-auth"
-        when: rhel9cis_rule_5_4_2
-
-      - name: |
-           "5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings
-            5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
-        lineinfile:
-            dest: /etc/pam.d/system-auth
-            state: present
-            regexp: '^password    sufficient                                   pam_unix.so'
-            line: "password    sufficient                                   pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}"
-            insertafter: '^#?password ?'
-        when:
-            - rhel9cis_rule_5_4_3 or
-              rhel9cis_rule_5_4_4
-
-      - name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings"
-        lineinfile:
-            dest: /etc/pam.d/password-auth
-            state: present
-            regexp: '^password    sufficient                                   pam_unix.so'
-            line: "password    sufficient                                   pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok"
-            insertafter: '^#?password ?'
-        when: rhel9cis_rule_5_4_4
-
-      # The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services
-      # With the steps below you will score five (5) points lower due to false positive results
-      - name: |
-           "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
-            5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
-            5.4.3 | L1 | PATCH | Ensure password reuse is limited
-            5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
-        copy:
-            src: /etc/pam.d/{{ item }}
-            dest: /etc/pam.d/{{ item }}-local
-            remote_src: true
-            owner: root
-            group: root
-            mode: '0644'
-        with_items:
-            - "system-auth"
-            - "password-auth"
-
-      - name: |
-           "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured
-            5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured
-            5.4.3 | L1 | PATCH | Ensure password reuse is limited
-            5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512"
-        file:
-            src: /etc/pam.d/{{ item }}-local
-            dest: /etc/pam.d/{{ item }}
-            state: link
-            force: true
-        with_items:
-            - "system-auth"
-            - "password-auth"
+      - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
+        shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
+        args:
+            warn: no
+        when: rhel9cis_authselect_custom_profile_create
  when:
-      - rhel9cis_rule_5_4_1 or
-        rhel9cis_rule_5_4_2 or
-        rhel9cis_rule_5_4_3 or
-        rhel9cis_rule_5_4_4
+      - rhel9cis_rule_5_4_1
  tags:
      - level1-server
      - level1-workstation
+      - manual
      - patch
+      - authselect
      - rule_5.4.1
+
+- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock"
+  block:
+      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
+        shell: "authselect current | grep with-faillock"
+        failed_when: false
+        changed_when: false
+        check_mode: no
+        register: rhel9cis_5_4_2_profiles_faillock
+
+      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles"
+        debug:
+            msg:
+                - "Below are the current custom profiles"
+                - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"
+
+      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
+        shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
+        args:
+            warn: no
+        when: rhel9cis_authselect_custom_profile_select
+  when:
+      - rhel9cis_rule_5_4_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - authselect
      - rule_5.4.2
-      - rule_5.4.3
-      - rule_5.4.4
--- a/tasks/section_5/cis_5.5.1.x.yml
+++ b/tasks/section_5/cis_5.5.1.x.yml
@ -1,131 +0,0 @@
---
-
- name: "5.5.1.1 | L1 | PATCH | Ensure password expiration is 365 days or less"
-  lineinfile:
-      state: present
-      dest: /etc/login.defs
-      regexp: '^PASS_MAX_DAYS'
-      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
-  when:
-      - rhel9cis_rule_5_5_1_1
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.5.1.1
-
- name: "5.5.1.2 | L1 | PATCH | Ensure minimum days between password changes is 7 or more"
-  lineinfile:
-      state: present
-      dest: /etc/login.defs
-      regexp: '^PASS_MIN_DAYS'
-      line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
-  when:
-      - rhel9cis_rule_5_5_1_2
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.5.1.2
-
- name: "5.5.1.3 | L1 | PATCH | Ensure password expiration warning days is 7 or more"
-  lineinfile:
-      state: present
-      dest: /etc/login.defs
-      regexp: '^PASS_WARN_AGE'
-      line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
-  when:
-      - rhel9cis_rule_5_5_1_3
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.5.1.3
-
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less"
-  block:
-      - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
-        shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: rhel9cis_5_5_1_4_inactive_settings
-
-      - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
-        shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
-        args:
-            warn: false
-        when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
-
-      - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
-        shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
-        args:
-            warn: false
-        check_mode: false
-        register: rhel_09_5_5_1_4_audit
-        changed_when: false
-
-      - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
-        shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
-        args:
-            warn: false
-        with_items:
-            - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
-  when:
-      - rhel9cis_rule_5_5_1_4
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.5.1.4
-
- name: "5.5.1.5 | L1 |  PATCH | Ensure all users last password change date is in the past"
-  block:
-      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
-        shell: echo $(($(date --utc --date "$1" +%s)/86400))
-        args:
-            warn: false
-        failed_when: false
-        changed_when: false
-        check_mode: false
-        register: rhel9cis_5_5_1_5_currentut
-
-      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
-        shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'"
-        args:
-            warn: false
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: rhel9cis_5_5_1_5_user_list
-
-      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
-        debug:
-            msg: "Good News! All accounts have PW change dates that are in the past"
-        when: rhel9cis_5_5_1_5_user_list.stdout | length == 0
-
-      - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
-        debug:
-            msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_5_1_5_user_list.stdout_lines }}"
-        when:
-            - rhel9cis_5_5_1_5_user_list.stdout | length > 0
-            - not rhel9cis_futurepwchgdate_autofix
-
-      - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
-        shell: passwd --expire {{ item }}
-        args:
-            warn: false
-        when:
-            - rhel9cis_5_5_1_5_user_list | length > 0
-            - rhel9cis_futurepwchgdate_autofix
-        with_items:
-            - "{{ rhel9cis_5_5_1_5_user_list.stdout_lines }}"
-  when:
-      - rhel9cis_rule_5_5_1_5
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.5.1.5
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@ -1,8 +1,8 @@
 ---

- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured"
+- name: "5.5.2 | PATCH | Ensure system accounts are secured"
  block:
-      - name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin"
+      - name: "5.5.2 | Ensure system accounts are secured | Set nologin"
        user:
            name: "{{ item.id }}"
            shell: /usr/sbin/nologin
@ -13,11 +13,11 @@
            - item.id != "sync"
            - item.id != "shutdown"
            - item.id != "halt"
-            - item.uid < 1000
+            - rhel9cis_int_gid | int > item.gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"

-      - name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts"
+      - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts"
        user:
            name: "{{ item.id }}"
            password_lock: true
@ -28,7 +28,7 @@
            - item.id != "shutdown"
            - item.id != "sync"
            - item.id != "root"
-            - min_int_uid | int >= item.uid
+            - rhel9cis_int_gid | int > item.gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
  when:
@ -39,15 +39,15 @@
      - patch
      - rule_5.5.2

- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less"
+- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  blockinfile:
-      create: true
+      create: yes
      mode: 0644
      dest: "{{ item.dest }}"
      state: "{{ item.state }}"
      marker: "# {mark} ANSIBLE MANAGED"
      block: |
-        # Set session timeout - CIS ID RHEL-09-5.4.5
+        # Set session timeout - CIS ID RHEL-08-5.4.5
        TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
        export TMOUT
        readonly TMOUT
@ -62,10 +62,8 @@
      - patch
      - rule_5.5.3

- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
-  shell: usermod -g 0 root
-  args:
-      warn: false
+- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0"
+  command: usermod -g 0 root
  changed_when: false
  failed_when: false
  when:
@ -76,15 +74,15 @@
      - patch
      - rule_5.5.4

- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive"
+- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
-      - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+      - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
        replace:
            path: /etc/bashrc
            regexp: '(^\s+umask) 0[012][0-6]'
            replace: '\1 027'

-      - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
+      - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
        replace:
            path: /etc/profile
            regexp: '(^\s+umask) 0[012][0-6]'
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -0,0 +1,125 @@
+---
+
+- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
+  lineinfile:
+      state: present
+      dest: /etc/login.defs
+      regexp: '^PASS_MAX_DAYS'
+      line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
+  when:
+      - rhel9cis_rule_5_6_1_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - password
+      - rule_5.5.1.1
+
+- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
+  lineinfile:
+      state: present
+      dest: /etc/login.defs
+      regexp: '^PASS_MIN_DAYS'
+      line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
+  when:
+      - rhel9cis_rule_5_6_1_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - password
+      - rule_5.6.1.2
+
+- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
+  lineinfile:
+      state: present
+      dest: /etc/login.defs
+      regexp: '^PASS_WARN_AGE'
+      line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
+  when:
+      - rhel9cis_rule_5_6_1_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - password
+      - rule_5.5.1.3
+
+- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
+  block:
+      - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
+        shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_5_6_1_4_inactive_settings
+
+      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
+        command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+        when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
+
+      - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
+        shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
+        changed_when: false
+        check_mode: no
+        register: rhel_8_5_6_1_4_user_list
+
+      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
+        command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+        with_items:
+            - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
+  when:
+      - rhel9cis_rule_5_6_1_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - password
+      - rule_5.6.1.4
+
+- name: "5.6.1.5 |  PATCH | Ensure all users last password change date is in the past"
+  block:
+      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
+        shell: echo $(($(date --utc --date "$1" +%s)/86400))
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_5_6_1_5_currentut
+
+      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
+        shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_5_6_1_5_user_list
+
+      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist"
+        debug:
+            msg: "Good News! All accounts have PW change dates that are in the past"
+        when: rhel9cis_5_6_1_5_user_list.stdout | length == 0
+
+      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
+        debug:
+            msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
+        when:
+            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
+            - not rhel9cis_futurepwchgdate_autofix
+
+      - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
+        command: passwd --expire {{ item }}
+        when:
+            - rhel9cis_5_6_1_5_user_list | length > 0
+            - rhel9cis_futurepwchgdate_autofix
+        with_items:
+            - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
+  when:
+      - rhel9cis_rule_5_6_1_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1.5
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -0,0 +1,108 @@
+---
+
+- name: "5.6.2 | PATCH | Ensure system accounts are secured"
+  block:
+      - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
+        user:
+            name: "{{ item.id }}"
+            shell: /usr/sbin/nologin
+        with_items:
+            - "{{ rhel9cis_passwd }}"
+        when:
+            - item.id != "root"
+            - item.id != "sync"
+            - item.id != "shutdown"
+            - item.id != "halt"
+            - rhel9cis_int_gid | int < item.gid
+            - item.shell != "      /bin/false"
+            - item.shell != "      /usr/sbin/nologin"
+        loop_control:
+            label: "{{ item.id }}"
+
+      - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
+        user:
+            name: "{{ item.id }}"
+            password_lock: true
+        with_items:
+            - "{{ rhel9cis_passwd }}"
+        when:
+            - item.id != "halt"
+            - item.id != "shutdown"
+            - item.id != "sync"
+            - item.id != "root"
+            - rhel9cis_int_gid | int < item.gid
+            - item.shell != "      /bin/false"
+            - item.shell != "      /usr/sbin/nologin"
+        loop_control:
+            label: "{{ item.id }}"
+  when:
+      - rhel9cis_rule_5_6_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - accounts
+      - rule_5.6.2
+
+- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
+  blockinfile:
+      create: yes
+      mode: 0644
+      dest: "{{ item.dest }}"
+      state: "{{ item.state }}"
+      marker: "# {mark} ANSIBLE MANAGED"
+      block: |
+        # Set session timeout - CIS ID RHEL-08-5.4.5
+        TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
+        export TMOUT
+        readonly TMOUT
+  with_items:
+      - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
+      - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
+  when:
+      - rhel9cis_rule_5_6_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - accounts
+      - rule_5.6.3
+
+- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
+  command: usermod -g 0 root
+  changed_when: false
+  failed_when: false
+  when:
+      - rhel9cis_rule_5_6_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - accounts
+      - rule_5.6.4
+
+- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
+  block:
+      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+        replace:
+            path: /etc/bashrc
+            regexp: '(^\s+umask) 0[012][0-6]'
+            replace: '\1 027'
+
+      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
+        replace:
+            path: /etc/profile
+            regexp: '(^\s+umask) 0[012][0-6]'
+            replace: '\1 027'
+  when:
+      - rhel9cis_rule_5_6_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - accounts
+      - rule_5.6.5
--- a/tasks/section_5/cis_5.6.yml
+++ b/tasks/section_5/cis_5.6.yml
@ -1,37 +0,0 @@
---
-
-# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed.
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console"
-  block:
-      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists"
-        stat:
-            path: /etc/securetty
-        register: rhel9cis_securetty_check
-
-      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
-        shell: cat /etc/securetty
-        args:
-            warn: false
-        changed_when: false
-        register: rhel_09_5_6_audit
-        when: rhel9cis_securetty_check.stat.exists
-
-      - name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console"
-        debug:
-            msg:
-                - "These are the consoles with root login access, please review:"
-                - "{{ rhel_09_5_6_audit.stdout_lines }}"
-        when: rhel9cis_securetty_check.stat.exists
-
-      - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists"
-        debug:
-            msg:
-                - "There is no /etc/securetty file, this has been removed by default in RHEL9"
-        when: not rhel9cis_securetty_check.stat.exists
-  when:
-      - rhel9cis_rule_5_6
-  tags:
-      - level1-server
-      - level1-workstation
-      - audit
-      - rule_5.6
--- a/tasks/section_5/cis_5.7.yml
+++ b/tasks/section_5/cis_5.7.yml
@ -1,22 +0,0 @@
---
-
- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted"
-  block:
-      - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
-        lineinfile:
-            state: present
-            dest: /etc/pam.d/su
-            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
-            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
-
-      - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
-        user:
-            name: "{{ rhel9cis_sugroup_users }}"
-            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
-  when:
-      - rhel9cis_rule_5_7
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_5.7
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -1,5 +1,7 @@
 ---

+# Access, Authentication, and Authorization
+
 - name: "SECTION | 5.1 | Configure time-based job schedulers"
  import_tasks: cis_5.1.x.yml

@ -8,22 +10,17 @@
  when:
      - "'openssh-server' in ansible_facts.packages"

- name: "SECTION | 5.3 | Configure Profiles"
+- name: "SECTION | 5.3 | Configure privilege escalation"
  include_tasks: cis_5.3.x.yml
-  when:
-      - rhel9cis_use_authconfig

- name: "SECTION | 5.4 | Configure PAM "
+- name: "SECTION | 5.4 | Configure authselect"
  import_tasks: cis_5.4.x.yml

- name: "SECTION | 5.5.1.x | Passwords and Accounts"
-  import_tasks: cis_5.5.1.x.yml
-
- name: "SECTION | 5.5.x | System Accounts and User Settings"
+- name: "SECTION | 5.5 | Configure PAM "
  import_tasks: cis_5.5.x.yml

- name: "SECTION | 5.6 | Root Login"
-  import_tasks: cis_5.6.yml
+- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
+  import_tasks: cis_5.6.1.x.yml

- name: Section | 5.7 | su Command Restriction
-  import_tasks: cis_5.7.yml
+- name: "SECTION | 5.6.x | Misc. User Account Settings"
+  import_tasks: cis_5.6.x.yml