From 23338ccd314d433049606b36114d6d32c004d5e3 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Fri, 27 Jun 2025 11:12:07 -0400
Subject: [PATCH 1/2] Addresses #318 - Thank you @kodebach & @bgro
Signed-off-by: Frederick Witty
---
 Changelog.md | 12 +++++++-----
 tasks/main.yml | 5 ++---
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 331a17e..53cf91d 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,11 +1,13 @@
 # Changes to rhel9CIS
-## Based on CIS v2.0.0
+## 2.0.1 - Based on CIS v2.0.0
-Update to audit_only to allow fetching results
-resolved false warning for fetch audit
-fix root user check
-Improved documentation and variable compilation for crypto policies
+- Update to audit_only to allow fetching results
+- resolved false warning for fetch audit
+- fix root user check
+- Improved documentation and variable compilation for crypto policies
+- Addresses #318 - Thank you @kodebach & @bgro
+ - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check task/main.yml
 ## 2.0.1 - Based on CIS v2.0.0
diff --git a/tasks/main.yml b/tasks/main.yml
index 25bb7bc..460acc8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -101,10 +101,9 @@
 - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
 ansible.builtin.assert:
- that:
- - not prelim_ansible_user_password_set.stdout.startswith("!")
+ that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
- success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
+ success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
 - name: "Check authselect profile is selected"
 when: rhel9cis_allow_authselect_updates
From ac276f34fc8e5773e232fc51b90446df796b9fb5 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Fri, 27 Jun 2025 11:15:19 -0400
Subject: [PATCH 2/2] ChangeLog versioning fix
Signed-off-by: Frederick Witty
---
 Changelog.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 53cf91d..b6db646 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,13 +1,13 @@
 # Changes to rhel9CIS
-## 2.0.1 - Based on CIS v2.0.0
+## 2.0.2 - Based on CIS v2.0.0
 - Update to audit_only to allow fetching results
 - resolved false warning for fetch audit
 - fix root user check
 - Improved documentation and variable compilation for crypto policies
 - Addresses #318 - Thank you @kodebach & @bgro
- - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check task/main.yml
+ - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check tasks/main.yml
 ## 2.0.1 - Based on CIS v2.0.0
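Review bot: In the tasks/main.yml hunk the new `that:` expression tests membership in `rhel9cis_sudoers_exclude_nopasswd_list` without a guard, so a host where that variable is undefined or set to null no longer gets the intended `fail_msg` but a conditional-evaluation error from the assert itself. Defaulting the list keeps the pre-commit behaviour whenever no exclusions are configured: `that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in (rhel9cis_sudoers_exclude_nopasswd_list | default([])))`. The membership test also presumes the list holds bare user names that compare equal to `ansible_env.SUDO_USER`; if the variable's documented format admits other sudoers-style entries, a user covered by one of those would still be reported as locked, which is worth confirming against the role's defaults. The task `name` still says `Assert local account not locked`, which no longer describes the relaxed condition and could read `Assert local account not locked or excluded from 5.2.4` to match the new `success_msg`.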