From e4bf188383ad8d06566da1713c47fa0fb0755584 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 7 Sep 2022 13:35:36 +0100
Subject: [PATCH] Added Assertion for passwd set on ansible user
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index e2c9261..ecddbaa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -20,6 +20,28 @@
 tags:
 - always
+- name: "Check password set for {{ ansible_user }}"
+ block:
+ - name: Capture current password state of "{{ ansible_user }}"
+ shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ansible_user_password_set
+
+ - name: "Assert that password set for {{ ansible_user }} and account not locked"
+ assert:
+ that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
+ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
+ success_msg: "You a password set for the {{ ansible_user }}"
+ vars:
+ sudo_password_rule: rhel9cis_rule_5_3_4
+ when:
+ - rhel9cis_rule_5_3_4
+ - not system_is_ec2
+ tags:
+ - user_passwd
+
 - name: Setup rules if container
 block:
 - name: Discover and set container variable if required
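Review bot: The `grep {{ ansible_user }} /etc/shadow` lookup in the capture task is an unanchored substring match, so a user name that is a prefix of another (or that happens to appear inside a hash) returns several lines, and the `!= "!!"` test in the assert only recognises one locked-account form, missing the single `!` or `*` prefixes that `passwd -l` and no-login accounts use; `shell: "getent shadow {{ ansible_user }} | awk -F: '{print $2}'"` together with `that: ansible_user_password_set.stdout | length != 0 and not ansible_user_password_set.stdout is match('^[!*]')` addresses both. The registered stdout is the account's password hash, so `no_log: true` on the capture task would keep it out of verbose run output and callback logs. Because `failed_when: false` also swallows a permission-denied read of /etc/shadow when the task is not privilege-escalated, the assertion would then fail with the misleading "no password set" message; a role-level `become` outside this hunk may already cover that, which cannot be seen here. The `success_msg` reads "You a password set for the ..." and presumably should be "You have a password set for {{ ansible_user }}".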