From f02a9d442fe74762cba84891de0f393090dfe9a2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 11 Nov 2024 17:35:12 +0000
Subject: [PATCH] added system account enhancement 5.4.2.7 thanks to @Thulium-Drake

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 5 +++++
 tasks/section_5/cis_5.4.2.x.yml | 1 +
 2 files changed, 6 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 4e07349..e210596 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -992,6 +992,11 @@ rhel9cis_futurepwchgdate_autofix: true
 # 5.4.2.x
 rhel9cis_root_umask: '0027' # 0027 or more restrictive
 
+## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
+# The system users on this list are allowed to have a shell (e.g. applications
+# that require a shell to function)
+rhel9cis_system_users_shell: []
+
 ## Control 5.4.3.2 - Configuring user shell timeout
 # This dictionary is related to ensuring the rule about user shell timeout
 # This variable represents the amount of seconds a command or process is allowed to
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
index 4d75928..2cf378c 100644
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@@ -199,6 +199,7 @@
 when:
 - rhel9cis_rule_5_4_2_7
 - "item.id not in prelim_interactive_usernames.stdout"
+ - item.id not in rhel9cis_system_users_shell
 - "'root' not in item.id"
 - rhel9cis_disruption_high
 tags:
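Review bot: The comment above `rhel9cis_system_users_shell` says which accounts are "allowed to have a shell" but not how entries are matched or what listing one means for the benchmark, which is exactly what someone auditing a hardened build needs to know. I would extend it to: `# Entries are exact account names. Listed accounts are skipped by the 5.4.2.7 remediation and keep whatever shell they currently have, so every entry is a deviation from the CIS benchmark and should be justified in change control.` The matching being by exact name follows from the task's `item.id not in rhel9cis_system_users_shell` condition in tasks/section_5/cis_5.4.2.x.yml; confirm that `item.id` is the passwd login name before asserting it in the comment.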
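Review bot: The added condition is the only unquoted entry in this `when:` list while its neighbours are quoted Jinja expressions; for consistency write it as `- "item.id not in rhel9cis_system_users_shell"`. Because `not in` against a list is exact-name membership, an operator who leaves the variable bare (`rhel9cis_system_users_shell:`, which YAML reads as null) or sets it to a single string will get a Jinja error or a substring match rather than an exemption, so unless the role's prelim already validates the type, `- "item.id not in (rhel9cis_system_users_shell | default([], true))"` or an assert that it is a list would make the exemption robust. Note the adjacent `'root' not in item.id` is a substring test, so the new exact-match condition is stricter than its neighbour, which is the right direction. The task that owns this `when:`, including the loop that defines `item`, begins before the hunk.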