--- - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" ansible.builtin.service: name: crond enabled: true when: - rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.1 - name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" ansible.builtin.file: path: /etc/crontab owner: root group: root mode: '0600' when: - rhel9cis_rule_5_1_2 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.2 - name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" ansible.builtin.file: path: /etc/cron.hourly state: directory owner: root group: root mode: '0700' when: - rhel9cis_rule_5_1_3 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.3 - name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" ansible.builtin.file: path: /etc/cron.daily state: directory owner: root group: root mode: '0700' when: - rhel9cis_rule_5_1_4 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.4 - name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" ansible.builtin.file: path: /etc/cron.weekly state: directory owner: root group: root mode: '0700' when: - rhel9cis_rule_5_1_5 tags: - level1-server - level1-workstation - patch - rule_5.1.5 - name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" ansible.builtin.file: path: /etc/cron.monthly state: directory owner: root group: root mode: '0700' when: - rhel9cis_rule_5_1_6 tags: - level1-server - level1-workstation - patch - rule_5.1.6 - name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" ansible.builtin.file: path: /etc/cron.d state: directory owner: root group: root mode: '0700' when: - rhel9cis_rule_5_1_7 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.7 - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: path: /etc/cron.deny state: absent - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" ansible.builtin.stat: path: "/etc/cron.allow" register: rhel9cis_5_1_8_cron_allow_state - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: '0600' when: - rhel9cis_rule_5_1_8 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.8 - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" block: - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: path: /etc/at.deny state: absent - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" ansible.builtin.stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: path: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: '0600' when: - rhel9cis_rule_5_1_9 tags: - level1-server - level1-workstation - patch - cron - rule_5.1.9