---
# tasks file for RHEL9-CIS

- name: Check OS version and family
  ansible.builtin.assert:
      that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
      fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
      success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
  when:
      - os_check
  tags:
      - always

- name: Check ansible version
  ansible.builtin.assert:
      that: ansible_version.full is version_compare(min_ansible_version, '>=')
      fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
      success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
  tags:
      - always

- name: "Check password set for {{ ansible_env.SUDO_USER }}"
  block:
      - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
        ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel9cis_ansible_user_password_set

      - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"
        ansible.builtin.debug:
            msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
        when:
            - rhel9cis_ansible_user_password_set.stdout == "not found"

      - name: "Check local account"
        block:
            - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"
              ansible.builtin.assert:
                  that:
                      - rhel9cis_ansible_user_password_set.stdout | length != 0
                      - rhel9cis_ansible_user_password_set.stdout != "!!"
                  fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
                  success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"

            - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"
              ansible.builtin.assert:
                  that:
                      - not rhel9cis_ansible_user_password_set.stdout.startswith("!")
                  fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
                  success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
        when:
            - rhel9cis_ansible_user_password_set.stdout != "not found"
  when:
      - rhel9cis_rule_5_3_4
      - ansible_env.SUDO_USER is defined
      - not system_is_ec2
  tags:
      - user_passwd
      - rule_5.3.4
  vars:
      sudo_password_rule: rhel9cis_rule_5_3_4  # pragma: allowlist secret

- name: Ensure root password is set
  block:
      - name: Ensure root password is set
        ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
        changed_when: false
        register: root_passwd_set

      - name: Ensure root password is set
        ansible.builtin.assert:
            that: root_passwd_set.rc == 0
            fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set"
            success_msg: "You have a root password set"
  when:
      - rhel9cis_rule_5_6_6
  tags:
      - level1-server
      - level1-workstation
      - patch
      - accounts
      - root
      - rule_5.6.6

- name: Setup rules if container
  block:
      - name: Discover and set container variable if required
        ansible.builtin.set_fact:
            system_is_container: true

      - name: Load variable for container
        ansible.builtin.include_vars:
            file: "{{ container_vars_file }}"

      - name: Output if discovered is a container
        ansible.builtin.debug:
            msg: system has been discovered as a container
        when:
            - system_is_container
  when:
      - ansible_connection == 'docker' or
        ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
      - container_discovery
      - always

- name: Check crypto-policy input
  ansible.builtin.assert:
      that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
      fail_msg: "Crypto policy is not a permitted version"
      success_msg: "Crypto policy is a permitted version"

- name: Check crypto-policy module input
  ansible.builtin.assert:
      that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
      fail_msg: "Crypto policy module is not a permitted version"
      success_msg: "Crypto policy module is a permitted version"
  when:
      - rhel9cis_rule_1_10
      - rhel9cis_crypto_policy_module | length > 0
  tags:
      - rule_1.10

- name: Check rhel9cis_bootloader_password_hash variable has been changed
  ansible.builtin.assert:
      that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
      msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
  when:
      - rhel9cis_set_boot_pass
      - rhel9cis_rule_1_4_1
  tags:
      - always

- name: Gather the package facts
  ansible.builtin.package_facts:
      manager: auto
  tags:
      - always

- name: Include OS specific variables
  ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml"
  tags:
      - always

- name: Include preliminary steps
  ansible.builtin.import_tasks:
      file: prelim.yml
  tags:
      - prelim_tasks
      - always

- name: Run Section 1 tasks
  ansible.builtin.import_tasks:
      file: section_1/main.yml
  when: rhel9cis_section1
  tags:
      - rhel9cis_section1

- name: Run Section 2 tasks
  ansible.builtin.import_tasks:
      file: section_2/main.yml
  when: rhel9cis_section2
  tags:
      - rhel9cis_section2

- name: Run Section 3 tasks
  ansible.builtin.import_tasks:
      file: section_3/main.yml
  when: rhel9cis_section3
  tags:
      - rhel9cis_section3

- name: Run Section 4 tasks
  ansible.builtin.import_tasks:
      file: section_4/main.yml
  when: rhel9cis_section4
  tags:
      - rhel9cis_section4

- name: Run Section 5 tasks
  ansible.builtin.import_tasks:
      file: section_5/main.yml
  when: rhel9cis_section5
  tags:
      - rhel9cis_section5

- name: Run Section 6 tasks
  ansible.builtin.import_tasks:
      file: section_6/main.yml
  when: rhel9cis_section6
  tags:
      - rhel9cis_section6

- name: Run auditd logic
  ansible.builtin.import_tasks:
      file: auditd.yml
  when: update_audit_template
  tags:
      - always

- name: Run post remediation tasks
  ansible.builtin.import_tasks:
      file: post.yml
  tags:
      - post_tasks
      - always

- name: Run post_remediation audit
  ansible.builtin.import_tasks:
      file: post_remediation_audit.yml
  when:
      - run_audit

- name: Show Audit Summary
  ansible.builtin.debug:
      msg: "{{ audit_results.split('\n') }}"
  when: run_audit

- name: If Warnings found Output count and control IDs affected
  ansible.builtin.debug:
      msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
  when: warn_count != 0
  tags:
      - always