--- - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin" ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin loop: "{{ rhel9cis_passwd }}" when: - item.id != "root" - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - item.id != "nfsnobody" - item.uid < min_int_uid | int - item.shell != "/bin/false" - item.shell != "/usr/sbin/nologin" - item.shell != "/sbin/nologin" - item.shell != "/dev/null" loop_control: label: "{{ item.id }}" - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts" ansible.builtin.user: name: "{{ item.id }}" password_lock: true loop: "{{ rhel9cis_passwd }}" when: - item.id != "halt" - item.id != "shutdown" - item.id != "sync" - item.id != "root" - item.id != "nfsnobody" - item.uid < min_int_uid | int - item.shell != "/bin/false" - item.shell != "/usr/sbin/nologin" - item.shell != "/sbin/nologin" - item.shell != "/dev/null" loop_control: label: "{{ item.id }}" when: - rhel9cis_rule_5_6_2 tags: - level1-server - level1-workstation - patch - accounts - rule_5.6.2 - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" ansible.builtin.blockinfile: path: "{{ item.path }}" state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true mode: '0644' block: | TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT loop: - { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } when: - rhel9cis_rule_5_6_3 tags: - level1-server - level1-workstation - patch - accounts - rule_5.6.3 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" ansible.builtin.user: name: root group: 0 when: - rhel9cis_rule_5_6_4 tags: - level1-server - level1-workstation - patch - accounts - rule_5.6.4 - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" ansible.builtin.replace: path: "{{ item.path }}" regexp: (?i)(umask\s+\d\d\d) replace: '{{ item.line }} 027' with_items: - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd" community.general.pamd: name: "{{ item }}" type: session control: required module_path: pam_limits.so new_type: session new_module_path: pam_umask.so new_control: optional state: before register: rhel9cis_pamd_umask_added loop: - system-auth - password-auth - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required" ansible.builtin.replace: path: "/etc/pam.d/{{ item }}" regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$ replace: \1optional\3 loop: - system-auth - password-auth when: - rhel9cis_rule_5_6_5 tags: - level1-server - level1-workstation - patch - accounts - rule_5.6.5 - name: "5.6.6 | PATCH | Ensure root password is set" ansible.builtin.debug: msg: "The root password has been set as per the assert in early stages" when: - rhel9cis_rule_5_6_6 tags: - level1-server - level1-workstation - patch - accounts - root - rule_5.6.6