---

- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
  tags:
    - always
  block:
    - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
      ansible.builtin.shell: cat /etc/passwd
      changed_when: false
      check_mode: false
      register: rhel9cis_passwd_file_audit

    - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
      ansible.builtin.set_fact:
        rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
      loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"
      vars:
        ld_passwd_regex: >-
          ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
        ld_passwd_yaml: |  # pragma: allowlist secret
          id: >-4
              \g<id>
          password: >-4
              \g<password>
          uid: \g<uid>
          gid: \g<gid>
          gecos: >-4
              \g<gecos>
          dir: >-4
              \g<dir>
          shell: >-4
              \g<shell>