---

- name: "5.6.2 | PATCH | Ensure system accounts are secured"
  block:
      - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
        user:
            name: "{{ item.id }}"
            shell: /usr/sbin/nologin
        with_items:
            - "{{ rhel9cis_passwd }}"
        when:
            - item.id != "root"
            - item.id != "sync"
            - item.id != "shutdown"
            - item.id != "halt"
            - item.id != "nfsnobody"
            - min_int_uid | int < item.gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
        loop_control:
            label: "{{ item.id }}"

      - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts"
        user:
            name: "{{ item.id }}"
            password_lock: true
        with_items:
            - "{{ rhel9cis_passwd }}"
        when:
            - item.id != "halt"
            - item.id != "shutdown"
            - item.id != "sync"
            - item.id != "root"
            - item.id != "nfsnobody"
            - min_int_uid | int < item.gid
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
        loop_control:
            label: "{{ item.id }}"
  when:
      - rhel9cis_rule_5_6_2
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - accounts
      - rule_5.6.2

- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less"
  blockinfile:
      create: yes
      mode: 0644
      dest: "{{ item.dest }}"
      state: "{{ item.state }}"
      marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED"
      block: |
        TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
        export TMOUT
        readonly TMOUT
  with_items:
      - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present }
      - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" }
  when:
      - rhel9cis_rule_5_6_3
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - accounts
      - rule_5.6.3

- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
  user:
      name: root
      group: 0
  when:
      - rhel9cis_rule_5_6_4
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - accounts
      - rule_5.6.4

- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
        replace:
            path: /etc/bashrc
            regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
            replace: '\1 027'

      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
        replace:
            path: /etc/profile
            regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
            replace: '\1 027'
  when:
      - rhel9cis_rule_5_6_5
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - accounts
      - rule_5.6.5