--- # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false check_mode: false register: users tags: - level1-server - level1-workstation - users - name: "PRELIM | Interactive User accounts" ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' changed_when: false register: interactive_users_home tags: - always - name: "PRELIM | Gather accounts with empty password fields" ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false check_mode: false register: empty_password_accounts tags: - level1-server - level1-workstation - passwords - name: "PRELIM | Gather UID 0 accounts other than root" ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false register: rhel9cis_uid_zero_accounts_except_root tags: - rule_6.2.8 - level1-server - level1-workstation - users - name: "PRELIM | Setup crypto-policy" block: - name: "PRELIM | Install crypto-policies" ansible.builtin.package: name: - crypto-policies - crypto-policies-scripts state: present - name: "PRELIM | Gather system-wide crypto-policy" ansible.builtin.shell: update-crypto-policies --show changed_when: false check_mode: false register: system_wide_crypto_policy when: - rhel9cis_rule_1_10 tags: - level1-server - level1-workstation - rule_1.10 - crypto - name: "PRELIM | if systemd coredump" ansible.builtin.stat: path: /etc/systemd/coredump.conf register: systemd_coredump when: - rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation - rule_1.5.1 - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" tags: - level1-server - level1-workstation - name: "PRELIM | Ensure python3-libselinux is installed" ansible.builtin.package: name: python3-libselinux state: present when: - '"python3-libselinux" not in ansible_facts.packages' - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" ansible.builtin.stat: path: /sys/firmware/efi register: rhel_09_efi_boot - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg when: not rhel_09_efi_boot.stat.exists - name: "PRELIM | set grub fact | UEFI" ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists - name: "PRELIM | Update to latest gpg keys" ansible.builtin.package: name: "{{ ansible_distribution | lower }}-gpg-keys" state: latest when: - rhel9cis_rule_1_2_4 - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit state: present become: true when: - '"auditd" not in ansible_facts.packages' - rhel9cis_rule_4_1_1_1 tags: - level2-server - level2-workstation - patch - rule_4.1.1.1 - auditd - name: "PRELIM | 4.1.4.5 | Audit conf and rules files | list files" ansible.builtin.find: path: /etc/audit file_type: file recurse: true patterns: '*.conf,*.rules' register: auditd_conf_files when: - rhel9cis_rule_4_1_4_5 or rhel9cis_rule_4_1_4_6 or rhel9cis_rule_4_1_4_7 tags: - level2-server - level2-workstation - patch - auditd - rule_4.1.4.5 - rule_4.1.4.6 - rule_4.1.4.7 - name: "PRELIM | Section 5.1 | Configure cron" ansible.builtin.package: name: cronie state: present become: true when: - rhel9cis_rule_5_1_1 - '"cronie" not in ansible_facts.packages' tags: - level1-server - level1-workstation - rule_5.1.1 - cron - name: "PRELIM | Install authconfig" ansible.builtin.package: name: authconfig state: present become: true when: - rhel9cis_use_authconfig - rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3 or '"authconfig" not in ansible_facts.packages or "auditd-lib" not in ansible_facts.packages' tags: - level1-server - level1-workstation - rule_5.3.1 or rule_5.3.2 or rule_5.3.3 - authconfig - auditd - name: "PRELIM | 5.3.4 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false register: rhel9cis_sudoers_files when: - rhel9cis_rule_5_3_4 or rhel9cis_rule_5_3_5 tags: - rule_5.3.4 - rule_5.3.5 - name: "PRELIM | Check for rhnsd service" ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false become: true register: rhnsd_service_status when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" tags: - rule_1.2.2 - skip_ansible_lint - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - name: Output of uid findings ansible.builtin.debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid