RHEL9-CIS/tasks/section_1/cis_1.2.x.yml

---

- name: "1.2.1 | L1 | PATCH | Ensure Red Hat Subscription Manager connection is configured"
  redhat_subscription:
      state: present
      username: "{{ rhel9cis_rh_sub_user }}"
      password: "{{ rhel9cis_rh_sub_password }}"
      auto_attach: true
      no_log: true
  when:
      - ansible_distribution == "RedHat"
      - rhel9cis_rhnsd_required
      - rhel9cis_rule_1_2_1
  tags:
      - level1-server
      - level1-workstation
      - notscored
      - patch
      - rule_1.2.1
      - skip_ansible_lint  # Added as no_log still errors on ansuible-lint

- name: "1.2.2 | L1 | PATCH | Disable the rhnsd Daemon"
  service:
      name: rhnsd
      state: stopped
      enabled: false
      masked: true
  when:
      - ansible_distribution == "RedHat"
      - rhnsd_service_status.stdout == "loaded" and not rhel9cis_rhnsd_required
      - rhel9cis_rule_1_2_2
  tags:
      - level1-server
      - level1-workstation
      - notscored
      - patch
      - rule_1.2.2

- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
  shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"
  args:
      warn: false
  when:
      - rhel9cis_rule_1_2_3
      - ansible_distribution == "RedHat" or
        ansible_distribution == "Rocky"
  tags:
      - level1-server
      - level1-workstation
      - notscored
      - patch
      - rule_1.2.3

- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated"
  block:
      - name: "1.2.4 | L1 | AUDIT | Ensure gpgcheck is globally activated | Find repos"
        find:
            paths: /etc/yum.repos.d
            patterns: "*.repo"
        register: yum_repos
        changed_when: false

      - name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
        replace:
            name: "{{ item.path }}"
            regexp: "^gpgcheck=0"
            replace: "gpgcheck=1"
        with_items:
            - "{{ yum_repos.files }}"
  when:
      - rhel9cis_rule_1_2_4
  tags:
      - level1-server
      - level1-workstation
      - scored
      - patch
      - rule_1.2.4

- name: "1.2.5 | L1 | Ensure package manager repositories are configured"
  block:
      - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list"
        shell: dnf repolist
        args:
            warn: false
        changed_when: false
        failed_when: false
        register: dnf_configured
        check_mode: false

      - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list"
        debug:
            msg:
                - "Alert! Below are the configured repos. Please review and make sure all align with site policy"
                - "{{ dnf_configured.stdout_lines }}"
  when:
      - rhel9cis_rule_1_2_5
  tags:
      - level1-server
      - level1-workstation
      - notscored
      - patch
      - rule_1.2.5
      - skip_ansible_lint