---
- name: Lockdown | AUDIT | Check current authselect configuration
  command: authselect current
  register: baseline_lockdown_authselect_status
  failed_when: false  # Exit code is 2 when not configured
  changed_when: false

- name: Lockdown | AUDIT | Do not disable root login if no authselect profile configured
  ansible.builtin.set_fact:
    rhel9cis_rule_5_1_20: false
  when: baseline_lockdown_authselect_status.rc == 2

- name: Lockdown | PATCH | Run Ansible Lockdown (RHEL9-CIS)
  ansible.builtin.include_role:
    name: RHEL9-CIS
  vars:
    # Ensure message of the day is configured properly - we have our own MOTD to apply
    rhel9cis_rule_1_7_1: false
    rhel9cis_rule_1_7_4: false
    # Don't restrict user SSH access in sshd_config - this is managed by FreeIPA
    rhel9cis_rule_5_1_7: false
    # TODO: figure out boot password
    rhel9cis_set_boot_pass: false
    # TODO: We intend to later deploy a remote rsyslog sink
    rhel9cis_syslog: rsyslog
    rhel9cis_time_synchronization_servers: "{{ baseline_ntp_servers }}"
    rhel9cis_warning_banner: "{{ baseline_warning_banner }}"
    rhel9cis_sshd_denyusers: "admin nobody"
  when: (ansible_distribution == "Rocky") and (ansible_distribution_major_version == "9")